diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json index f717d3e0a8..7e028ba6b7 100644 --- a/.openpublishing.redirection.education.json +++ b/.openpublishing.redirection.education.json @@ -199,6 +199,36 @@ "source_path": "education/windows/autopilot-reset.md", "redirect_url": "/autopilot/windows-autopilot-reset", "redirect_document_id": false + }, + { + "source_path": "education/windows/set-up-students-pcs-with-apps.md", + "redirect_url": "/education/windows", + "redirect_document_id": false + }, + { + "source_path": "education/windows/set-up-windows-10.md", + "redirect_url": "/education/windows", + "redirect_document_id": false + }, + { + "source_path": "education/windows/edu-deployment-recommendations.md", + "redirect_url": "/education/windows", + "redirect_document_id": false + }, + { + "source_path": "education/windows/set-up-school-pcs-azure-ad-join.md", + "redirect_url": "/education/windows", + "redirect_document_id": false + }, + { + "source_path": "education/windows/set-up-students-pcs-to-join-domain.md", + "redirect_url": "/education/windows", + "redirect_document_id": false + }, + { + "source_path": "education/windows/windows-editions-for-education-customers.md", + "redirect_url": "/education/windows", + "redirect_document_id": false } ] -} +} \ No newline at end of file diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ab61b600f3..0d59ddb05d 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1682,12 +1682,12 @@ }, { "source_path": "windows/deploy/assign-applications-using-roles-in-mdt.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt", "redirect_document_id": false }, { "source_path": "windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment", "redirect_document_id": false }, { @@ -1717,17 +1717,17 @@ }, { "source_path": "windows/deploy/configure-mdt-deployment-share-rules.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules", "redirect_document_id": false }, { "source_path": "windows/deploy/configure-mdt-for-userexit-scripts.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts", "redirect_document_id": false }, { "source_path": "windows/deploy/configure-mdt-settings.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/configure-mdt-settings", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings", "redirect_document_id": false }, { @@ -1742,7 +1742,7 @@ }, { "source_path": "windows/deploy/create-a-windows-10-reference-image.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image", "redirect_document_id": false }, { @@ -1752,7 +1752,7 @@ }, { "source_path": "windows/deploy/deploy-a-windows-10-image-using-mdt.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt", "redirect_document_id": false }, { @@ -1772,7 +1772,12 @@ }, { "source_path": "windows/deploy/deploy-windows-to-go.md", - "redirect_url": "/windows/deployment/deploy-windows-to-go", + "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-to-go.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/deploy-windows-to-go", "redirect_document_id": false }, { @@ -1782,7 +1787,7 @@ }, { "source_path": "windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit", "redirect_document_id": false }, { @@ -1922,7 +1927,7 @@ }, { "source_path": "windows/deploy/prepare-for-windows-deployment-with-mdt.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt", "redirect_document_id": false }, { @@ -2002,7 +2007,7 @@ }, { "source_path": "windows/deploy/refresh-a-windows-7-computer-with-windows-10.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10", "redirect_document_id": false }, { @@ -2017,7 +2022,7 @@ }, { "source_path": "windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer", "redirect_document_id": false }, { @@ -2047,7 +2052,7 @@ }, { "source_path": "windows/deploy/set-up-mdt-for-bitlocker.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker", "redirect_document_id": false }, { @@ -2057,7 +2062,7 @@ }, { "source_path": "windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment", "redirect_document_id": false }, { @@ -2207,7 +2212,7 @@ }, { "source_path": "windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md", - "redirect_url": "/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit", "redirect_document_id": false }, { @@ -2217,12 +2222,12 @@ }, { "source_path": "windows/deploy/use-orchestrator-runbooks-with-mdt.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt", "redirect_document_id": false }, { "source_path": "windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information", "redirect_document_id": false }, { @@ -2252,7 +2257,7 @@ }, { "source_path": "windows/deploy/use-web-services-in-mdt.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt", "redirect_document_id": false }, { @@ -2532,7 +2537,7 @@ }, { "source_path": "windows/deploy/windows-10-poc-mdt.md", - "redirect_url": "/windows/deployment/windows-10-poc-mdt", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-10-poc-mdt", "redirect_document_id": false }, { @@ -11202,7 +11207,12 @@ }, { "source_path": "windows/plan/best-practice-recommendations-for-windows-to-go.md", - "redirect_url": "/windows/deployment/planning/best-practice-recommendations-for-windows-to-go", + "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/best-practice-recommendations-for-windows-to-go", "redirect_document_id": false }, { @@ -11332,7 +11342,12 @@ }, { "source_path": "windows/plan/deployment-considerations-for-windows-to-go.md", - "redirect_url": "/windows/deployment/planning/deployment-considerations-for-windows-to-go", + "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/deployment-considerations-for-windows-to-go.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/deployment-considerations-for-windows-to-go", "redirect_document_id": false }, { @@ -11427,7 +11442,12 @@ }, { "source_path": "windows/plan/prepare-your-organization-for-windows-to-go.md", - "redirect_url": "/windows/deployment/planning/prepare-your-organization-for-windows-to-go", + "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/prepare-your-organization-for-windows-to-go.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/prepare-your-organization-for-windows-to-go", "redirect_document_id": false }, { @@ -11462,7 +11482,12 @@ }, { "source_path": "windows/plan/security-and-data-protection-considerations-for-windows-to-go.md", - "redirect_url": "/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go", + "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/security-and-data-protection-considerations-for-windows-to-go", "redirect_document_id": false }, { @@ -11652,7 +11677,12 @@ }, { "source_path": "windows/plan/windows-to-go-overview.md", - "redirect_url": "/windows/deployment/planning/windows-to-go-overview", + "redirect_url": "/windows/deployment/windows-deployment-scenarios-and-tools", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/planning/windows-to-go-overview.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/windows-to-go-overview", "redirect_document_id": false }, { @@ -12725,6 +12755,11 @@ "redirect_url": "/windows/deployment/update/waas-wufb-group-policy", "redirect_document_id": false }, + { + "source_path": "windows/deployment/planning/windows-to-go-frequently-asked-questions.yml", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/windows-to-go/windows-to-go-frequently-asked-questions", + "redirect_document_id": false + }, { "source_path": "windows/deployment/upgrade/windows-10-edition-upgrades.md", "redirect_url": "/windows/deployment/upgrade/windows-edition-upgrades", @@ -12734,6 +12769,101 @@ "source_path": "windows/deployment/windows-10-media.md", "redirect_url": "/licensing/", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-10-poc-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/windows-10-poc-mdt", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md", + "redirect_url": "/windows/deployment/upgrade/resolve-windows-upgrade-errors", + "redirect_document_id": false } ] } diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json index 06fc754819..292294affa 100644 --- a/.openpublishing.redirection.windows-deployment.json +++ b/.openpublishing.redirection.windows-deployment.json @@ -12,7 +12,7 @@ }, { "source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt", "redirect_document_id": false }, { @@ -22,17 +22,17 @@ }, { "source_path": "windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt", "redirect_document_id": false }, { "source_path": "windows/deployment/deploy-windows-mdt/key-features-in-mdt.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#key-features-in-mdt", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#key-features-in-mdt", "redirect_document_id": false }, { "source_path": "windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#mdt-lite-touch-components", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit#mdt-lite-touch-components", "redirect_document_id": false }, { @@ -692,7 +692,7 @@ }, { "source_path": "windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md", - "redirect_url": "/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit", "redirect_document_id": false }, { diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index d0bee7874b..9ddad9824f 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -8217,13 +8217,123 @@ }, { "source_path": "windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md", - "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust", "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/hello-for-business/hello-identity-verification.md", "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/requirements", "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/deploy/requirements.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/multifactor-unlock", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-and-password-changes.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-how-it-works.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works-authentication", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/how-it-works-provisioning", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-planning-guide.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/prepare-users", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/passwordless-strategy.md", + "redirect_url": "/windows/security/identity-protection/passwordless-strategy/", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/deploy/cloud.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/cloud-only", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-videos.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/hello-faq.yml", + "redirect_url": "/windows/security/identity-protection/hello-for-business/faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md", + "redirect_url": "/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust", + "redirect_document_id": false } ] } \ No newline at end of file diff --git a/.openpublishing.redirection.windows-whats-new.json b/.openpublishing.redirection.windows-whats-new.json index 6a9debfcc4..9e05719ebc 100644 --- a/.openpublishing.redirection.windows-whats-new.json +++ b/.openpublishing.redirection.windows-whats-new.json @@ -1,114 +1,169 @@ { - "redirections": [ - { - "source_path": "windows/whats-new/applocker.md", - "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/bitlocker.md", - "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/change-history-for-what-s-new-in-windows-10.md", - "redirect_url": "/windows/whats-new/index", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/contribute-to-a-topic.md", - "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/credential-guard.md", - "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/device-guard-overview.md", - "redirect_url": "/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/device-management.md", - "redirect_url": "/windows/client-management/index", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/edge-ie11-whats-new-overview.md", - "redirect_url": "/microsoft-edge/deploy/emie-to-improve-compatibility", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/edp-whats-new-overview.md", - "redirect_url": "/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/lockdown-features-windows-10.md", - "redirect_url": "/windows/configuration/lockdown-features-windows-10", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/microsoft-passport.md", - "redirect_url": "/windows/access-protection/hello-for-business/hello-identity-verification", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/new-provisioning-packages.md", - "redirect_url": "/windows/configuration/provisioning-packages/provisioning-packages", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/security-auditing.md", - "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/security.md", - "redirect_url": "/windows/threat-protection/overview-of-threat-mitigations-in-windows-10", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/trusted-platform-module.md", - "redirect_url": "/windows/device-security/tpm/trusted-platform-module-overview", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/user-account-control.md", - "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/windows-10-insider-preview.md", - "redirect_url": "/windows/whats-new", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/windows-11-whats-new.md", - "redirect_url": "/windows/whats-new/windows-11-overview", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/windows-11.md", - "redirect_url": "/windows/whats-new/windows-11-whats-new", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/windows-spotlight.md", - "redirect_url": "/windows/configuration/windows-spotlight", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/windows-store-for-business-overview.md", - "redirect_url": "/microsoft-store/windows-store-for-business-overview", - "redirect_document_id": false - }, - { - "source_path": "windows/whats-new/windows-update-for-business.md", - "redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511", - "redirect_document_id": false - } - ] -} + "redirections":[ + { + "source_path":"windows/whats-new/applocker.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/bitlocker.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/change-history-for-what-s-new-in-windows-10.md", + "redirect_url":"/windows/whats-new/index", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/contribute-to-a-topic.md", + "redirect_url":"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/credential-guard.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/device-guard-overview.md", + "redirect_url":"/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/device-management.md", + "redirect_url":"/windows/client-management/index", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/edge-ie11-whats-new-overview.md", + "redirect_url":"/microsoft-edge/deploy/emie-to-improve-compatibility", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/edp-whats-new-overview.md", + "redirect_url":"/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/lockdown-features-windows-10.md", + "redirect_url":"/windows/configuration/lockdown-features-windows-10", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/microsoft-passport.md", + "redirect_url":"/windows/access-protection/hello-for-business/hello-identity-verification", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/new-provisioning-packages.md", + "redirect_url":"/windows/configuration/provisioning-packages/provisioning-packages", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/security-auditing.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/security.md", + "redirect_url":"/windows/threat-protection/overview-of-threat-mitigations-in-windows-10", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/trusted-platform-module.md", + "redirect_url":"/windows/device-security/tpm/trusted-platform-module-overview", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/user-account-control.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/windows-10-insider-preview.md", + "redirect_url":"/windows/whats-new", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/windows-11-whats-new.md", + "redirect_url":"/windows/whats-new/windows-11-overview", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/windows-11.md", + "redirect_url":"/windows/whats-new/windows-11-whats-new", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/windows-spotlight.md", + "redirect_url":"/windows/configuration/windows-spotlight", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/windows-store-for-business-overview.md", + "redirect_url":"/microsoft-store/windows-store-for-business-overview", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/windows-update-for-business.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-1507-and-1511.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-1607.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1607", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-1703.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1703", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-1709.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1709", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-1803.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1803", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-1809.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-1903.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1903", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-1909.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1909", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-2004.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-2004", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-20H2.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-20H2", + "redirect_document_id":false + }, + { + "source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md", + "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1", + "redirect_document_id":false + } + ] + } diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml index 996e07597a..fc5a540272 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -6,7 +6,7 @@ metadata: author: ramakoni1 ms.author: ramakoni ms.reviewer: ramakoni, DEV_Triage - ms.prod: internet-explorer + ms.service: internet-explorer ms.technology: ms.topic: faq ms.localizationpriority: medium diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 9a93fa8064..4046e74047 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,13 +2,19 @@ -## Week of December 11, 2023 +## Week of January 15, 2024 | Published On |Topic title | Change | |------|------------|--------| -| 12/12/2023 | Chromebook migration guide | removed | -| 12/12/2023 | Deploy Windows 10 in a school district | removed | -| 12/12/2023 | Deploy Windows 10 in a school | removed | -| 12/12/2023 | Windows 10 for Education | removed | -| 12/12/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | +| 1/16/2024 | Deployment recommendations for school IT administrators | removed | +| 1/16/2024 | Microsoft Entra join with Set up School PCs app | removed | +| 1/16/2024 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified | +| 1/16/2024 | Set up student PCs to join domain | removed | +| 1/16/2024 | Provision student PCs with apps | removed | +| 1/16/2024 | Set up Windows devices for education | removed | +| 1/16/2024 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | modified | +| 1/16/2024 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | modified | +| 1/16/2024 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | modified | +| 1/16/2024 | [Set up Microsoft Entra ID](/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id) | modified | +| 1/16/2024 | Windows 10 editions for education customers | removed | diff --git a/education/index.yml b/education/index.yml index a79c5f8617..adc8d30041 100644 --- a/education/index.yml +++ b/education/index.yml @@ -14,7 +14,7 @@ productDirectory: title: For IT admins summary: This guide is designed for IT admins looking for the simplest way to move their platform to the cloud. It does not capture all the necessary steps for large scale or complex deployments. items: - # Card + # Card - title: Phase 1 - Cloud deployment imageSrc: ./images/EDU-Deploy.svg summary: Create your Microsoft 365 tenant, secure and configure your environment, sync your Active Directory and SIS, and license users. @@ -24,12 +24,12 @@ productDirectory: imageSrc: ./images/EDU-Device-Mgmt.svg summary: Get started with Windows for Education, set up and enroll devices in Intune. url: /microsoft-365/education/deploy/set-up-windows-10-education-devices - # Card + # Card - title: Phase 3 - Apps management imageSrc: ./images/EDU-Apps-Mgmt.svg summary: Configure admin settings, set up Teams for Education, install apps and install Minecraft. url: /microsoft-365/education/deploy/configure-admin-settings - # Card + # Card - title: Phase 4 - Complete your deployment # imageSrc should be square in ratio with no whitespace imageSrc: ./images/EDU-Tasks.svg @@ -51,7 +51,7 @@ productDirectory: text: Microsoft Purview compliance - url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx text: Deploying Lockbox - # Card + # Card - title: Analytics & insights imageSrc: ./images/EDU-Education.svg links: @@ -59,7 +59,7 @@ productDirectory: text: Power BI for IT admins - url: /dynamics365/ text: Dynamics 365 - # Card + # Card - title: Find deployment help and other support resources imageSrc: ./images/EDU-Teachers.svg links: @@ -69,14 +69,6 @@ productDirectory: text: Education help center - url: /training/educator-center/ text: Teacher training packs - # Card - - title: Check out our education journey - imageSrc: ./images/EDU-ITJourney.svg - links: - - url: https://edujourney.microsoft.com/k-12/ - text: K-12 - - url: https://edujourney.microsoft.com/hed/ - text: Higher education additionalContent: sections: diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md deleted file mode 100644 index d343391f22..0000000000 --- a/education/windows/edu-deployment-recommendations.md +++ /dev/null @@ -1,129 +0,0 @@ ---- -title: Deployment recommendations for school IT administrators -description: Provides guidance on ways to customize the OS privacy settings, and some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. -ms.topic: best-practice -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- - -# Deployment recommendations for school IT administrators - -Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, and some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we'd like you to be aware of. For more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). - -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). - -## Deployment best practices - -Keep these best practices in mind when deploying any edition of Windows 10 in schools or districts: - -* A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account -* If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school -* IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store -* If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info - -## Windows 10 Contacts privacy settings - -If you're an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district: - -* [Configure Windows telemetry in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) - Describes the types of telemetry we gather and the ways you can manage this data -* [Manage connections from Windows operating system components to Microsoft services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data - -In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student's contacts list. By default, this setting is turned on. - -To change the setting, you can: -* [Turn off access to contacts for all apps](#turn-off-access-to-contacts-for-all-apps) -* [Choose the apps that you want to allow access to contacts](#choose-the-apps-that-you-want-to-allow-access-to-contacts) - -### Turn off access to contacts for all apps - -To turn off access to contacts for all apps on individual Windows devices: - -1. On the computer, go to **Settings** and select **Privacy**. -1. Under the list of **Privacy** areas, select **Contacts**. -1. Turn off **Let apps access my contacts**. - -For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To turn off the setting: - -1. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**. -1. Set the **Select a setting** box to **Force Deny**. - -### Choose the apps that you want to allow access to contacts - -If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off. - -The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you've installed and which of these apps access contacts. - -To allow only certain apps to have access to contacts, you can: - -- Configure each app individually using the **Settings** > **Contacts** option in the Windows UI -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce - -## Skype and Xbox settings - -Skype (a Universal Windows Platform [UWP]) and Xbox are preinstalled as part of Windows 10. - -The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see [Skype for Windows 10 Insiders – your most asked questions](https://go.microsoft.com/fwlink/?LinkId=821441). - -With the Xbox app, students can use their Xbox profiles to play and make progress on their games using their Windows-based device. They can also unlock achievements and show off to their friends with game clips and screenshots. The Xbox app requires a Microsoft account, which is a personal account. - -Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox aren't manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories. - -If the school allows the use of personal or Microsoft account in addition to organization accounts, we also recommend that IT administrators inform parents and students that they can optionally remove any identifying information from the directories by: - -* [Managing the user profile](#managing-the-user-profile) -* [Deleting the account if the user name is part of the identifying information](#delete-an-account-if-username-is-identifying) - -### Managing the user profile - -#### Skype - -Skype uses the user's contact details to deliver important information about the account and it also lets friends find each other on Skype. - -To manage and edit your profile in the Skype UWP app, follow these steps: - -1. In the Skype UWP app, select the user profile icon to go to the user's profile page. -2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal. -3. In the online Skype portal, scroll down to the **Account details** section. In **Settings and preferences**, click **Edit profile**. - - The profile page includes these sections: - - * Personal information - * Contact details - * Profile settings - -4. Review the information in each section and click **Edit profile** in either or both the **Personal information** and **Contact details** sections to change the information being shared. You can also remove the checks in the **Profile settings** section to change settings on discoverability, notifications, and staying in touch. -5. If you don't wish the name to be included, edit the fields and replace the fields with **XXX**. -6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. - - * To take a new picture, click the camera icon in the pop-up window. To upload a new picture, click the three dots (**...**) - * You can also change the visibility of the profile picture between public (everyone) or for contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only** - -#### Xbox - -A user's Xbox friends and their friends' friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child's family can change these default settings to allow it to be more permissive. - -To learn more about how families can manage security and privacy settings on Xbox, see this [Xbox article on security](https://go.microsoft.com/fwlink/?LinkId=821445). - - -### Delete an account if username is identifying - -If you want to delete either (or both) the Skype and the Xbox accounts, here's how to do it. - -#### Skype - -To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](https://go.microsoft.com/fwlink/?LinkId=816515) - -If you need help with deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you've signed in, you can: - -1. Select a help topic (**Account and Password**) -1. Select a related problem (**Deleting an account**) -1. Click **Next**. -1. Select a contact method to get answers to your questions. - -#### Xbox - -To delete an Xbox account, you can follow the instructions here: [How to delete your Microsoft account and personal information associated with it](https://go.microsoft.com/fwlink/?LinkId=816521). - -## Related topics -[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) diff --git a/education/windows/index.yml b/education/windows/index.yml index 3c3dfae79b..2959b14bbb 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -11,6 +11,7 @@ metadata: ms.collection: - education - tier1 + - essentials-navigation author: paolomatarazzo ms.author: paoloma manager: aaroncz diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md deleted file mode 100644 index 27bffd9a4e..0000000000 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ /dev/null @@ -1,86 +0,0 @@ ---- -title: Microsoft Entra join with Set up School PCs app -description: Learn how Microsoft Entra join is configured in the Set up School PCs app. -ms.topic: reference -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- - -# Microsoft Entra join for school PCs - -> [!NOTE] -> Set up School PCs app uses Microsoft Entra join to configure PCs. The app is helpful if you use the cloud based directory, Microsoft Entra ID. If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration -> Designer](set-up-students-pcs-to-join-domain.md) to -> join your PCs to your school's domain. - -Set up School PCs lets you create a provisioning package that automates Microsoft Entra ID -Join on your devices. This feature eliminates the need to manually: - -- Connect to your school's network. -- Join your organization's domain. - -## Automated connection to school domain - -During initial device setup, Microsoft Entra join automatically connects your PCs to your school's Microsoft Entra domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup. - -Students who sign in to their PCs with their Microsoft Entra credentials get access to on-premises apps and the following cloud apps: -* Office 365 -* OneDrive -* OneNote - - - -## Enable Microsoft Entra join - -Learn how to enable Microsoft Entra join for your school. After you configure this setting, you'll be able to request an automated Microsoft Entra bulk token, which you need to create a provisioning package. - -1. Sign in to the Azure portal with your organization's credentials. -2. Go to **Azure -Active Directory** \> **Devices** \> **Device settings**. -3. Enable the setting -for Microsoft Entra ID by selecting **All** or **Selected**. If you choose the latter -option, select the teachers and IT staff to allow them to connect to Microsoft Entra ID. - -![Select the users you want to let join devices to Azure AD.](images/suspcs/suspc-enable-shared-pc-1807.png) - -You can also create an account that holds the exclusive rights to join devices. When a student PC has to be set up, provide the account credentials to the appropriate teachers or staff. - -## All Device Settings - -The following table describes each setting within **Device Settings**. - -| Setting | Description | -|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Users may join devices to Microsoft Entra ID | Choose the scope of people in your organization that are allowed to join devices to Microsoft Entra ID. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Microsoft Entra ID. | -| More local administrators on Microsoft Entra joined devices | Only applicable to Microsoft Entra ID P1 or P2 tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. | -| Users may register their devices with Microsoft Entra ID | Allow all or none of your users to register their devices with Microsoft Entra ID (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. | -| Require Multi-Factor Authentication to join devices | Recommended when adding devices to Microsoft Entra ID. When set to **Yes**, users that are setting up devices must enter a second method of authentication. | -| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Microsoft Entra ID. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added. | -| Users may sync settings and enterprise app data | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Microsoft Entra ID P1 or P2 are permitted to select specific users to allow. | - - - -## Clear Microsoft Entra tokens - -Your Intune tenant can only have 500 active Microsoft Entra tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens. - -To reduce your inventory, clear out all unnecessary and inactive tokens. -1. Go to **Microsoft Entra ID** > **Users** > **All users** -2. In the **User Name** column, select and delete all accounts with a **package\ _** -prefix. These accounts are created at a 1:1 ratio for every token and are safe -to delete. -3. Select and delete inactive and expired user accounts. - -### How do I know if my package expired? -Automated Microsoft Entra tokens expire after 180 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts. - -![Screenshot of the Azure portal, Microsoft Entra ID, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspcs/suspc-admin-token-delete-1807.png) - -## Next steps -Learn more about setting up devices with the Set up School PCs app. -* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) -* [Set up School PCs technical reference](set-up-school-pcs-technical.md) -* [Set up Windows 10 devices for education](set-up-windows-10.md) - -When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 8dd635d04e..213c75c26f 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -2,7 +2,7 @@ title: Set up School PCs app technical reference overview description: Describes the purpose of the Set up School PCs app for Windows 10 devices. ms.topic: overview -ms.date: 08/10/2022 +ms.date: 01/16/2024 appliesto: - ✅ Windows 10 --- @@ -14,47 +14,36 @@ The **Set up School PCs** app helps you configure new Windows 10 PCs for school If your school uses Microsoft Entra ID or Office 365, the Set up School PCs app will create a setup file. This file joins the PC to your Microsoft Entra tenant. The app also helps set up PCs for use with or without Internet connectivity. - +## Join devices to Microsoft Entra ID -## Join PC to Microsoft Entra ID -If your school uses Microsoft Entra ID or Office 365, the Set up -School PCs app creates a setup file that joins your PC to your Azure Active -Directory tenant. +If your school uses Microsoft Entra ID or Office 365, the Set up School PCs app creates a setup file that joins your PC to your Microsoft Entra ID tenant. The app also helps set up PCs for use with or without Internet connectivity. ## List of Set up School PCs features + The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription. -| Feature | No Internet | Microsoft Entra ID | Office 365 | Microsoft Entra ID P1 or P2 | -|--------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------| -| **Fast sign-in** | X | X | X | X | -| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | | -| **Custom Start experience** | X | X | X | X | -| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | | -| **Guest account, no sign-in required** | X | X | X | X | -| Set up computers for use by anyone with or without an account. | | | | | -| **School policies** | X | X | X | X | -| Settings create a relevant, useful learning environment and optimal computer performance. | | | | | -| **Microsoft Entra join** | | X | X | X | -| Computers join with your existing Microsoft Entra ID or Office 365 subscription for centralized management. | | | | | -| **Single sign-on to Office 365** | | | X | X | -| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | | -| **Take a Test app** | | | | X | -| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | | -| [Settings roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) **via Microsoft Entra ID** | | | | X | -| Synchronize student and application data across devices for a personalized experience. | | | | | +| Feature | No Internet | Microsoft Entra ID | Office 365 | Microsoft Entra ID P1 or P2 | +|--|--|--|--|--| +| **Fast sign-in** | X | X | X | X | +| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | | +| **Custom Start experience** | X | X | X | X | +| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | | +| **Guest account, no sign-in required** | X | X | X | X | +| Set up computers for use by anyone with or without an account. | | | | | +| **School policies** | X | X | X | X | +| Settings create a relevant, useful learning environment and optimal computer performance. | | | | | +| **Microsoft Entra join** | | X | X | X | +| Computers join with your existing Microsoft Entra ID or Office 365 subscription for centralized management. | | | | | +| **Single sign-on to Office 365** | | | X | X | +| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | | +| **Take a Test app** | | | | X | +| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | | +| [Settings roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) **via Microsoft Entra ID** | | | | X | +| Synchronize student and application data across devices for a personalized experience. | | | | | -> [!NOTE] -> If your school uses Active Directory, use [Windows Configuration -> Designer](set-up-students-pcs-to-join-domain.md) -> to configure your PCs to join the domain. You can only use the Set up School -> PCs app to set up PCs that are connected to Microsoft Entra ID. - -## Next steps -Learn more about setting up devices with the Set up School PCs app. -* [Microsoft Entra join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) -* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) -* [Set up Windows 10 devices for education](set-up-windows-10.md) +>[!NOTE] +>You can only use the Set up School PCs app to set up PCs that are connected to Microsoft Entra ID. When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md deleted file mode 100644 index 91f2ad28d1..0000000000 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: Set up student PCs to join domain -description: Learn how to use Windows Configuration Designer to provision student devices to join Active Directory. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- - -# Set up student PCs to join domain - -If your school uses Active Directory, use the Windows Configuration Designer tool to create a provisioning package that will configure a PC for student use that is joined to the Active Directory domain. - -## Install Windows Configuration Designer -Follow the instructions in [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). - -## Create the provisioning package -Follow the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment). However, make a note of these steps to further customize the provisioning package for use in a school that will join a student PC to a domain: - -1. In the **Account Management** step: - - > [!WARNING] - > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you'll have to reimage the device and start over. As a best practice, we recommend: - > - Use a least-privileged domain account to join the device to the domain. - > - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - > - [Use Group Policy to delete the temporary administrator account](/archive/blogs/canitpro/group-policy-creating-a-standard-local-admin-account) after the device is enrolled in Active Directory. - -2. After you're done with the wizard, don't click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**. -3. Find the **SharedPC** settings group. - - Set **EnableSharedPCMode** to **TRUE** to configure the PC for shared use. -4. (Optional) To configure the PC for secure testing, follow these steps. - 1. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. - 2. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. - - **Figure 7** - Add the account to use for test-taking - - ![Add the account to use for test-taking.](images/wcd/wcd_settings_assignedaccess.png) - - The account can be in one of the following formats: - - username - - domain\username - - computer name\\username - - username@tenant.com - - 3. Under **Runtime settings**, go to **TakeATest** and configure the following settings: - 1. In **LaunchURI**, enter the assessment URL. - 2. In **TesterAccount**, enter the test account you entered in the previous step. - -5. To configure other settings to make Windows education ready, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) and follow the guidance on what settings you can set using Windows Configuration Designer. - -6. Follow the steps to [build a package](/windows/configuration/provisioning-packages/provisioning-create-package#build-package). - - You'll see the file path for your provisioning package. By default, this path is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). - - Copy the provisioning package to a USB drive. - - > [!IMPORTANT] - > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -## Apply package -Follow the steps in [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to apply the package that you created. \ No newline at end of file diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md deleted file mode 100644 index 669dc2484c..0000000000 --- a/education/windows/set-up-students-pcs-with-apps.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: Provision student PCs with apps -description: Learn how to use Windows Configuration Designer to easily provision student devices to join Active Directory. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- -# Provision student PCs with apps - -To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps). - -Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. - -You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. - -- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps). - -- If you want to provision a school PC to join Microsoft Entra ID, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package. - -## Learn more - --[Develop Universal Windows Education apps](/windows/uwp/apps-for-education/) - -- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md deleted file mode 100644 index 784d5978ac..0000000000 --- a/education/windows/set-up-windows-10.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: Set up Windows devices for education -description: Decide which option for setting up Windows 10 is right for you. -ms.topic: overview -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- - -# Set up Windows devices for education - -You have two tools to choose from to set up PCs for your classroom: - -- Set up School PCs -- Windows Configuration Designer - -Choose the tool that is appropriate for how your students will sign in (Active Directory, Microsoft Entra ID, or no account). - -You can use the following diagram to compare the tools. - -![Which tool to use to set up Windows 10.](images/suspcs/suspc_wcd_featureslist.png) - -## In this section - -- [Use the Set up School PCs app](use-set-up-school-pcs-app.md) -- [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) -- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) -- [Provision student PCs with apps](set-up-students-pcs-with-apps.md) - -## Related topics - -[Take tests in Windows](take-tests-in-windows.md) -[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)S diff --git a/education/windows/toc.yml b/education/windows/toc.yml index a574722c09..ef02b15f30 100644 --- a/education/windows/toc.yml +++ b/education/windows/toc.yml @@ -26,8 +26,6 @@ items: href: /windows/deployment/windows-10-pro-in-s-mode?context=/education/context/context - name: Deploy Win32 apps to S Mode devices href: /windows/security/threat-protection/windows-defender-application-control/lob-win32-apps-on-s?context=/education/context/context - - name: Windows 10 editions for education customers - href: windows-editions-for-education-customers.md - name: Considerations for shared and guest devices href: /windows/configuration/shared-devices-concepts?context=/education/context/context - name: Windows 10 configuration recommendations for education customers @@ -64,8 +62,6 @@ items: href: set-up-school-pcs-technical.md - name: Provisioning package settings href: set-up-school-pcs-provisioning-package.md - - name: What's new in Set up School PCs - href: set-up-school-pcs-whats-new.md - name: Take a Test technical reference href: take-a-test-app-technical.md - name: Shared PC technical reference diff --git a/education/windows/tutorial-school-deployment/configure-device-apps.md b/education/windows/tutorial-school-deployment/configure-device-apps.md index ef1e695396..25171ff770 100644 --- a/education/windows/tutorial-school-deployment/configure-device-apps.md +++ b/education/windows/tutorial-school-deployment/configure-device-apps.md @@ -1,7 +1,7 @@ --- title: Configure applications with Microsoft Intune description: Learn how to configure applications with Microsoft Intune in preparation for device deployment. -ms.date: 03/08/2023 +ms.date: 01/16/2024 ms.topic: tutorial --- @@ -14,11 +14,12 @@ Applications can be assigned to groups: - If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into - If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in -In this section you will: > [!div class="checklist"] -> * Add apps to Intune for Education -> * Assign apps to groups -> * Review some considerations for Windows 11 SE devices +>In this section you will: +> +> - Add apps to Intune for Education +> - Assign apps to groups +> - Review some considerations for Windows 11 SE devices ## Add apps to Intune for Education diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md index fc71325532..5733d483e9 100644 --- a/education/windows/tutorial-school-deployment/configure-device-settings.md +++ b/education/windows/tutorial-school-deployment/configure-device-settings.md @@ -1,8 +1,9 @@ --- title: Configure and secure devices with Microsoft Intune description: Learn how to configure policies with Microsoft Intune in preparation for device deployment. -ms.date: 11/09/2023 +ms.date: 01/16/2024 ms.topic: tutorial +ms.collection: essentials-manage --- # Configure and secure devices with Microsoft Intune @@ -23,12 +24,14 @@ There are two ways to manage settings in Intune for Education: > [!NOTE] > Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices. -In this section you will: + > [!div class="checklist"] -> * Configure settings with Express Configuration -> * Configure group settings -> * Create Windows Update policies -> * Configure security policies +>In this section you will: +> +> - Configure settings with Express Configuration +> - Configure group settings +> - Create Windows Update policies +> - Configure security policies ## Configure settings with Express Configuration diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md index fa6e5c218a..27ad5f3a8d 100644 --- a/education/windows/tutorial-school-deployment/configure-devices-overview.md +++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md @@ -3,6 +3,7 @@ title: Configure devices with Microsoft Intune description: Learn how to configure policies and applications in preparation for device deployment. ms.date: 11/09/2023 ms.topic: tutorial +ms.collection: essentials-manage --- # Configure settings and applications with Microsoft Intune @@ -11,11 +12,13 @@ Before distributing devices to your users, you must ensure that the devices will Microsoft Intune uses Microsoft Entra groups to assign policies and applications to devices. With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them. -In this section you will: + > [!div class="checklist"] -> * Create groups -> * Create and assign policies to groups -> * Create and assign applications to groups +>In this section you will: +> +> - Create groups +> - Create and assign policies to groups +> - Create and assign applications to groups ## Create groups diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md index 26300b5115..23985289cf 100644 --- a/education/windows/tutorial-school-deployment/enroll-autopilot.md +++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md @@ -1,7 +1,7 @@ --- title: Enrollment in Intune with Windows Autopilot description: Learn how to join Microsoft Entra ID and enroll in Intune using Windows Autopilot. -ms.date: 03/08/2023 +ms.date: 01/16/2024 ms.topic: tutorial --- @@ -61,8 +61,9 @@ More advanced dynamic membership rules can be created from Microsoft Intune admi For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices. A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be: + 1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Microsoft Entra join process during OOBE -1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode. +1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode To create an Autopilot deployment profile: @@ -142,8 +143,6 @@ With the devices joined to Microsoft Entra tenant and managed by Intune, you can [M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2 -[EDU-1]: /education/windows/windows-11-se-overview -[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot [EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page [SURF-1]: /surface/surface-autopilot-registration-support diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md index 6ddb3c8c54..c72273b7aa 100644 --- a/education/windows/tutorial-school-deployment/index.md +++ b/education/windows/tutorial-school-deployment/index.md @@ -3,6 +3,7 @@ title: Introduction to the tutorial deploy and manage Windows devices in a schoo description: Introduction to deployment and management of Windows devices in education environments. ms.date: 11/09/2023 ms.topic: tutorial +ms.collection: essentials-get-started --- # Tutorial: deploy and manage Windows devices in a school diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md index b1ab1cfc12..845d66a892 100644 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md @@ -1,7 +1,7 @@ --- title: Set up Microsoft Entra ID description: Learn how to create and prepare your Microsoft Entra tenant for an education environment. -ms.date: 11/09/2023 +ms.date: 01/16/2024 ms.topic: tutorial appliesto: --- @@ -12,12 +12,13 @@ The Microsoft platform for education simplifies the management of Windows device Microsoft Entra ID, which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Microsoft Entra ID for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms. -In this section you will: > [!div class="checklist"] -> * Set up a Microsoft 365 Education tenant -> * Add users, create groups, and assign licenses -> * Configure school branding -> * Enable bulk enrollment +>In this section you will: +> +> - Set up a Microsoft 365 Education tenant +> - Add users, create groups, and assign licenses +> - Configure school branding +> - Enable bulk enrollment ## Create a Microsoft 365 tenant @@ -45,7 +46,7 @@ For more information, see [Overview of the Microsoft 365 admin center][M365-2]. With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above. > [!NOTE] -> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Azure Active Directory Sync](#azure-active-directory-sync) below. +> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Microsoft Entra Connect Sync](#microsoft-entra-connect-sync) below. ### School Data Sync @@ -61,7 +62,7 @@ For more information, see [Overview of School Data Sync][SDS-1]. > > Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment. -### Azure Active Directory Sync +### Microsoft Entra Connect Sync To integrate an on-premises directory with Microsoft Entra ID, you can use **Microsoft Entra Connect** to synchronize users, groups, and other objects. Microsoft Entra Connect lets you configure the authentication method appropriate for your school, including: diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md index 38dc58b276..1ee9608b0c 100644 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md @@ -1,7 +1,7 @@ --- title: Set up device management description: Learn how to configure the Intune service and set up the environment for education. -ms.date: 11/09/2023 +ms.date: 01/16/2024 ms.topic: tutorial appliesto: --- @@ -18,10 +18,11 @@ The Microsoft Intune service can be managed in different ways, and one of them i For more information, see [Intune for Education documentation][INT-1]. -In this section you will: > [!div class="checklist"] -> * Review Intune's licensing prerequisites -> * Configure the Intune service for education devices +>In this section you will: +> +> - Review Intune's licensing prerequisites +> - Configure the Intune service for education devices ## Prerequisites diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml index 52fa4c5d69..4a9b022c07 100644 --- a/education/windows/windows-11-se-faq.yml +++ b/education/windows/windows-11-se-faq.yml @@ -3,7 +3,7 @@ metadata: title: Windows 11 SE Frequently Asked Questions (FAQ) description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE. ms.topic: faq - ms.date: 03/09/2023 + ms.date: 01/16/2024 appliesto: - ✅ Windows 11 SE diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index e82eb8a227..eec8f909f1 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -2,7 +2,7 @@ title: Windows 11 SE Overview description: Learn about Windows 11 SE, and the apps that are included with the operating system. ms.topic: overview -ms.date: 11/02/2023 +ms.date: 01/09/2024 appliesto: - ✅ Windows 11 SE ms.collection: @@ -88,6 +88,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `AristotleK12 Borderless Classroom ` | 3.0.11. | `Win32` | `Sergeant Laboratories` | | `AristotleK12 Analytics ` | 10.0.6 | `Win32` | `Sergeant Laboratories` | | `AristotleK12 Network filter` | 3.1.10 | `Win32` | `Sergeant Laboratories` | +| `Bluebook` | 0.9.203 | `Win32` | `Collegeboard` | | `Brave Browser` | 106.0.5249.119 | `Win32` | `Brave` | | `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` | | `CA Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` | @@ -101,8 +102,9 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` | | `DigiExam` | 14.1.0 | `Win32` | `Digiexam` | | `Digital Secure testing browser` | 15.0.0 | `Win32` | `Digiexam` | +| `Dolphin Guide Connect` | 1.25 | `Win32` | `Dolphin Guide Connect` | | `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` | -| `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` | +| `DRC INSIGHT Online Assessments` | 14.0.0.0 | `Store` | `Data recognition Corporation` | | `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` | | `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` | | `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` | @@ -125,9 +127,9 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Impero Backdrop Client` | 5.0.151 | `Win32` | `Impero Software` | | `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` | | `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` | -| `JAWS for Windows` | 2022.2112.24 | `Win32` | `Freedom Scientific` | +| `JAWS for Windows` | 2023.2307.37 | `Win32` | `Freedom Scientific` | | `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` | -| `Keyman` | 16.0.141 | `Win32` | `SIL International` | +| `Keyman` | 16.0.142 | `Win32` | `SIL International` | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` | | `Kurzweil 3000 Assistive Learning` | 20.13.0000 | `Win32` | `Kurzweil Educational Systems` | | `LanSchool Classic` | 9.1.0.46 | `Win32` | `Stoneware, Inc.` | @@ -135,10 +137,13 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Lexibar` | 3.07.02 | `Win32` | `Lexibar` | | `LGfL HomeProtect` | 8.3.44.11 | `Win32` | `LGFL` | | `Lightspeed Smart Agent` | 1.9.1 | `Win32` | `Lightspeed Systems` | -| `Lightspeed Filter Agent` | 2.3.4 | `Win32` | `Lightspeed Systems` | +| `Lightspeed Classroom` | 3.4.5.0 | `Win32` | `Lightspeed Systems` | +| `Lightspeed Filter Agent` | 2.5.2 | `Win32` | `Lightspeed Systems` | | `Lightspeed Digital` | 3.12.3.11 | `Win32` | `Lightspeed Systems` | +| `Linewize Authentication agent ` |1.4.1 | `Win32` | `Linewize` | | `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` | | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` | +| `Mind+ Desktop` | 1.8.0 | `Win32` | `Mind+Desktop` | | `Mozilla Firefox` | 116.0.2 | `Win32` | `Mozilla` | | `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` | | `Musescore` | 4.1.1.232071203 | `Win32` | `Musescore` | @@ -157,19 +162,20 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `PaperCut` | 22.0.6 | `Win32` | `PaperCut Software International Pty Ltd` | | `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` | | `Project Monarch Outlook` | 1.2023.831.400 | `Store` | `Microsoft` | -| `Questar Secure Browser` | 5.0.1.456 | `Win32` | `Questar, Inc` | +| `Questar Secure Browser` | 5.0.5.536 | `Win32` | `Questar, Inc` | | `ReadAndWriteForWindows` | 12.0.78 | `Win32` | `Texthelp Ltd.` | | `Remote Desktop client (MSRDC)` | 1.2.4487.0 | `Win32` | `Microsoft` | -| `Remote Help` | 4.0.1.13 | `Win32` | `Microsoft` | +| `Remote Help` | 5.0.1311.0 | `Win32` | `Microsoft` | | `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` | | `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` | -|`SchoolYear` | 3.5.4 | `Win32` |`SchoolYear` | -|`School Manager` | 3.6.8.1109 | `Win32` |`School Manager` | +|`SchoolYear` | 3.5.4 | `Win32` |`SchoolYear` | +|`School Manager` | 3.6.10-1149 | `Win32` |`Linewize` | +|`Schoolnet Secure Tester` | 2.1.0 | `Win32` |`School Net` | |`Scratch` | 3.0 | `Win32` |`MIT` | -| `Senso.Cloud` | 2021.11.15.0 | `Win32` | `Senso.Cloud` | +| `Senso.Cloud` |2021.11.15.0 | `Win32` | `Senso.Cloud` | | `Skoolnext` | 2.19 | `Win32` | `Skool.net` | | `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` | -| `SuperNova Magnifier & Screen Reader` | 22.02 | `Win32` | `Dolphin Computer Access` | +| `SuperNova Magnifier & Screen Reader` | 22.03 | `Win32` | `Dolphin Computer Access` | | `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` | |`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` | | `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` | @@ -218,4 +224,4 @@ For more information on Intune requirements for adding education apps, see [Conf [EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps [EDUWIN-2]: /education/windows/tutorial-school-deployment/ -[WIN-1]: /windows/whats-new/windows-11-requirements +[WIN-1]: /windows/whats-new/windows-11-requirements \ No newline at end of file diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md deleted file mode 100644 index 7c6ecca23b..0000000000 --- a/education/windows/windows-editions-for-education-customers.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -title: Windows 10 editions for education customers -description: Learn about the two Windows 10 editions that are designed for the needs of education institutions. -ms.topic: overview -ms.date: 07/25/2023 -appliesto: - - ✅ Windows 10 ---- - -# Windows 10 editions for education customers - -Windows 10 offers various new features and functionalities, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). - -Windows 10 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. - -## Windows 10 Pro Education - -Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). - -Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future). - -Existing devices running Windows 10 Pro, currently activated with the original OEM digital product key and purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future), will upgrade automatically to Windows 10 Pro Education as part of the Windows 10, version 1607 installation. - -Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - -Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](/windows/configuration/manage-tips-and-suggestions) and apply desired settings for your environment. - -## Windows 10 Education - -Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). - -Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you don't have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628). - -Customers who deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](/windows/configuration/manage-tips-and-suggestions) and apply desired settings for your environment. - -For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us). - -## Related topics - -- [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) -- [Windows deployment for education](./index.yml) -- [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths) -- [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10) -- [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client) -- [Windows 10 subscription activation](/windows/deployment/windows-10-subscription-activation) -- \ No newline at end of file diff --git a/images/group-policy.svg b/images/group-policy.svg index ace95add6b..95957a5914 100644 --- a/images/group-policy.svg +++ b/images/group-policy.svg @@ -1,3 +1,9 @@ - - - \ No newline at end of file + + + + + + + + + diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/system-guard.md similarity index 75% rename from includes/licensing/windows-defender-system-guard.md rename to includes/licensing/system-guard.md index cecce5edd5..0c165234b4 100644 --- a/includes/licensing/windows-defender-system-guard.md +++ b/includes/licensing/system-guard.md @@ -7,13 +7,13 @@ ms.topic: include ## Windows edition and licensing requirements -The following table lists the Windows editions that support Windows Defender System Guard: +The following table lists the Windows editions that support System Guard: |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -Windows Defender System Guard license entitlements are granted by the following licenses: +System Guard license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index 15adb1f6c8..368df86b94 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.author: cmcatee author: cmcatee-MSFT manager: scotv ms.topic: conceptual -ms.date: 06/29/2023 +ms.date: 01/11/2024 ms.reviewer: --- @@ -22,9 +22,17 @@ Because Microsoft Store for Business and Education will be retired, we no longer Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## January 2024 + +**Removal of private store capability from Microsoft Store for Business and Education** + +The private store tab and associated functionality was removed from the Microsoft Store for Business and Education portal. This includes the ability to add apps to private groups and to download and install apps from the private store. + +We recommend customers use the [Private app repository, Windows Package Manager, and Company Portal app](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) to provide a private app repository within their organization. + ## May 2023 -### Removal of Microsoft Store for Business tab from Microsoft Store app on Windows 10 PCs +**Removal of Microsoft Store for Business tab from Microsoft Store app on Windows 10 PCs** The Microsoft Store for Business tab was removed from the Microsoft Store app on Windows 10. The Microsoft Store for Business tab is still available on HoloLens devices. @@ -45,33 +53,41 @@ We recommend that you add your apps through the new Microsoft Store app experien Follow the [Intune Customer Success blog](https://aka.ms/IntuneCustomerSuccess) where we will publish more information about this change. ## April 2023 + - **Tab removed from Microsoft Store apps on Windows 11 PCs** – The Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. [Get more info](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed) ## October 2018 + - **Use security groups with Private store apps** - On the details page for apps in your private store, you can set Private store availability. This allows you to choose which security groups can see an app in the private store. [Get more info](app-inventory-management-microsoft-store-for-business.md) ## September 2018 + - **Performance improvements** - With updates and improvements in the private store, most changes, like adding an app, will take fifteen minutes or less. [Get more info](/microsoft-store/manage-private-store-settings#private-store-performance) ## August 2018 - **App requests** - People in your organization can make requests for apps that they need. hey can also request them on behalf of other people. Admins review requests and can decide on purchases. [Get more info](./acquire-apps-microsoft-store-for-business.md#allow-app-requests) ## July 2018 + - Bug fixes and performance improvements. ## June 2018 -- **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection. + +- **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection. - **Performance improvements in private store** - We continue to work on performance improvements in the private store. Now, most products new to your inventory are available in your private store within 15 minutes of adding them. [Get more info](./manage-private-store-settings.md#private-store-performance) ## May 2018 + - **Immersive Reader app available in Microsoft Store for Education** - This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. ## April 2018 + - **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We'll figure out who's in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we'll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. - **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. - **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. ## March 2018 + - **Performance improvements in private store** - We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. [Get more info](./manage-private-store-settings.md#private-store-performance) - **Private store collection updates** - We've made it easier to find apps when creating private store collections – now you can search and filter results. [Get more info](./manage-private-store-settings.md#private-store-collections) @@ -79,19 +95,23 @@ Follow the [Intune Customer Success blog](https://aka.ms/IntuneCustomerSuccess) - **Upgrade Microsoft 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 for business subscription to a Microsoft 365 for business subscription. ## January and February 2018 + - **One place for apps, software, and subscriptions** - The new **Products & services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services. - **Create collections of apps in your private store** - Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class. [Get more info](./manage-private-store-settings.md#private-store-collections) - **Upgrade Office 365 trial subscription** - Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal. - **Supporting Microsoft Product and Services Agreement customers** - If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details. -- **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. +- **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. ## December 2017 + - Bug fixes and performance improvements. ## November 2017 + - **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file. ## October 2017 + - Bug fixes and performance improvements. ## September 2017 @@ -102,4 +122,4 @@ Follow the [Intune Customer Success blog](https://aka.ms/IntuneCustomerSuccess) - **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redeeming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. - **Manage Office 365 subscriptions acquired by partners** - Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions. - **Edge extensions in Microsoft Store** - Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app. -- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results. \ No newline at end of file +- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 8ab993b759..964efc7788 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.author: cmcatee author: cmcatee-MSFT manager: scotv ms.topic: conceptual -ms.date: 06/29/2023 +ms.date: 01/11/2024 ms.reviewer: --- @@ -20,40 +20,19 @@ ms.reviewer: ## Latest updates for Store for Business and Education -**May 2023** +**January 2024** -**Removal of Microsoft Store for Business tab from Microsoft Store app on Windows 10 PCs** +**Removal of private store capability from Microsoft Store for Business and Education** -The Microsoft Store for Business tab was removed from the Microsoft Store app on Windows 10. The Microsoft Store for Business tab is still available on HoloLens devices. +The private store tab and associated functionality was removed from the Microsoft Store for Business and Education portal. This includes the ability to add apps to private groups and to download and install apps from the private store. -Users on Windows 10 PCs can no longer do the following tasks: - -- see Line of Business (LOB) products listed in the Microsoft Store for Business tab -- acquire or install [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) -- assign licenses for existing [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) using the Store for Business portal or Store for Business app - -[Offline app](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) distribution and licensing scenarios aren't impacted by this change. - -We recommend that you add your apps through the new Microsoft Store app experience in Intune. If an app isn’t available in the Microsoft Store, you must retrieve an app package from the vendor and install it as an LOB app or Win32 app. For instructions, read the following articles: - -- [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft) -- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows) -- [Add, assign, and monitor a Win32 app in Microsoft Intune](/mem/intune/apps/apps-win32-add) - -Follow the [Intune Customer Success blog](https://aka.ms/IntuneCustomerSuccess) where we will publish more information about this change. - - +We recommend customers use the [Private app repository, Windows Package Manager, and Company Portal app](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) to provide a private app repository within their organization. ## Previous releases and updates +[May 2023](release-history-microsoft-store-business-education.md#may-2023) +- Tab removed from Microsoft Store apps on Windows 10 PCs. + [April 2023](release-history-microsoft-store-business-education.md#april-2023) - Tab removed from Microsoft Store apps on Windows 11 PCs. diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index db4571a9c6..534e26d426 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -6,8 +6,8 @@ ms.author: aaroncz manager: aaroncz ms.date: 08/18/2023 ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.localizationpriority: medium ms.collection: tier2 appliesto: diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md index 4fc8997a6e..94c799e8af 100644 --- a/windows/application-management/app-v/appv-about-appv.md +++ b/windows/application-management/app-v/appv-about-appv.md @@ -2,14 +2,14 @@ title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10) description: Information about what's new in App-V for Windows 10, version 1703 and earlier. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/08/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # What's new in App-V for Windows 10, version 1703 and earlier diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md index 040eda052e..21175a8da7 100644 --- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md @@ -2,14 +2,14 @@ title: How to Add or Remove an Administrator by Using the Management Console (Windows 10/11) description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/08/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to add or remove an administrator by using the Management Console diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md index b11acc20a7..ee6544a181 100644 --- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md @@ -2,14 +2,14 @@ title: How to Add or Upgrade Packages by Using the Management Console (Windows 10/11) description: Add or upgrade packages on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/08/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to add or upgrade packages by using the Management Console diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md index ec381c1293..9260eaa159 100644 --- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md +++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md @@ -2,14 +2,14 @@ title: Administering App-V by using Windows PowerShell (Windows 10/11) description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/08/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Administering App-V by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md index cf6f1e8a76..3ae0ecc41f 100644 --- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md +++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md @@ -2,14 +2,14 @@ title: Administering App-V Virtual Applications by using the Management Console (Windows 10/11) description: Administering App-V Virtual Applications by using the Management Console author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/08/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Administering App-V Virtual Applications by using the Management Console diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md index a02875375a..24ab5d46a1 100644 --- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md +++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md @@ -2,14 +2,14 @@ title: Only Allow Admins to Enable Connection Groups (Windows 10/11) description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/08/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to allow only administrators to enable connection groups diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 025efdca77..363bf2e7ec 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -2,14 +2,14 @@ title: Application Publishing and Client Interaction (Windows 10/11) description: Learn technical information about common App-V Client operations and their integration with the local operating system. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/08/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Application publishing and client interaction diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md index 24903fe377..310cac6312 100644 --- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md @@ -2,14 +2,14 @@ title: Apply deployment config file via Windows PowerShell (Windows 10/11) description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10/11. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/15/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to apply the deployment configuration file by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index 9d78748d49..cb64552879 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md @@ -2,14 +2,14 @@ title: How to apply the user configuration file by using Windows PowerShell (Windows 10/11) description: How to apply the user configuration file by using Windows PowerShell (Windows 10/11). author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/15/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to apply the user configuration file by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index c8a8e980b5..415ade7895 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -2,14 +2,14 @@ title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 42e883d6c6..4b2246bee4 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -2,14 +2,14 @@ title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer). author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index f73f89ee26..d56ea57fc8 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md @@ -2,14 +2,14 @@ title: Auto-remove unpublished packages on App-V client (Windows 10/11) description: How to automatically clean up any unpublished packages on your App-V client devices. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/15/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Automatically clean up unpublished packages on the App-V client diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index 0f09ca265b..50e6dd4a87 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -2,14 +2,14 @@ title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index e869fd86fb..32afb3de6b 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -2,14 +2,14 @@ title: Available Mobile Device Management (MDM) settings for App-V (Windows 10/11) description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/15/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Available Mobile Device Management (MDM) settings for App-V diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 2b7edc6c54..5d052067c5 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -2,14 +2,14 @@ title: App-V Capacity Planning (Windows 10/11) description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # App-V Capacity Planning diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index d87457a13f..c7b029ac7a 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -2,14 +2,14 @@ title: About Client Configuration Settings (Windows 10/11) description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # About Client Configuration Settings diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md index ab350e2a83..23f43e8cb3 100644 --- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md @@ -2,14 +2,14 @@ title: How to configure access to packages by using the Management Console (Windows 10/11) description: How to configure access to packages by using the App-V Management Console. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to configure access to packages by using the Management Console diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index 9e7f90b5a1..9524c2d447 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md @@ -2,14 +2,14 @@ title: How to make a connection group ignore the package version (Windows 10/11) description: Learn how to make a connection group ignore the package version with the App-V Server Management Console. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to make a connection group ignore the package version diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md index 687c339a07..c8e45c8af1 100644 --- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md +++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md @@ -2,14 +2,14 @@ title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10/11) description: How to configure the client to receive package and connection groups updates from the publishing server. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/25/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to configure the client to receive package and connection groups updates from the publishing server diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index 95ec5914c4..50ed9fd433 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -2,14 +2,14 @@ title: How to connect to the Management Console (Windows 10/11) description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/25/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to connect to the Management Console diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md index df85debbf2..bfad2cc36f 100644 --- a/windows/application-management/app-v/appv-connection-group-file.md +++ b/windows/application-management/app-v/appv-connection-group-file.md @@ -2,14 +2,14 @@ title: About the connection group file (Windows 10/11) description: A summary of what the connection group file is and how to configure it. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/25/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # About the connection group file diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index 26f5a073a8..d84704a33f 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -2,14 +2,14 @@ title: About the connection group virtual environment (Windows 10/11) description: Learn how the connection group virtual environment works and how package priority is determined. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 06/25/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # About the connection group virtual environment diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 3a2f20cbb5..e12fd39cb0 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -2,14 +2,14 @@ title: How to convert a package created in a previous version of App-V (Windows 10/11) description: Use the package converter utility to convert a virtual application package created in a previous version of App-V. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 07/10/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to convert a package created in a previous version of App-V diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 09a658895f..e602397d30 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -2,14 +2,14 @@ title: How to create a connection croup with user-published and globally published packages (Windows 10/11) description: How to create a connection croup with user-published and globally published packages. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 07/10/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to create a connection croup with user-published and globally published packages diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 18a61bee6e..a78ae6f6cd 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -2,14 +2,14 @@ title: How to create a connection group (Windows 10/11) description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 07/10/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to create a connection group diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 0dd4402170..ead8b2f662 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -2,14 +2,14 @@ title: How to create a custom configuration file by using the App-V Management Console (Windows 10/11) description: How to create a custom configuration file by using the App-V Management Console. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 07/10/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to create a custom configuration file by using the App-V Management Console diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 30cddc907d..cbe79ac2df 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -2,14 +2,14 @@ title: How to create a package accelerator by using Windows PowerShell (Windows 10/11) description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 07/10/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to create a package accelerator by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index 93333681f5..e1500e3807 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -2,14 +2,14 @@ title: How to create a package accelerator (Windows 10/11) description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 07/10/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to create a package accelerator diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index 162c56efbc..2ee8100f3e 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -2,14 +2,14 @@ title: How to create a virtual application package using an App-V Package Accelerator (Windows 10/11) description: How to create a virtual application package using an App-V Package Accelerator. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 07/10/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to create a virtual application package using an App-V Package Accelerator diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 9420f67b5f..a37682809c 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -2,14 +2,14 @@ title: Create and apply an App-V project template to a sequenced App-V package (Windows 10/11) description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 07/10/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Create and apply an App-V project template to a sequenced App-V package diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 4616ec336f..ef0e7deee1 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -2,14 +2,14 @@ title: Creating and managing App-V virtualized applications (Windows 10/11) description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Creating and managing App-V virtualized applications diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index 117cbd91bd..bbb9594d7c 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -2,14 +2,14 @@ title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10/11) description: How to customize virtual application extensions for a specific AD group by using the Management Console. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 07/10/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to customize virtual applications extensions for a specific AD group by using the Management Console diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index 55dc6b0ec7..88af78ee9f 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -2,14 +2,14 @@ title: How to delete a connection group (Windows 10/11) description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to delete a connection group diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 1917d768e9..2bd65704c0 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -2,14 +2,14 @@ title: How to delete a package in the Management Console (Windows 10/11) description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to delete a package in the Management Console diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index 3fac560518..af21f7aff4 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -2,14 +2,14 @@ title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10/11) description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to deploy the App-V databases by using SQL scripts diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index cbaf3e7123..a085662790 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -2,14 +2,14 @@ title: How to deploy App-V packages using electronic software distribution (Windows 10/11) description: Learn how to use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to deploy App-V packages using electronic software distribution diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index 19e48512a0..d0e531b234 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -2,14 +2,14 @@ title: How to Deploy the App-V Server Using a Script (Windows 10/11) description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.' author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to deploy the App-V server using a script diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index 4a9f49f03b..ccd4d5e8c2 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -2,14 +2,14 @@ title: How to Deploy the App-V Server (Windows 10/11) description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Deploy the App-V Server (new installation) diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index d1d23d6d74..57ec089771 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -2,14 +2,14 @@ title: Deploying App-V (Windows 10/11) description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Deploying App-V for Windows client diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index 02924fde4f..e68c95f230 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -2,14 +2,14 @@ title: Deploying Microsoft Office 2010 by Using App-V description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Deploying Microsoft Office 2010 by Using App-V diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 0cb31fa36f..8b8c6ca547 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -2,14 +2,14 @@ title: Deploying Microsoft Office 2013 by Using App-V (Windows 10/11) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Deploying Microsoft Office 2013 by Using App-V diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index ee4cbe5751..e76a52b47d 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -2,14 +2,14 @@ title: Deploying Microsoft Office 2016 by using App-V (Windows 10/11) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Deploying Microsoft Office 2016 by using App-V diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 20e131feb1..f9ba5b9a57 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -2,14 +2,14 @@ title: Deploying App-V packages by using electronic software distribution (ESD) description: Deploying App-V packages by using electronic software distribution (ESD) author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Deploying App-V packages by using electronic software distribution (ESD) diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index e2fd60d1e8..d9f2150218 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -2,14 +2,14 @@ title: Deploying the App-V Sequencer and configuring the client (Windows 10/11) description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Deploying the App-V Sequencer and configuring the client diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 2b08876aed..35e22a1400 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -2,14 +2,14 @@ title: Deploying the App-V Server (Windows 10/11) description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11 by using different deployment configurations described in this article. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Deploying the App-V server diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index fd90b055be..0b06042ae1 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -2,14 +2,14 @@ title: App-V Deployment Checklist (Windows 10/11) description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # App-V Deployment Checklist diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 03ba41c6d2..d6073f10c0 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -2,14 +2,14 @@ title: About App-V Dynamic Configuration (Windows 10/11) description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # About App-V dynamic configuration diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 9c19cab0aa..39c355141c 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -2,8 +2,8 @@ title: How to enable only administrators to publish packages by using an ESD description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). author: aczechowski -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.date: 05/02/2022 ms.reviewer: manager: aaroncz diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index cc71b17cb7..757e57fbf2 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -2,14 +2,14 @@ title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10/11) description: How to Enable Reporting on the App-V Client by Using Windows PowerShell author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Enable Reporting on the App-V Client by Using Windows PowerShell diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index 5b65a93ac1..7622c5c8dd 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -2,14 +2,14 @@ title: Enable the App-V in-box client (Windows 10/11) description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10/11. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Enable the App-V in-box client diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 6874ebc260..78f237a692 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -2,13 +2,13 @@ title: Evaluating App-V (Windows 10/11) description: Learn how to evaluate App-V for Windows 10/11 in a lab environment before deploying into a production environment. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Evaluating App-V diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index ecb4183907..b2ded1f268 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -2,14 +2,14 @@ title: Application Virtualization (App-V) (Windows 10/11) description: See various articles that can help you administer Application Virtualization (App-V) and its components. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Application Virtualization (App-V) for Windows client overview diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index f851ca2a85..aab10ec1a4 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -2,14 +2,14 @@ title: Getting Started with App-V (Windows 10/11) description: Get started with Microsoft Application Virtualization (App-V) for Windows 10/11. App-V for Windows client devices delivers Win32 applications to users as virtual applications. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Getting started with App-V for Windows client diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 437b20eeb1..1757dca790 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -2,14 +2,14 @@ title: High-level architecture for App-V (Windows 10/11) description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # High-level architecture for App-V diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index acc244a595..4f706ec7eb 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -2,13 +2,13 @@ title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11) description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index ae2e2b56c3..ba5480496d 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -2,14 +2,14 @@ title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11) description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 5b258437f3..a9263f3cba 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -2,14 +2,14 @@ title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11) description: How to install the Management Server on a Standalone Computer and Connect it to the Database author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to install the Management Server on a Standalone Computer and Connect it to the Database diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index 7457b54f82..b25c54796c 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -2,14 +2,14 @@ title: Install the Publishing Server on a Remote Computer (Windows 10/11) description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to install the publishing server on a remote computer diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index f5335dd5f0..39075f56f3 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -2,14 +2,14 @@ title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11) description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to install the reporting server on a standalone computer and connect it to the database diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 2fdd2ec28d..2f756b549e 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -2,14 +2,14 @@ title: Install the App-V Sequencer (Windows 10/11) description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Install the App-V Sequencer diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index 2170f1e25b..9ce856129d 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -2,14 +2,14 @@ title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11) description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to load the Windows PowerShell cmdlets for App-V and get cmdlet help diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index fb3a0ccc4e..0b04a038f5 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -2,14 +2,14 @@ title: Maintaining App-V (Windows 10/11) description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Maintaining App-V diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index e125255c83..55a855d2eb 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -5,14 +5,14 @@ author: aczechowski ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library -ms.prod: windows-client +ms.service: windows-client ms.date: 09/24/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to manage App-V packages running on a stand-alone computer by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index c870425b03..1a6a1de125 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -2,13 +2,13 @@ title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11) description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index d65f100109..e985d4a918 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -2,13 +2,13 @@ title: Managing Connection Groups (Windows 10/11) description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Managing Connection Groups diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index b5ca6b5e48..c42f3ed0f6 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -2,13 +2,13 @@ title: Migrating to App-V from a Previous Version (Windows 10/11) description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Migrating to App-V from previous versions diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index db81d9833c..b9d7da75f0 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -2,13 +2,13 @@ title: How to Modify an Existing Virtual Application Package (Windows 10/11) description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Modify an Existing Virtual Application Package diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index 6e0950dbf8..24187f7a7d 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -2,13 +2,13 @@ title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11) description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Modify Client Configuration by Using Windows PowerShell diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index 4b844f29a5..9aa55c680d 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -2,13 +2,13 @@ title: How to Move the App-V Server to Another Computer (Windows 10/11) description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to move the App-V server to another computer diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index 7b2ef74380..8af6d33a4d 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -2,14 +2,14 @@ title: Operations for App-V (Windows 10/11) description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Operations for App-V diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index cb7e615a02..d05eec841b 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -2,13 +2,13 @@ title: Performance Guidance for Application Virtualization description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Performance Guidance for Application Virtualization diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index c391399dd5..76f89eae1f 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -2,14 +2,14 @@ title: App-V Planning Checklist (Windows 10/11) description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # App-V Planning Checklist diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 04e30a407c..1045a49e6e 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -2,14 +2,14 @@ title: Planning to Use Folder Redirection with App-V (Windows 10/11) description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Planning to Use Folder Redirection with App-V diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index 6d1dfd402c..9d934729e0 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -2,14 +2,14 @@ title: Planning for the App-V Server Deployment (Windows 10/11) description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Planning for the App-V server deployment diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index e0bf768b4b..e4fcf0c5ad 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -2,14 +2,14 @@ title: Planning for App-V (Windows 10/11) description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Planning for App-V diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 3f800f36de..cb1db35d6e 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -2,14 +2,14 @@ title: Planning for High Availability with App-V Server description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Planning for high availability with App-V Server diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index 61f49df9b6..2ba0a00feb 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -2,14 +2,14 @@ title: Planning for the App-V Sequencer and Client Deployment (Windows 10/11) description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Planning for the App-V Sequencer and Client Deployment diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 02914cd55b..6bdba43ddf 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -2,14 +2,14 @@ title: Planning for Deploying App-V with Office (Windows 10/11) description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V). author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Planning for deploying App-V with Office diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index 478b1f8523..0649249186 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -2,14 +2,14 @@ title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10/11) description: Planning to Deploy App-V with an Electronic Software Distribution System author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Planning to Deploy App-V with an electronic software distribution system diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index 5cfdf7b332..64468df388 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -2,14 +2,14 @@ title: Planning to Deploy App-V (Windows 10/11) description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Planning to Deploy App-V for Windows client diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md index 95fad14736..3268e9610e 100644 --- a/windows/application-management/app-v/appv-preparing-your-environment.md +++ b/windows/application-management/app-v/appv-preparing-your-environment.md @@ -1,7 +1,7 @@ --- title: Preparing Your Environment for App-V (Windows 10/11) description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V). -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: author: aczechowski @@ -9,7 +9,7 @@ manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Preparing your environment for App-V diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index 9df6ba5e4c..38af8e2364 100644 --- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -2,14 +2,14 @@ title: App-V Prerequisites (Windows 10/11) description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V). author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/18/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # App-V for Windows client prerequisites diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index 2a86b56aff..de2ecd3c81 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -2,14 +2,14 @@ title: How to Publish a Connection Group (Windows 10/11) description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Publish a Connection Group diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index 8d1b3b7041..0d5526bb14 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md @@ -2,14 +2,14 @@ title: How to publish a package by using the Management console (Windows 10/11) description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 09/27/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to publish a package by using the Management console diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md index 2c82592252..0af2304c46 100644 --- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md +++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md @@ -2,13 +2,13 @@ title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10/11) description: How to Register and Unregister a Publishing Server by Using the Management Console author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Register and Unregister a Publishing Server by Using the Management Console diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index f2df77ee92..68b2efeb3a 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md @@ -2,13 +2,13 @@ title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11) description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Release Notes for App-V for Windows 10 version 1703 and later diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index 00fd89be8c..e9f6d97139 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -2,13 +2,13 @@ title: Release Notes for App-V for Windows 10, version 1607 (Windows 10) description: A list of known issues and workarounds for App-V running on Windows 10, version 1607. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Release Notes for App-V for Windows 10, version 1607 diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index 0108207c9e..2e05013ad9 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -2,14 +2,14 @@ title: About App-V Reporting (Windows 10/11) description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/16/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # About App-V reporting diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index ce0c73c061..f37849f3a0 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -2,13 +2,13 @@ title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11) description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 03/08/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 5c13af93a6..77bc48c66f 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -2,14 +2,14 @@ title: App-V Security Considerations (Windows 10/11) description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/16/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # App-V security considerations diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index a19c89cc1c..1af6a22f42 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -2,14 +2,14 @@ title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11) description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/16/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 1b289057fe..9754332e13 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -2,13 +2,13 @@ title: How to sequence a package by using Windows PowerShell (Windows 10/11) description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Sequence a Package by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 059ef24c65..f96111505d 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -2,14 +2,14 @@ title: App-V Supported Configurations (Windows 10/11) description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/16/2018 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.topic: article -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # App-V Supported Configurations diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index 5feee6e5a9..ec23d191b4 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -2,13 +2,13 @@ title: Technical Reference for App-V (Windows 10/11) description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V). author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Technical Reference for App-V diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 6ad489e6d0..1a4d09cc2f 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -2,13 +2,13 @@ title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11) description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index 8e916937ed..020e46ea24 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -2,13 +2,13 @@ title: Troubleshooting App-V (Windows 10/11) description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V articles. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Troubleshooting App-V diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index d9769d9ac3..48842df8a4 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -2,13 +2,13 @@ title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11) description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Upgrading to App-V for Windows client from an existing installation diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index 3cdd99110d..84af8ed135 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -2,13 +2,13 @@ title: Using the App-V Client Management Console (Windows 10/11) description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Using the App-V Client Management Console diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index 92b64eb2ec..82665691aa 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md @@ -2,13 +2,13 @@ title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11) description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index ed8de7183d..c2d47380bf 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -2,13 +2,13 @@ title: Viewing App-V Server Publishing Metadata (Windows 10/11) description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues. author: aczechowski -ms.prod: windows-client +ms.service: windows-client ms.date: 04/19/2017 ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep -ms.technology: itpro-apps +ms.subservice: itpro-apps --- # Viewing App-V Server Publishing Metadata diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 93921e2c5b..f9544bebe7 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -40,7 +40,8 @@ "tier2" ], "uhfHeaderId": "MSDocsHeader-Windows", - "ms.technology": "itpro-apps", + "ms.service": "windows-client", + "ms.subservice": "itpro-apps", "ms.topic": "article", "feedback_system": "Standard", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 1ed95c362a..2a00963aef 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -6,8 +6,8 @@ ms.author: aaroncz manager: aaroncz ms.date: 10/03/2017 ms.topic: article -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.localizationpriority: medium ms.collection: tier2 ms.reviewer: diff --git a/windows/application-management/images/insider.png b/windows/application-management/images/insider.png new file mode 100644 index 0000000000..dbe00408cb Binary files /dev/null and b/windows/application-management/images/insider.png differ diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md index f9844e71b1..932390fc2d 100644 --- a/windows/application-management/includes/app-v-end-life-statement.md +++ b/windows/application-management/includes/app-v-end-life-statement.md @@ -4,9 +4,7 @@ ms.author: aaroncz manager: aaroncz ms.date: 09/20/2021 ms.topic: include -ms.prod: w10 -ms.collection: tier1 -ms.reviewer: +ms.service: windows-client --- Application Virtualization will be [end of life in April 2026](/lifecycle/announcements/mdop-extended). We recommend looking at Azure Virtual Desktop with MSIX app attach. For more information, see [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) and [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal). diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md index 35084641c6..f4b2934ded 100644 --- a/windows/application-management/includes/applies-to-windows-client-versions.md +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -5,8 +5,8 @@ manager: aaroncz ms.date: 09/28/2021 manager: aaroncz ms.topic: include -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.localizationpriortiy: medium ms.collection: tier1 ms.reviewer: diff --git a/windows/application-management/includes/insider-note.md b/windows/application-management/includes/insider-note.md new file mode 100644 index 0000000000..a1160f8047 --- /dev/null +++ b/windows/application-management/includes/insider-note.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.topic: include +ms.date: 01/11/2024 +--- + +:::row::: +:::column span="1"::: +:::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false"::: +:::column-end::: +:::column span="3"::: +> [!IMPORTANT] +>This article describes features or settings that are under development and only applicable to [Windows Insider Preview builds](/windows-insider/). The content is subject to change and may have dependencies on other features or services in preview. +:::column-end::: +:::row-end::: diff --git a/windows/application-management/overview-windows-apps.md b/windows/application-management/overview-windows-apps.md index 1c54d148ce..ab58f88f99 100644 --- a/windows/application-management/overview-windows-apps.md +++ b/windows/application-management/overview-windows-apps.md @@ -6,8 +6,8 @@ ms.author: aaroncz manager: aaroncz ms.date: 08/28/2023 ms.topic: overview -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.localizationpriority: medium ms.collection: tier2 appliesto: diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 2ea7628c2f..9e6cefb8ae 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -6,8 +6,8 @@ ms.author: aaroncz manager: aaroncz ms.date: 12/22/2023 ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.localizationpriority: medium ms.collection: tier2 appliesto: diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index cb4377d22d..90281afcd3 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -6,8 +6,8 @@ ms.author: aaroncz manager: aaroncz ms.date: 04/04/2023 ms.topic: article -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.localizationpriority: medium ms.collection: tier2 ms.reviewer: amanh diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 23b08e028e..84cf6dc297 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -6,8 +6,8 @@ ms.author: aaroncz manager: aaroncz ms.date: 05/25/2018 ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.localizationpriority: medium ms.collection: tier1 appliesto: diff --git a/windows/application-management/sideload-apps-in-windows.md b/windows/application-management/sideload-apps-in-windows.md index f962fed76e..3779938afc 100644 --- a/windows/application-management/sideload-apps-in-windows.md +++ b/windows/application-management/sideload-apps-in-windows.md @@ -6,8 +6,8 @@ ms.author: aaroncz manager: aaroncz ms.date: 12/22/2023 ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.localizationpriority: medium ms.collection: tier2 appliesto: diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 7bc1bcf117..5d7b3a998c 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -6,8 +6,8 @@ ms.author: aaroncz manager: aaroncz ms.date: 07/20/2017 ms.topic: concept-article -ms.prod: windows-client -ms.technology: itpro-apps +ms.service: windows-client +ms.subservice: itpro-apps ms.localizationpriority: medium ms.colletion: tier2 appliesto: diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index efb65c5991..27c5fb235c 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -1,7 +1,7 @@ --- title: Microsoft Entra integration with MDM description: Microsoft Entra ID is the world's largest enterprise cloud identity management service. -ms.topic: article +ms.topic: conceptual ms.collection: - highpri - tier2 diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index e1c894e2c5..ab7c3e0a1c 100644 --- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -1,7 +1,7 @@ --- title: Automatic MDM enrollment in the Intune admin center description: Automatic MDM enrollment in the Intune admin center -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md index 522b5d05b6..d9938c6409 100644 --- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md @@ -1,7 +1,7 @@ --- title: Bulk enrollment description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md index c1ab833e1c..e53a80cc55 100644 --- a/windows/client-management/certificate-authentication-device-enrollment.md +++ b/windows/client-management/certificate-authentication-device-enrollment.md @@ -1,7 +1,7 @@ --- title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index 233a34e3dc..573cbe71b2 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md @@ -1,7 +1,7 @@ --- title: Certificate Renewal description: Learn how to find all the resources that you need to provide continuous access to client certificates. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md index 7c30da23de..1e319e16a4 100644 --- a/windows/client-management/client-tools/administrative-tools-in-windows.md +++ b/windows/client-management/client-tools/administrative-tools-in-windows.md @@ -3,10 +3,11 @@ title: Windows Tools/Administrative Tools description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users. ms.localizationpriority: medium ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual ms.collection: - highpri - tier2 +- essentials-manage --- # Windows Tools/Administrative Tools diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md index 1bcd9ff753..685f872e8a 100644 --- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md @@ -2,7 +2,7 @@ title: Windows default media removal policy description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal. ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual ms.localizationpriority: medium --- diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md index 2e3e741284..b47fad81ee 100644 --- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md +++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md @@ -3,7 +3,7 @@ title: Connect to remote Microsoft Entra joined device description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device. ms.localizationpriority: medium ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual ms.collection: - highpri - tier2 diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md index 8efcf24c66..0aaf41776d 100644 --- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md +++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md @@ -2,7 +2,7 @@ title: Manage Device Installation with Group Policy description: Find out how to manage Device Installation Restrictions with Group Policy. ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual --- # Manage Device Installation with Group Policy diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md index afc00a6203..bf19bb6ad7 100644 --- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md +++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md @@ -2,7 +2,7 @@ title: Manage the Settings app with Group Policy description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual --- # Manage the Settings app with Group Policy diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md index 5c867f498d..78e358f1fd 100644 --- a/windows/client-management/client-tools/mandatory-user-profile.md +++ b/windows/client-management/client-tools/mandatory-user-profile.md @@ -2,7 +2,7 @@ title: Create mandatory user profiles description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual ms.collection: - highpri - tier2 diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md index 58eceea5e1..f902b92204 100644 --- a/windows/client-management/client-tools/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -2,7 +2,7 @@ title: Use Quick Assist to help users description: Learn how IT Pros can use Quick Assist to help users. ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual ms.localizationpriority: medium ms.collection: - highpri diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md index 43666505af..3486649f20 100644 --- a/windows/client-management/client-tools/windows-libraries.md +++ b/windows/client-management/client-tools/windows-libraries.md @@ -1,7 +1,7 @@ --- title: Windows Libraries description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md index a9ff816f27..2bb838cf72 100644 --- a/windows/client-management/client-tools/windows-version-search.md +++ b/windows/client-management/client-tools/windows-version-search.md @@ -2,7 +2,7 @@ title: What version of Windows am I running? description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual --- # What version of Windows am I running? diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index 443c29c949..30b905a41d 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md @@ -1,7 +1,7 @@ --- title: Secured-core configuration lock description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 appliesto: - ✅ Windows 11 diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index e6c914668a..c298893a3a 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md @@ -1,7 +1,7 @@ --- title: Mobile device management MDM for device updates description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 ms.collection: - highpri diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md index 00e2645545..612dd07651 100644 --- a/windows/client-management/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md @@ -1,7 +1,7 @@ --- title: Disconnecting from the management infrastructure (unenrollment) description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index aea6640ea0..d099e4731e 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -41,10 +41,10 @@ "zone_pivot_group_filename": "resources/zone-pivot-groups.json", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-Windows", - "ms.technology": "itpro-manage", "audience": "ITPro", - "ms.prod": "windows-client", - "ms.topic": "article", + "ms.service": "windows-client", + "ms.subservice": "itpro-manage", + "ms.topic": "conceptual", "ms.author": "vinpa", "author": "vinaypamnani-msft", "manager": "aaroncz", @@ -85,6 +85,9 @@ "✅ Windows 11", "✅ Windows 10" ] + }, + "ms.topic": { + "mdm/*.md": "reference" } }, "template": [], diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index bd41f63d4d..00618845b9 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md @@ -1,7 +1,7 @@ --- title: Enable ADMX policies in MDM description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). -ms.topic: article +ms.topic: conceptual ms.localizationpriority: medium ms.date: 08/10/2023 --- diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 853f60c4dd..f9ccd5cc0a 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -1,7 +1,7 @@ --- title: Enroll a Windows device automatically using Group Policy description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 ms.collection: - highpri diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md index 976b340e5a..b6e975a1c8 100644 --- a/windows/client-management/enterprise-app-management.md +++ b/windows/client-management/enterprise-app-management.md @@ -1,7 +1,7 @@ --- title: Enterprise app management description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md index a96b2ed7e3..ecb42e8160 100644 --- a/windows/client-management/federated-authentication-device-enrollment.md +++ b/windows/client-management/federated-authentication-device-enrollment.md @@ -1,7 +1,7 @@ --- title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/images/insider.png b/windows/client-management/images/insider.png new file mode 100644 index 0000000000..dbe00408cb Binary files /dev/null and b/windows/client-management/images/insider.png differ diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index ae35a82630..e9c0ab5ecc 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md +++ b/windows/client-management/implement-server-side-mobile-application-management.md @@ -1,7 +1,7 @@ --- title: Support for Windows Information Protection (WIP) on Windows description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/includes/insider-note.md b/windows/client-management/includes/insider-note.md new file mode 100644 index 0000000000..a1160f8047 --- /dev/null +++ b/windows/client-management/includes/insider-note.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.topic: include +ms.date: 01/11/2024 +--- + +:::row::: +:::column span="1"::: +:::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false"::: +:::column-end::: +:::column span="3"::: +> [!IMPORTANT] +>This article describes features or settings that are under development and only applicable to [Windows Insider Preview builds](/windows-insider/). The content is subject to change and may have dependencies on other features or services in preview. +:::column-end::: +:::row-end::: diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 40f4cb654f..860eb04bfe 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -7,15 +7,13 @@ metadata: title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars. ms.topic: landing-page - ms.prod: windows-client - ms.technology: itpro-manage ms.collection: - highpri - tier1 author: vinaypamnani-msft ms.author: vinpa manager: aaroncz - ms.date: 09/26/2023 + ms.date: 01/18/2024 localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 7129573f55..cc6af7d11f 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -3,7 +3,7 @@ title: Manage Windows devices in your organization - transitioning to modern man description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. ms.localizationpriority: medium ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual --- # Manage Windows devices in your organization - transitioning to modern management diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 1b811341cb..fbd255ba26 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -2,19 +2,20 @@ title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: conceptual -ms.technology: itpro-windows-copilot -ms.date: 11/06/2023 +ms.subservice: windows-copilot +ms.date: 01/22/2024 ms.author: mstewart -author: mestew +author: mestew appliesto: - ✅ Windows 11, version 22H2 or later --- # Manage Copilot in Windows + >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it is possible for users to copy and paste sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop and is designed to help users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/copilot/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it's possible for users to copy and paste sensitive information into the chat. > [!Note] > - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. @@ -39,62 +40,63 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Chat provider platforms for Copilot in Windows -Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. +Copilot in Windows can use either Microsoft Copilot or Copilot with commercial data protection as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections. -**Bing Chat**: +### Copilot -[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: - - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. +Copilot is a consumer experience and has a daily limit on the number of chat queries per user when not signed in with a Microsoft account. It doesn't offer the same data protection as Copilot with commercial data protection. + +- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) +- The privacy statement for using Copilot follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. -**Bing Chat Enterprise**: +### Copilot with commercial data protection -[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: +[Copilot with commercial data protection](/copilot/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Copilot with commercial data protection: -- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). -- Bing Chat Enterprise is available, at no additional cost, for the following licenses: +- User and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing app for iOS or Android aren't currently supported. Copilot with commercial data protection is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Copilot with commercial data protection [privacy statement](/copilot/privacy-and-protections). +- Copilot with commercial data protection is available, at no additional cost, for the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - Microsoft 365 Business Standard - Microsoft 365 Business Premium > [!Note] - > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. + > Copilot doesn't have access to Microsoft 365 Apps data, such as email, calendar, or files using Microsoft Graph, unlike [Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. ## Configure the chat provider platform that Copilot in Windows uses -Configuring the correct chat provider platform for Copilot in Windows is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. +Configuring the correct chat provider platform for Copilot in Windows is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections. Once you select the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. -### Bing Chat as the chat provider platform +### Microsoft Copilot as the chat provider platform -Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: +Copilot is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: -- Bing Chat Enterprise isn't configured for the user -- The user isn't assigned a license that includes Bing Chat Enterprise -- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) -- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise +- Commercial data protection isn't configured for the user. +- Commercial data protection is [turned off](/copilot/manage). +- The user isn't assigned a license that includes Copilot with commercial data protection. +- The user isn't signed in with a Microsoft Entra account that's licensed for Copilot with commercial data protection. -### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments) +### Copilot with commercial data protection as the chat provider platform (recommended for commercial environments) -To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions: +To verify that Copilot with commercial data protection is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions: 1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). -1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: +1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes **Copilot**. Copilot with commercial data protection is included and enabled by default for users that are assigned one of the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). + - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Copilot](/copilot/manage). - Microsoft 365 Business Standard - Microsoft 365 Business Premium -1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. +1. To verify that commercial data protection is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. -1. Verify that **Bing Chat Enterprise** is enabled for the user. -1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**. +1. Verify that **Copilot** is enabled for the user. +1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you'll find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes **Copilot**, and verify that it's listed as **On**. > [!Note] - > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. + > If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise) using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Copilot](/copilot/manage) for verifying that commercial data protection is enabled for your users. -The following sample PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: +The following sample PowerShell script connects to Microsoft Graph and lists which users that have Copilot with commercial data protection enabled and disabled: ```powershell # Install Microsoft Graph module @@ -108,20 +110,20 @@ Connect-MgGraph -Scopes 'User.Read.All' # Get all users $users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans -# Users with Bing Chat Enterprise enabled +# Users with Copilot with commercial data protection enabled $users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table -# Users without Bing Chat Enterprise enabled +# Users without Copilot with commercial data protection enabled $users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table ``` -When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: +When Copilot with commercial data protection is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed in this scenario: -:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: +:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Copilot with commercial data protection is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: ## Ensure the Copilot in Windows user experience is enabled -Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version. +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version. ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients @@ -130,7 +132,7 @@ Copilot in Windows isn't technically enabled by default for managed Windows 11, To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: 1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. -1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: +1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) @@ -142,7 +144,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - + The optional updates policy applies to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: - Automatically receive optional updates (including CFRs) - This selection places devices into an early CFR phase @@ -152,9 +154,9 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n ### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients -Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. +Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows is removed. This means that Copilot in Windows is enabled by default for these devices. -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort is made to ensure that Copilot with commercial data protection is the default chat provider for commercial organizations, it's still possible that Copilot might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) - [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) @@ -165,25 +167,26 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: +Copilot in Windows and [Copilot in Edge](/copilot/edge), can share the same underlying chat provider platform. This also means that some settings that affect Copilot, Copilot with commercial data protection, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: ### Bing settings -- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: - - mapping `www.bing.com` to `strict.bing.com` - - mapping `edgeservices.bing.com` to `strict.bing.com` - - blocking `bing.com` +- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Edge: -- If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it: + - Mapping `www.bing.com` to `strict.bing.com` + - Mapping `edgeservices.bing.com` to `strict.bing.com` + - Blocking `bing.com` - |Key |Value | - |:---------|:------------| - |com.microsoft.intune.mam.managedbrowser.Chat| **true** (default) shows the interface
**false** hides the interface | +- If Copilot with commercial data protection is turned on for your organization, users can access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it: + + | Key | Value | + |:---------------------------------------------|:---------------------------------------------------------------------------| + | com.microsoft.intune.mam.managedbrowser.Chat | **true** (default) shows the interface
**false** hides the interface | ### Microsoft Edge policies - If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed. -- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. +- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Copilot from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. ### Search settings diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md index 5756913331..bc39a4ceb7 100644 --- a/windows/client-management/mdm-collect-logs.md +++ b/windows/client-management/mdm-collect-logs.md @@ -1,7 +1,7 @@ --- title: Collect MDM logs description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 ms.collection: - highpri diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md index c3dd757bb5..1d2c92bd1f 100644 --- a/windows/client-management/mdm-diagnose-enrollment.md +++ b/windows/client-management/mdm-diagnose-enrollment.md @@ -1,7 +1,7 @@ --- title: Diagnose MDM enrollment failures description: Learn how to diagnose enrollment failures for Windows devices -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index ef09eea68f..c3140fd86d 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -1,7 +1,7 @@ --- title: MDM enrollment of Windows devices description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources. -ms.topic: article +ms.topic: conceptual ms.collection: - highpri - tier2 diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md index 3b715665e0..10bd7ebaa1 100644 --- a/windows/client-management/mdm-known-issues.md +++ b/windows/client-management/mdm-known-issues.md @@ -1,7 +1,7 @@ --- title: Known issues in MDM description: Learn about known issues for Windows devices in MDM -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 4777c1d28c..7b31fe006a 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md @@ -2,7 +2,7 @@ title: Mobile Device Management overview description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy. ms.date: 08/10/2023 -ms.topic: article +ms.topic: conceptual ms.localizationpriority: medium ms.collection: - highpri diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 25ff8939c4..f4e01b842c 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,14 +1,7 @@ --- title: LanguagePackManagement CSP description: Learn more about the LanguagePackManagement CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 4fdc019a91..55180da611 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -1,14 +1,7 @@ --- title: AccountManagement CSP description: Learn more about the AccountManagement CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/29/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md index 7589b07ab4..06093b49ae 100644 --- a/windows/client-management/mdm/accountmanagement-ddf.md +++ b/windows/client-management/mdm/accountmanagement-ddf.md @@ -1,14 +1,7 @@ --- title: AccountManagement DDF file description: View the XML file containing the device description framework (DDF) for the AccountManagement configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/29/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 86ff222dcc..e32ee78e33 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -1,14 +1,7 @@ --- title: Accounts CSP description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 03/27/2020 -ms.reviewer: -manager: aaroncz --- # Accounts CSP diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index 330218b819..9fb71bd404 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -1,14 +1,7 @@ --- title: Accounts DDF file description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 04/17/2018 -ms.reviewer: -manager: aaroncz --- # Accounts DDF file diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 842d9225c2..8d862c057a 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -1,14 +1,7 @@ --- title: ActiveSync CSP description: Learn more about the ActiveSync CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index c187d411e2..b32ae659db 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -1,14 +1,7 @@ --- title: ActiveSync DDF file description: View the XML file containing the device description framework (DDF) for the ActiveSync configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index c87f85294d..a7df16f516 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -1,13 +1,6 @@ --- title: AllJoynManagement CSP description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index 32030275e8..a3ef6dc003 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -1,13 +1,6 @@ --- title: AllJoynManagement DDF description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index c53a080791..b20e289a43 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -1,13 +1,6 @@ --- title: APPLICATION CSP description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 6bb9fd8585..38de53b868 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md @@ -1,14 +1,7 @@ --- title: ApplicationControl DDF file description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 9c5875b5a4..76a6d9a68a 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -1,14 +1,7 @@ --- title: ApplicationControl CSP description: Learn more about the ApplicationControl CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index e7b2417319..b7c198fd13 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -1,14 +1,7 @@ --- title: AppLocker CSP description: Learn more about the AppLocker CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index 313a0a7700..11f10bf906 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -1,14 +1,7 @@ --- title: AppLocker DDF file description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 6aea2cc955..85fa624e4a 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -1,14 +1,7 @@ --- title: AssignedAccess CSP description: Learn more about the AssignedAccess CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 30739845c8..4c003123f7 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -1,14 +1,7 @@ --- title: AssignedAccess DDF file description: View the XML file containing the device description framework (DDF) for the AssignedAccess configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index ab201e6028..d9cf189c9a 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1,14 +1,7 @@ --- title: BitLocker CSP description: Learn more about the BitLocker CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index c53badbdcb..ea131ee762 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -1,14 +1,7 @@ --- title: BitLocker DDF file description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 629021dd17..993b08f2bf 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -1,13 +1,6 @@ --- title: CellularSettings CSP description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- @@ -42,8 +35,8 @@ CellularSettings |Value|Setting| |--- |--- | -|0|Don’t roam| -|1|Don’t roam (or Domestic roaming if applicable)| +|0|Don't roam| +|1|Don't roam (or Domestic roaming if applicable)| |2|Roam| ## Related topics diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index cc17da3674..63ccb20661 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -1,14 +1,7 @@ --- title: CertificateStore CSP description: Learn more about the CertificateStore CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index b4b03dd331..795e288f4d 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -1,14 +1,7 @@ --- title: CertificateStore DDF file description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index a1b634ff45..1f90bd010d 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -1,14 +1,7 @@ --- title: CleanPC CSP description: The CleanPC configuration service provider (CSP) allows you to remove user-installed and pre-installed applications, with the option to persist user data. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 -ms.reviewer: -manager: aaroncz --- # CleanPC CSP diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index 1bc37c5325..40c8fdba74 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -1,13 +1,6 @@ --- title: CleanPC DDF description: Learn about the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index a1936f909b..8b4c0ff283 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -1,14 +1,7 @@ --- title: ClientCertificateInstall CSP description: Learn more about the ClientCertificateInstall CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/24/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index d51b9201d5..f0fb439bfa 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -1,14 +1,7 @@ --- title: ClientCertificateInstall DDF file description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/clouddesktop-csp.md b/windows/client-management/mdm/clouddesktop-csp.md index b8a0a69fad..8e70090f67 100644 --- a/windows/client-management/mdm/clouddesktop-csp.md +++ b/windows/client-management/mdm/clouddesktop-csp.md @@ -1,14 +1,7 @@ --- title: CloudDesktop CSP description: Learn more about the CloudDesktop CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/25/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- @@ -47,7 +40,7 @@ The following list shows the CloudDesktop configuration service provider nodes: -This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching. +This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Dedicated Mode (Cloud only): Dedicated mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching. @@ -73,7 +66,7 @@ This node allows to configure different kinds of Boot to Cloud mode. Boot to clo |:--|:--| | 0 (Default) | Not Configured. | | 1 | Enable Boot to Cloud Shared PC Mode. | -| 2 | Enable Boot to Cloud Personal Mode (Cloud only). | +| 2 | Enable Boot to Cloud Dedicated Mode (Cloud only). | @@ -140,10 +133,10 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to ## BootToCloudPCEnhanced technical reference -BootToCloudPCEnhanced is the setting used to configure **Boot to Cloud** feature either for shared mode or personal mode. When you enable this setting, multiple policies are applied to achieve the intended behavior. If you wish to customize the **Boot to Cloud** experience, you can utilize the [BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) policy, which provides the flexibility to tailor the experience according to your requirements. +BootToCloudPCEnhanced is the setting used to configure **Boot to Cloud** feature either for shared mode or dedicated mode. When you enable this setting, multiple policies are applied to achieve the intended behavior. If you wish to customize the **Boot to Cloud** experience, you can utilize the [BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) policy, which provides the flexibility to tailor the experience according to your requirements. > [!NOTE] -> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared and personal mode. +> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared and dedicated mode. ### Boot to Cloud Shared PC Mode @@ -189,6 +182,7 @@ When the Shared PC mode is enabled by setting BootToCloudPCEnhanced value to 1: | Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled | | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled | | System/Logon/Do not process the legacy run list | Enabled | + | Windows Components/Windows Copilot/Turn off Windows Copilot | Enabled | - Following registry changes are performed: @@ -197,9 +191,9 @@ When the Shared PC mode is enabled by setting BootToCloudPCEnhanced value to 1: | Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 | | Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 | -### Boot to Cloud Personal Mode +### Boot to Cloud Dedicated Mode -When the Personal mode is enabled by setting BootToCloudPCEnhanced value to 2: +When the Dedicated mode is enabled by setting BootToCloudPCEnhanced value to 2: - Following MDM policies are applied for the Device scope (all users): @@ -218,6 +212,7 @@ When the Personal mode is enabled by setting BootToCloudPCEnhanced value to 2: | Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled | | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled | | System/Logon/Do not process the legacy run list | Enabled | + | Windows Components/Windows Copilot/Turn off Windows Copilot | Enabled | diff --git a/windows/client-management/mdm/clouddesktop-ddf-file.md b/windows/client-management/mdm/clouddesktop-ddf-file.md index e6d9ecd91e..836c999eeb 100644 --- a/windows/client-management/mdm/clouddesktop-ddf-file.md +++ b/windows/client-management/mdm/clouddesktop-ddf-file.md @@ -1,14 +1,7 @@ --- title: CloudDesktop DDF file description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 1997c7878c..4051454ae5 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -1,13 +1,6 @@ --- title: CM\_CellularEntries CSP description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 08/02/2017 --- diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index caf0856091..af8c1facf4 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -1,13 +1,6 @@ --- title: CMPolicy CSP description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- @@ -33,7 +26,7 @@ Each policy entry identifies one or more applications in combination with a host **Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. -**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. +**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone's default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. The following shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. @@ -88,7 +81,7 @@ Enumerates the connections associated with the policy. Element names begin with **ConnectionID** Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. -For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”. +For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to "GPRS1", the connection name could be "GPRS1@WAP". For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available: @@ -142,7 +135,7 @@ Specifies the type of connection being referenced. The following list describes ## OMA client provisioning examples -Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. +Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection ("GPRSConn1") that is configured with the CM\_CellularEntries configuration service provider. ```xml @@ -189,7 +182,7 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo Adding a host-based mapping policy: -In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. +In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection ("GPRSConn1") that is configured with the CM\_CellularEntries configuration service provider. ```xml diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index 72db3fe0f1..eee6f8d4b1 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -1,13 +1,6 @@ --- title: CMPolicyEnterprise CSP description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- @@ -36,7 +29,7 @@ Each policy entry identifies one or more applications in combination with a host **Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. -**Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. +**Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. The phone's default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. @@ -91,7 +84,7 @@ Enumerates the connections associated with the policy. Element names begin with **ConnectionID** Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. -For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”. +For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to "GPRS1", the connection name could be "GPRS1@WAP". For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available: @@ -146,7 +139,7 @@ Specifies the type of connection being referenced. The following list describes ## OMA client provisioning examples -Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. +Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection ("GPRSConn1") that is configured with the CM\_CellularEntries configuration service provider. ```xml @@ -191,7 +184,7 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo ``` -Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. +Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection ("GPRSConn1") that is configured with the CM\_CellularEntries configuration service provider. ```xml diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 15d65b1bc8..c452430808 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -1,13 +1,6 @@ --- title: CMPolicyEnterprise DDF file description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md index ad995b441b..dbb6d25b17 100644 --- a/windows/client-management/mdm/configuration-service-provider-ddf.md +++ b/windows/client-management/mdm/configuration-service-provider-ddf.md @@ -1,13 +1,6 @@ --- title: Configuration service provider DDF files description: Learn more about the OMA DM device description framework (DDF) for various configuration service providers -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 09/18/2020 ms.collection: - highpri diff --git a/windows/client-management/mdm/configuration-service-provider-support.md b/windows/client-management/mdm/configuration-service-provider-support.md index 84472ed120..161a1ac596 100644 --- a/windows/client-management/mdm/configuration-service-provider-support.md +++ b/windows/client-management/mdm/configuration-service-provider-support.md @@ -1,13 +1,6 @@ --- title: Configuration service provider support description: Learn more about configuration service provider (CSP) supported scenarios. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 09/18/2020 ms.collection: - highpri diff --git a/windows/client-management/mdm/contribute-csp-reference.md b/windows/client-management/mdm/contribute-csp-reference.md index 4f2f637895..b31178f974 100644 --- a/windows/client-management/mdm/contribute-csp-reference.md +++ b/windows/client-management/mdm/contribute-csp-reference.md @@ -1,14 +1,9 @@ --- title: Contributing to CSP reference articles description: Learn more about contributing to the CSP reference articles. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa ms.date: 07/18/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage ms.topic: reference +ms.localizationpriority: medium --- # Contributing to the CSP reference articles diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 7e206209d2..aec5c878b5 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -1,13 +1,6 @@ --- title: CustomDeviceUI CSP description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 78d4037e82..e5b3f90423 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -1,13 +1,6 @@ --- title: CustomDeviceUI DDF description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/declaredconfiguration-csp.md b/windows/client-management/mdm/declaredconfiguration-csp.md index 64297f2f14..5614e38ee4 100644 --- a/windows/client-management/mdm/declaredconfiguration-csp.md +++ b/windows/client-management/mdm/declaredconfiguration-csp.md @@ -1,14 +1,7 @@ --- title: DeclaredConfiguration CSP description: Learn more about the DeclaredConfiguration CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md index 1eb9b29930..22f6c58926 100644 --- a/windows/client-management/mdm/declaredconfiguration-ddf-file.md +++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md @@ -1,14 +1,7 @@ --- title: DeclaredConfiguration DDF file description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index be3cc79720..a8de02da0d 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -1,14 +1,7 @@ --- title: Defender CSP description: Learn more about the Defender CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index e46a86acbd..3b43ffb12a 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -1,14 +1,7 @@ --- title: Defender DDF file description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index de6aaa2a90..43fa16e588 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -1,14 +1,7 @@ --- title: DevDetail CSP description: Learn more about the DevDetail CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 776cc046d4..d51d3417ab 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -1,14 +1,7 @@ --- title: DevDetail DDF file description: View the XML file containing the device description framework (DDF) for the DevDetail configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 55b326e83b..defb0f5945 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -1,13 +1,6 @@ --- title: DeveloperSetup CSP description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the Windows 10, version 1703. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2018 --- diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md index daa6a0b7f9..ed60d67574 100644 --- a/windows/client-management/mdm/developersetup-ddf.md +++ b/windows/client-management/mdm/developersetup-ddf.md @@ -1,13 +1,6 @@ --- title: DeveloperSetup DDF file description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index ab39986c26..652574980b 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -1,13 +1,6 @@ --- title: DeviceLock CSP description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index 03f27aef68..57ffe9c63b 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md @@ -1,13 +1,6 @@ --- title: DeviceLock DDF file description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 38250ba79f..ff94b7f4b8 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -1,14 +1,7 @@ --- title: DeviceManageability CSP description: Learn more about the DeviceManageability CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index 49511db516..e8d4b8243d 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -1,14 +1,7 @@ --- title: DeviceManageability DDF file description: View the XML file containing the device description framework (DDF) for the DeviceManageability configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md index 1998989619..b079b123ed 100644 --- a/windows/client-management/mdm/devicepreparation-csp.md +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -1,14 +1,7 @@ --- title: DevicePreparation CSP description: Learn more about the DevicePreparation CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md index eb4efc4afa..83f0c990f2 100644 --- a/windows/client-management/mdm/devicepreparation-ddf-file.md +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md @@ -1,14 +1,7 @@ --- title: DevicePreparation DDF file description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index f9d45fdc5e..ad6ab08164 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -1,14 +1,7 @@ --- title: DeviceStatus CSP description: Learn more about the DeviceStatus CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 7cdf8548eb..5ddde61818 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -1,14 +1,7 @@ --- title: DeviceStatus DDF file description: View the XML file containing the device description framework (DDF) for the DeviceStatus configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index 1a9e74c3a2..348fd292dc 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -1,14 +1,7 @@ --- title: DevInfo CSP description: Learn more about the DevInfo CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index 05179d6f55..37290dd8ca 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -1,14 +1,7 @@ --- title: DevInfo DDF file description: View the XML file containing the device description framework (DDF) for the DevInfo configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index baa3ca8990..01c937ef35 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -1,14 +1,7 @@ --- title: DiagnosticLog CSP description: Learn more about the DiagnosticLog CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 3a34db6c8a..4b7a116020 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -1,14 +1,7 @@ --- title: DiagnosticLog DDF file description: View the XML file containing the device description framework (DDF) for the DiagnosticLog configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 91624a95d6..ab7d234d40 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -1,14 +1,7 @@ --- title: DMAcc CSP description: Learn more about the DMAcc CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index 7dd6bd406e..f27382fcdb 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -1,14 +1,7 @@ --- title: DMAcc DDF file description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index e1447e368b..f32ff8f609 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -1,14 +1,7 @@ --- title: DMClient CSP description: Learn more about the DMClient CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 58c838fddb..64dd766397 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -1,14 +1,7 @@ --- title: DMClient DDF file description: View the XML file containing the device description framework (DDF) for the DMClient configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index cb1f8535c4..c34c69e898 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -1,14 +1,7 @@ --- title: DMSessionActions CSP description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 -ms.reviewer: -manager: aaroncz --- # DMSessionActions CSP diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md index 3fd2404a22..07079210a8 100644 --- a/windows/client-management/mdm/dmsessionactions-ddf.md +++ b/windows/client-management/mdm/dmsessionactions-ddf.md @@ -1,14 +1,7 @@ --- title: DMSessionActions DDF file description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP). -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 -ms.reviewer: -manager: aaroncz --- # DMSessionActions DDF file diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index d4eb392f33..72019eaa9f 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -1,14 +1,7 @@ --- title: DynamicManagement CSP description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 -ms.reviewer: -manager: aaroncz --- # DynamicManagement CSP @@ -24,7 +17,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time.  Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country/region to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. +Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time.  Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country/region to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can't reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. This CSP was added in Windows 10, version 1703. diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md index a5456ee32d..4114467551 100644 --- a/windows/client-management/mdm/dynamicmanagement-ddf.md +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md @@ -1,13 +1,6 @@ --- title: DynamicManagement DDF file description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 926d63ac80..cb42cb7572 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -1,13 +1,6 @@ --- title: EAP configuration description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index c2b25eca83..cb09b51a30 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -1,14 +1,7 @@ --- title: EMAIL2 CSP description: Learn more about the EMAIL2 CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index 6b3314bab0..2b9763c045 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -1,14 +1,7 @@ --- title: EMAIL2 DDF file description: View the XML file containing the device description framework (DDF) for the EMAIL2 configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md index 35513a778a..cb401d29af 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md @@ -1,11 +1,6 @@ --- title: EnrollmentStatusTracking DDF description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 05/17/2019 --- diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index d3c9c60797..94d3e0c6ef 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -1,11 +1,6 @@ --- title: EnrollmentStatusTracking CSP description: Learn how to execute a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 05/21/2019 --- diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 2c93f02a94..0b89ef1f01 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -1,13 +1,6 @@ --- title: EnterpriseAPN CSP description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 09/22/2017 --- diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 665a9234c3..5b6c2efba6 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -1,13 +1,6 @@ --- title: EnterpriseAPN DDF description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index c6ad92193c..0a895f7562 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -1,14 +1,7 @@ --- title: EnterpriseAppVManagement CSP description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions). -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 -ms.reviewer: -manager: aaroncz --- # EnterpriseAppVManagement CSP diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md index fa2e075e71..f9e425652e 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md @@ -1,14 +1,7 @@ --- title: EnterpriseAppVManagement DDF file description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP). -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 -ms.reviewer: -manager: aaroncz --- # EnterpriseAppVManagement DDF file diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index a6c2a4662b..0b411fed30 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -2,13 +2,6 @@ title: EnterpriseDataProtection CSP description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings. ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 08/09/2017 --- diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md index 73469ecfa7..5700376c37 100644 --- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md +++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md @@ -1,13 +1,6 @@ --- title: EnterpriseDataProtection DDF file description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 02e11e7496..4c2b45f8d4 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -1,14 +1,7 @@ --- title: EnterpriseDesktopAppManagement CSP description: Learn more about the EnterpriseDesktopAppManagement CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 013c40e935..3392fcb317 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md @@ -1,14 +1,7 @@ --- title: EnterpriseDesktopAppManagement DDF file description: View the XML file containing the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 4d1e964bfc..4369995a2e 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -1,14 +1,7 @@ --- title: EnterpriseModernAppManagement CSP description: Learn more about the EnterpriseModernAppManagement CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index d9aaa1e1a1..6afb253277 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -1,14 +1,7 @@ --- title: EnterpriseModernAppManagement DDF file description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 3933d2fb17..a4af4d0697 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -1,14 +1,7 @@ --- title: eUICCs CSP description: Learn more about the eUICCs CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/29/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 8e6dcafd38..62059a7c7d 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -1,14 +1,7 @@ --- title: eUICCs DDF file description: View the XML file containing the device description framework (DDF) for the eUICCs configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 9fb784e982..53b060e0f5 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -1,14 +1,7 @@ --- title: Firewall CSP description: Learn more about the Firewall CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index c550d02adf..580516ab56 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -1,14 +1,7 @@ --- title: Firewall DDF file description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index befe9471cc..b3944647b7 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,14 +1,7 @@ --- title: HealthAttestation CSP description: Learn more about the HealthAttestation CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 55bf10d11f..0f4afae56f 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -1,14 +1,7 @@ --- title: HealthAttestation DDF file description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/images/insider.png b/windows/client-management/mdm/images/insider.png new file mode 100644 index 0000000000..dbe00408cb Binary files /dev/null and b/windows/client-management/mdm/images/insider.png differ diff --git a/windows/client-management/mdm/includes/mdm-insider-csp-note.md b/windows/client-management/mdm/includes/mdm-insider-csp-note.md index bc1fc814b6..7e0d214867 100644 --- a/windows/client-management/mdm/includes/mdm-insider-csp-note.md +++ b/windows/client-management/mdm/includes/mdm-insider-csp-note.md @@ -6,5 +6,12 @@ ms.topic: include ms.date: 05/09/2023 --- +:::row::: +:::column span="1"::: +:::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false"::: +:::column-end::: +:::column span="3"::: > [!IMPORTANT] -> This CSP contains some settings that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These settings are subject to change and may have dependencies on other features or services in preview. +>This CSP contains some settings that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These settings are subject to change and may have dependencies on other features or services in preview. +:::column-end::: +:::row-end::: diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index 7944d29d03..cfa99b1a5f 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -7,13 +7,8 @@ metadata: title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn more about the configuration service provider (CSP) policies available on Windows devices. # Required; article description that is displayed in search results. < 160 chars. ms.topic: landing-page - ms.technology: itpro-manage - ms.prod: windows-client ms.collection: - tier1 - author: vinaypamnani-msft - ms.author: vinpa - manager: aaroncz ms.date: 10/25/2023 localization_priority: medium diff --git a/windows/client-management/mdm/language-pack-management-ddf-file.md b/windows/client-management/mdm/language-pack-management-ddf-file.md index 1f48c2ef24..d2589cc4a8 100644 --- a/windows/client-management/mdm/language-pack-management-ddf-file.md +++ b/windows/client-management/mdm/language-pack-management-ddf-file.md @@ -1,14 +1,7 @@ --- title: LanguagePackManagement DDF file description: View the XML file containing the device description framework (DDF) for the LanguagePackManagement configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index a010675895..0bcdee4870 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md @@ -1,14 +1,7 @@ --- title: LAPS CSP description: Learn more about the LAPS CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/24/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md index d9f29bb7d6..9b5d989db8 100644 --- a/windows/client-management/mdm/laps-ddf-file.md +++ b/windows/client-management/mdm/laps-ddf-file.md @@ -1,14 +1,7 @@ --- title: LAPS DDF file description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 04/07/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index b225f2f4c3..d7d8d8d642 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md @@ -1,14 +1,7 @@ --- title: MultiSIM CSP description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 03/22/2018 -ms.reviewer: -manager: aaroncz --- # MultiSIM CSP diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md index 55f8ef2b32..435a597cc4 100644 --- a/windows/client-management/mdm/multisim-ddf.md +++ b/windows/client-management/mdm/multisim-ddf.md @@ -1,14 +1,7 @@ --- title: MultiSIM DDF file description: XML file containing the device description framework for the MultiSIM configuration service provider. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 02/27/2018 -ms.reviewer: -manager: aaroncz --- # MultiSIM DDF diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index 801f6fc15d..c8a4ac849f 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -1,13 +1,6 @@ --- title: NAP CSP description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 4af7ac6717..06d4684e7a 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -1,13 +1,6 @@ --- title: NAPDEF CSP description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 57294de0a0..8eba61aa61 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -1,14 +1,7 @@ --- title: NetworkProxy CSP description: Learn more about the NetworkProxy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index 0226954189..a7ee14b7ab 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -1,14 +1,7 @@ --- title: NetworkProxy DDF file description: View the XML file containing the device description framework (DDF) for the NetworkProxy configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index cc5a8c8ada..cc42fe0b09 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -1,14 +1,7 @@ --- title: NetworkQoSPolicy CSP description: Learn more about the NetworkQoSPolicy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index ede5bc6be0..16220bc01f 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -1,14 +1,7 @@ --- title: NetworkQoSPolicy DDF file description: View the XML file containing the device description framework (DDF) for the NetworkQoSPolicy configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index dea68d13f0..53c5f2e391 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -1,14 +1,7 @@ --- title: NodeCache CSP description: Learn more about the NodeCache CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index f9d3be9b4f..0dd13ab94a 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md @@ -1,14 +1,7 @@ --- title: NodeCache DDF file description: View the XML file containing the device description framework (DDF) for the NodeCache configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index a5fd7fb004..70692efc8b 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -1,14 +1,7 @@ --- title: Office CSP description: Learn more about the Office CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 7314007057..1453b24f55 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -1,14 +1,7 @@ --- title: Office DDF file description: View the XML file containing the device description framework (DDF) for the Office configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 14c84143e8..6c581a7335 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -1,14 +1,7 @@ --- title: PassportForWork CSP description: Learn more about the PassportForWork CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 69d5da6ba2..8c1832dac1 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -1,14 +1,7 @@ --- title: PassportForWork DDF file description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md index 6c8eb48c1b..2a4648393a 100644 --- a/windows/client-management/mdm/personaldataencryption-csp.md +++ b/windows/client-management/mdm/personaldataencryption-csp.md @@ -1,14 +1,7 @@ --- title: PDE CSP description: Learn more about the PDE CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index 38478d9041..8cd2a70919 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -1,14 +1,7 @@ --- title: PDE DDF file description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 6625fb8a84..4bd6d9078f 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -1,14 +1,7 @@ --- title: Personalization CSP description: Learn more about the Personalization CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/26/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index 58e55cae6a..7b107ab37d 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -1,14 +1,7 @@ --- title: Personalization DDF file description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 2bfe37f037..c5d045a584 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1,14 +1,7 @@ --- title: ADMX-backed policies in Policy CSP description: Learn about the ADMX-backed policies in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 8aa6de5b01..bb35612d0e 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -1,14 +1,7 @@ --- title: Policies in Policy CSP supported by Group Policy description: Learn about the policies in Policy CSP supported by Group Policy. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md index 2329114e1b..c4376598c8 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md @@ -1,13 +1,6 @@ --- title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/17/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md index 631059455e..dee1ed9c6b 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md @@ -1,13 +1,6 @@ --- title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition description: Learn about the policies in Policy CSP supported by HoloLens (1st gen) Development Edition. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index e45320b0b7..8a1244f15d 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -1,13 +1,6 @@ --- title: Policies in Policy CSP supported by HoloLens 2 description: Learn about the policies in Policy CSP supported by HoloLens 2. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/03/2023 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index 7e755cbccd..17bb6fddc6 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -1,14 +1,7 @@ --- title: Policies in Policy CSP supported by Windows 10 Team description: Learn about the policies in Policy CSP supported by Windows 10 Team. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 09/25/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md index b2cb734aa7..2cb5d252a7 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md +++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md @@ -1,13 +1,6 @@ --- title: Policies in Policy CSP that can be set using Exchange Active Sync (EAS) description: Learn about the policies in Policy CSP that can be set using Exchange Active Sync (EAS). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f7695f6a8a..da8784e014 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1,14 +1,7 @@ --- title: Policy CSP description: Learn more about the Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/29/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 44d02d34ed..0c304bbebb 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -1,14 +1,7 @@ --- title: AboveLock Policy CSP description: Learn more about the AboveLock Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 5af247868d..472fa8e6dc 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -1,14 +1,7 @@ --- title: Accounts Policy CSP description: Learn more about the Accounts Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index fce92f8dff..7fe5d7be45 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -1,14 +1,7 @@ --- title: ActiveXControls Policy CSP description: Learn more about the ActiveXControls Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 0055dc812c..5a3a8d415b 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -1,14 +1,7 @@ --- title: ADMX_ActiveXInstallService Policy CSP description: Learn more about the ADMX_ActiveXInstallService Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 10196c3390..481aefeb0c 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -1,14 +1,7 @@ --- title: ADMX_AddRemovePrograms Policy CSP description: Learn more about the ADMX_AddRemovePrograms Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index a1bcc9f18b..24516f1874 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -1,14 +1,7 @@ --- title: ADMX_AdmPwd Policy CSP description: Learn more about the ADMX_AdmPwd Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 7899515d31..db2d8555a0 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -1,14 +1,7 @@ --- title: ADMX_AppCompat Policy CSP description: Learn more about the ADMX_AppCompat Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index 029e7784ba..afc5924f0e 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -1,14 +1,7 @@ --- title: ADMX_AppxPackageManager Policy CSP description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index 749ee6afce..8c3e3054f5 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -1,14 +1,7 @@ --- title: ADMX_AppXRuntime Policy CSP description: Learn more about the ADMX_AppXRuntime Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index eed1a52c46..43b3293b3c 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -1,14 +1,7 @@ --- title: ADMX_AttachmentManager Policy CSP description: Learn more about the ADMX_AttachmentManager Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index ff33c79687..255926912f 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -1,14 +1,7 @@ --- title: ADMX_AuditSettings Policy CSP description: Learn more about the ADMX_AuditSettings Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 311e65ddc9..7762c0431d 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -1,14 +1,7 @@ --- title: ADMX_Bits Policy CSP description: Learn more about the ADMX_Bits Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index f7e094a272..c2810e7ba4 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -1,14 +1,7 @@ --- title: ADMX_CipherSuiteOrder Policy CSP description: Learn more about the ADMX_CipherSuiteOrder Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index a5997f9c3f..3497e521fa 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -1,14 +1,7 @@ --- title: ADMX_COM Policy CSP description: Learn more about the ADMX_COM Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 488996e8fd..a94e04af2d 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -1,14 +1,7 @@ --- title: ADMX_ControlPanel Policy CSP description: Learn more about the ADMX_ControlPanel Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 8b6ce4783f..bb5edcf621 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -1,14 +1,7 @@ --- title: ADMX_ControlPanelDisplay Policy CSP description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 65be5aa708..b9744965b8 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -1,14 +1,7 @@ --- title: ADMX_Cpls Policy CSP description: Learn more about the ADMX_Cpls Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index 099494bfad..6d4b3184a0 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -1,14 +1,7 @@ --- title: ADMX_CredentialProviders Policy CSP description: Learn more about the ADMX_CredentialProviders Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index 44ad3d65e5..a33e0f4837 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -1,14 +1,7 @@ --- title: ADMX_CredSsp Policy CSP description: Learn more about the ADMX_CredSsp Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index b31b580c8b..d173ccb390 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -1,14 +1,7 @@ --- title: ADMX_CredUI Policy CSP description: Learn more about the ADMX_CredUI Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 54ad86715e..fb39f06a22 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -1,14 +1,7 @@ --- title: ADMX_CtrlAltDel Policy CSP description: Learn more about the ADMX_CtrlAltDel Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index e1194939bb..88352e9758 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -1,14 +1,7 @@ --- title: ADMX_DataCollection Policy CSP description: Learn more about the ADMX_DataCollection Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index c85d5737b3..5243e0bdb3 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -1,14 +1,7 @@ --- title: ADMX_DCOM Policy CSP description: Learn more about the ADMX_DCOM Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 0a0280c52c..74cb4bd0e0 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -1,14 +1,7 @@ --- title: ADMX_Desktop Policy CSP description: Learn more about the ADMX_Desktop Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md index bc8976cc58..0992bb4dbb 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md +++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md @@ -1,14 +1,7 @@ --- title: ADMX_DeviceCompat Policy CSP description: Learn more about the ADMX_DeviceCompat Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 7afb0273de..3873ad69da 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -1,14 +1,7 @@ --- title: ADMX_DeviceGuard Policy CSP description: Learn more about the ADMX_DeviceGuard Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index c8e2319400..2fb1234e02 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -1,14 +1,7 @@ --- title: ADMX_DeviceInstallation Policy CSP description: Learn more about the ADMX_DeviceInstallation Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index b6fcaa1949..d298ee4f28 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -1,14 +1,7 @@ --- title: ADMX_DeviceSetup Policy CSP description: Learn more about the ADMX_DeviceSetup Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index bf9c77582b..8b8a9fd98e 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md @@ -1,14 +1,7 @@ --- title: ADMX_DFS Policy CSP description: Learn more about the ADMX_DFS Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 1cbc73ac60..b9cab4363f 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -1,14 +1,7 @@ --- title: ADMX_DigitalLocker Policy CSP description: Learn more about the ADMX_DigitalLocker Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index 56edf435ca..6fe0e41bc7 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -1,14 +1,7 @@ --- title: ADMX_DiskDiagnostic Policy CSP description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index 65b61b43e6..7aebe11d5c 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -1,14 +1,7 @@ --- title: ADMX_DiskNVCache Policy CSP description: Learn more about the ADMX_DiskNVCache Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index 9e04e0f283..3822ac0264 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -1,14 +1,7 @@ --- title: ADMX_DiskQuota Policy CSP description: Learn more about the ADMX_DiskQuota Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 948283f347..10ff8682a8 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -1,14 +1,7 @@ --- title: ADMX_DistributedLinkTracking Policy CSP description: Learn more about the ADMX_DistributedLinkTracking Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 2ba7d810ae..66b65954ea 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -1,14 +1,7 @@ --- title: ADMX_DnsClient Policy CSP description: Learn more about the ADMX_DnsClient Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index 22f1c4afd7..d44012983a 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -1,14 +1,7 @@ --- title: ADMX_DWM Policy CSP description: Learn more about the ADMX_DWM Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 0008cdb700..f7038edb13 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -1,14 +1,7 @@ --- title: ADMX_EAIME Policy CSP description: Learn more about the ADMX_EAIME Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index 47de0a1e19..7e4e793bf7 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -1,14 +1,7 @@ --- title: ADMX_EncryptFilesonMove Policy CSP description: Learn more about the ADMX_EncryptFilesonMove Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index 8f8c2edfae..899f863d68 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -1,14 +1,7 @@ --- title: ADMX_EnhancedStorage Policy CSP description: Learn more about the ADMX_EnhancedStorage Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 9cff3290ef..4d1b6c454d 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1,14 +1,7 @@ --- title: ADMX_ErrorReporting Policy CSP description: Learn more about the ADMX_ErrorReporting Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index c795cc1b25..1f768733bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -1,14 +1,7 @@ --- title: ADMX_EventForwarding Policy CSP description: Learn more about the ADMX_EventForwarding Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index e7ea263655..55c84c956a 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -1,14 +1,7 @@ --- title: ADMX_EventLog Policy CSP description: Learn more about the ADMX_EventLog Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index 4ab3bea921..f72a8ff776 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md @@ -1,14 +1,7 @@ --- title: ADMX_EventLogging Policy CSP description: Learn more about the ADMX_EventLogging Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index 5dbf8de29a..8b171fc73b 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md +++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md @@ -1,14 +1,7 @@ --- title: ADMX_EventViewer Policy CSP description: Learn more about the ADMX_EventViewer Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index 109d2ab3e4..afe2fa4fee 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -1,14 +1,7 @@ --- title: ADMX_Explorer Policy CSP description: Learn more about the ADMX_Explorer Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index 0e9014753c..ea236024a2 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md @@ -1,14 +1,7 @@ --- title: ADMX_ExternalBoot Policy CSP description: Learn more about the ADMX_ExternalBoot Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- @@ -48,6 +41,8 @@ Specifies whether the PC can use the hibernation sleep state (S4) when started f +> [!IMPORTANT] +> Windows To Go was announced as deprecated in Windows 10, version 1903, and was removed in version 2004. For more information, see [Features and functionality removed in Windows](/windows/whats-new/removed-features). @@ -109,6 +104,8 @@ This policy setting controls whether the PC will boot to Windows To Go if a USB +> [!IMPORTANT] +> Windows To Go was announced as deprecated in Windows 10, version 1903, and was removed in version 2004. For more information, see [Features and functionality removed in Windows](/windows/whats-new/removed-features). @@ -168,6 +165,8 @@ Specifies whether the PC can use standby sleep states (S1-S3) when starting from +> [!IMPORTANT] +> Windows To Go was announced as deprecated in Windows 10, version 1903, and was removed in version 2004. For more information, see [Features and functionality removed in Windows](/windows/whats-new/removed-features). diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index df706d5574..6fa3f2524f 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -1,14 +1,7 @@ --- title: ADMX_FileRecovery Policy CSP description: Learn more about the ADMX_FileRecovery Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index b4db9c6e31..4f69113a08 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -1,14 +1,7 @@ --- title: ADMX_FileRevocation Policy CSP description: Learn more about the ADMX_FileRevocation Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 4ef165f51b..09b719884e 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -1,14 +1,7 @@ --- title: ADMX_FileServerVSSProvider Policy CSP description: Learn more about the ADMX_FileServerVSSProvider Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 46e9b64dae..125fd2482d 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -1,14 +1,7 @@ --- title: ADMX_FileSys Policy CSP description: Learn more about the ADMX_FileSys Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index f899fc45c3..8515f89060 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -1,14 +1,7 @@ --- title: ADMX_FolderRedirection Policy CSP description: Learn more about the ADMX_FolderRedirection Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index 4879cfd377..bdc13bd323 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -1,14 +1,7 @@ --- title: ADMX_FramePanes Policy CSP description: Learn more about the ADMX_FramePanes Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index 0a21d317ee..0bd737cd3c 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -1,14 +1,7 @@ --- title: ADMX_fthsvc Policy CSP description: Learn more about the ADMX_fthsvc Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 318b249de9..5266b42db2 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -1,14 +1,7 @@ --- title: ADMX_Globalization Policy CSP description: Learn more about the ADMX_Globalization Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index b4e3c52267..51baad84e5 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -1,14 +1,7 @@ --- title: ADMX_GroupPolicy Policy CSP description: Learn more about the ADMX_GroupPolicy Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index 3cc624b3ec..df2e037886 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -1,14 +1,7 @@ --- title: ADMX_Help Policy CSP description: Learn more about the ADMX_Help Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index b207a1fdec..3d1cc2cff2 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -1,14 +1,7 @@ --- title: ADMX_HelpAndSupport Policy CSP description: Learn more about the ADMX_HelpAndSupport Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md index 97c0f896dd..731f6ed051 100644 --- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -1,14 +1,7 @@ --- title: ADMX_hotspotauth Policy CSP description: Learn more about the ADMX_hotspotauth Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index b75dbe301d..17e2fbb340 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -1,14 +1,7 @@ --- title: ADMX_ICM Policy CSP description: Learn more about the ADMX_ICM Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index 5a1b4f8ae9..d447964117 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -1,14 +1,7 @@ --- title: ADMX_IIS Policy CSP description: Learn more about the ADMX_IIS Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md index 2bb4a2a986..2e5c716a1d 100644 --- a/windows/client-management/mdm/policy-csp-admx-iscsi.md +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -1,14 +1,7 @@ --- title: ADMX_iSCSI Policy CSP description: Learn more about the ADMX_iSCSI Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index c9bad00bc5..f972a10971 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -1,14 +1,7 @@ --- title: ADMX_kdc Policy CSP description: Learn more about the ADMX_kdc Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 267e0d30d2..085ac4f942 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -1,14 +1,7 @@ --- title: ADMX_Kerberos Policy CSP description: Learn more about the ADMX_Kerberos Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index 8cdab26c32..97c9ecc2d4 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -1,14 +1,7 @@ --- title: ADMX_LanmanServer Policy CSP description: Learn more about the ADMX_LanmanServer Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 474035a993..b507c61a1e 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -1,14 +1,7 @@ --- title: ADMX_LanmanWorkstation Policy CSP description: Learn more about the ADMX_LanmanWorkstation Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index 10bfdf7962..067d3135e1 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -1,14 +1,7 @@ --- title: ADMX_LeakDiagnostic Policy CSP description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index dc36ab7519..469330d891 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -1,14 +1,7 @@ --- title: ADMX_LinkLayerTopologyDiscovery Policy CSP description: Learn more about the ADMX_LinkLayerTopologyDiscovery Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md index c36607194b..970d6b6704 100644 --- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -1,14 +1,7 @@ --- title: ADMX_LocationProviderAdm Policy CSP description: Learn more about the ADMX_LocationProviderAdm Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index cf357ba833..dba5786104 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -1,14 +1,7 @@ --- title: ADMX_Logon Policy CSP description: Learn more about the ADMX_Logon Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- @@ -97,12 +90,7 @@ This policy prevents the user from showing account details (email address or use - -This policy setting disables the acrylic blur effect on logon background image. - -- If you enable this policy, the logon background image shows without blur. - -- If you disable or don't configure this policy, the logon background image adopts the acrylic blur effect. + diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 2ed270ebf6..d56fe04616 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -1,14 +1,7 @@ --- title: ADMX_MicrosoftDefenderAntivirus Policy CSP description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index 33ef1a700b..d127a3b726 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -1,14 +1,7 @@ --- title: ADMX_MMC Policy CSP description: Learn more about the ADMX_MMC Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index d7e7143b0d..d854617402 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -1,14 +1,7 @@ --- title: ADMX_MMCSnapins Policy CSP description: Learn more about the ADMX_MMCSnapins Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md index 54c66c7309..7e94f79eac 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md @@ -1,14 +1,7 @@ --- title: ADMX_MobilePCMobilityCenter Policy CSP description: Learn more about the ADMX_MobilePCMobilityCenter Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md index bd007d95f0..7fecf79eed 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md @@ -1,14 +1,7 @@ --- title: ADMX_MobilePCPresentationSettings Policy CSP description: Learn more about the ADMX_MobilePCPresentationSettings Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index 334498bf41..b253142cc0 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -1,14 +1,7 @@ --- title: ADMX_MSAPolicy Policy CSP description: Learn more about the ADMX_MSAPolicy Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index 34c9f09939..7d53cbdc2b 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -1,14 +1,7 @@ --- title: ADMX_msched Policy CSP description: Learn more about the ADMX_msched Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index 61b9d77688..33e06d7063 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -1,14 +1,7 @@ --- title: ADMX_MSDT Policy CSP description: Learn more about the ADMX_MSDT Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index 881922d5e8..30e507028d 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -1,14 +1,7 @@ --- title: ADMX_MSI Policy CSP description: Learn more about the ADMX_MSI Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md index 90a1241020..e87b0fb09d 100644 --- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md @@ -1,14 +1,7 @@ --- title: ADMX_MsiFileRecovery Policy CSP description: Learn more about the ADMX_MsiFileRecovery Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md index c318f50ecd..27e93c1b63 100644 --- a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md +++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md @@ -1,14 +1,7 @@ --- title: ADMX_MSS-legacy Policy CSP description: Learn more about the ADMX_MSS-legacy Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index 62d426d98e..8e47bcbc86 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -1,14 +1,7 @@ --- title: ADMX_nca Policy CSP description: Learn more about the ADMX_nca Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 19a7dcb36f..59719047b8 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -1,14 +1,7 @@ --- title: ADMX_NCSI Policy CSP description: Learn more about the ADMX_NCSI Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index c9d7247cac..cc98c5cf2d 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -1,14 +1,7 @@ --- title: ADMX_Netlogon Policy CSP description: Learn more about the ADMX_Netlogon Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 04f22cb3cf..e65aa855ba 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -1,14 +1,7 @@ --- title: ADMX_NetworkConnections Policy CSP description: Learn more about the ADMX_NetworkConnections Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 6fe146e767..3f4616f1d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -1,14 +1,7 @@ --- title: ADMX_OfflineFiles Policy CSP description: Learn more about the ADMX_OfflineFiles Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md index 362d358dbb..cf28909853 100644 --- a/windows/client-management/mdm/policy-csp-admx-pca.md +++ b/windows/client-management/mdm/policy-csp-admx-pca.md @@ -1,14 +1,7 @@ --- title: ADMX_pca Policy CSP description: Learn more about the ADMX_pca Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index d71f78c562..83ba39d5bd 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -1,14 +1,7 @@ --- title: ADMX_PeerToPeerCaching Policy CSP description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md index f6c7cd6556..1f8f990c0e 100644 --- a/windows/client-management/mdm/policy-csp-admx-pentraining.md +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md @@ -1,14 +1,7 @@ --- title: ADMX_PenTraining Policy CSP description: Learn more about the ADMX_PenTraining Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index 4668a2c205..510a54b8fa 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -1,14 +1,7 @@ --- title: ADMX_PerformanceDiagnostics Policy CSP description: Learn more about the ADMX_PerformanceDiagnostics Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index df3ab6fb49..d329f3a34e 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -1,14 +1,7 @@ --- title: ADMX_Power Policy CSP description: Learn more about the ADMX_Power Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/23/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index 68f10aa963..bea468e20c 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -1,14 +1,7 @@ --- title: ADMX_PowerShellExecutionPolicy Policy CSP description: Learn more about the ADMX_PowerShellExecutionPolicy Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index 12298c8668..f9552c2c37 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -1,14 +1,7 @@ --- title: ADMX_PreviousVersions Policy CSP description: Learn more about the ADMX_PreviousVersions Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 4e7b8d6bf5..712df5a4c8 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1,14 +1,7 @@ --- title: ADMX_Printing Policy CSP description: Learn more about the ADMX_Printing Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index a30b68056b..c687d9136e 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -1,14 +1,7 @@ --- title: ADMX_Printing2 Policy CSP description: Learn more about the ADMX_Printing2 Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index ce4953e2bd..5548050a9c 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -1,14 +1,7 @@ --- title: ADMX_Programs Policy CSP description: Learn more about the ADMX_Programs Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md index f4c90fd2f1..806d9651ce 100644 --- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -1,14 +1,7 @@ --- title: ADMX_PushToInstall Policy CSP description: Learn more about the ADMX_PushToInstall Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md index 88eb3a3e85..c19234a322 100644 --- a/windows/client-management/mdm/policy-csp-admx-qos.md +++ b/windows/client-management/mdm/policy-csp-admx-qos.md @@ -1,14 +1,7 @@ --- title: ADMX_QOS Policy CSP description: Learn more about the ADMX_QOS Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md index 787f2686d2..2d7bb746e9 100644 --- a/windows/client-management/mdm/policy-csp-admx-radar.md +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -1,14 +1,7 @@ --- title: ADMX_Radar Policy CSP description: Learn more about the ADMX_Radar Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 0c9e9c4c91..20c59c50f0 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -1,14 +1,7 @@ --- title: ADMX_Reliability Policy CSP description: Learn more about the ADMX_Reliability Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index b3b804deb2..d6b3127e2e 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -1,14 +1,7 @@ --- title: ADMX_RemoteAssistance Policy CSP description: Learn more about the ADMX_RemoteAssistance Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index 3184140eb7..8e706aa2c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -1,14 +1,7 @@ --- title: ADMX_RemovableStorage Policy CSP description: Learn more about the ADMX_RemovableStorage Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index 7c8406a263..613e1bb668 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -1,14 +1,7 @@ --- title: ADMX_RPC Policy CSP description: Learn more about the ADMX_RPC Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md index f50403b71b..1427a02daf 100644 --- a/windows/client-management/mdm/policy-csp-admx-sam.md +++ b/windows/client-management/mdm/policy-csp-admx-sam.md @@ -1,14 +1,7 @@ --- title: ADMX_sam Policy CSP description: Learn more about the ADMX_sam Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 787caffb91..a507a7dc14 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -1,14 +1,7 @@ --- title: ADMX_Scripts Policy CSP description: Learn more about the ADMX_Scripts Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index 6d21f4a202..c23bf10950 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -1,14 +1,7 @@ --- title: ADMX_sdiageng Policy CSP description: Learn more about the ADMX_sdiageng Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md index 7fe4560ed8..a221dc34b5 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -1,14 +1,7 @@ --- title: ADMX_sdiagschd Policy CSP description: Learn more about the ADMX_sdiagschd Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index b485aeaea3..fd54e1f891 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -1,14 +1,7 @@ --- title: ADMX_Securitycenter Policy CSP description: Learn more about the ADMX_Securitycenter Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 467b0c299b..6c890631d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -1,14 +1,7 @@ --- title: ADMX_Sensors Policy CSP description: Learn more about the ADMX_Sensors Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md index 2e0010499f..0af31e3dda 100644 --- a/windows/client-management/mdm/policy-csp-admx-servermanager.md +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -1,14 +1,7 @@ --- title: ADMX_ServerManager Policy CSP description: Learn more about the ADMX_ServerManager Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index 8a4ae0fb37..a31799041a 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -1,14 +1,7 @@ --- title: ADMX_Servicing Policy CSP description: Learn more about the ADMX_Servicing Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index 27aef62087..5b949ace6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -1,14 +1,7 @@ --- title: ADMX_SettingSync Policy CSP description: Learn more about the ADMX_SettingSync Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index 78196c2803..486085f08a 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -1,14 +1,7 @@ --- title: ADMX_SharedFolders Policy CSP description: Learn more about the ADMX_SharedFolders Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 5af4415dfe..a83e821101 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -1,14 +1,7 @@ --- title: ADMX_Sharing Policy CSP description: Learn more about the ADMX_Sharing Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index 97565d0fc8..228d08b694 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -1,14 +1,7 @@ --- title: ADMX_ShellCommandPromptRegEditTools Policy CSP description: Learn more about the ADMX_ShellCommandPromptRegEditTools Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index a427fcd365..22338b85ad 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -1,14 +1,7 @@ --- title: ADMX_Smartcard Policy CSP description: Learn more about the ADMX_Smartcard Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 36d22a34e9..0d2382bb64 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -1,14 +1,7 @@ --- title: ADMX_Snmp Policy CSP description: Learn more about the ADMX_Snmp Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md index ead22da785..41cf4a6ccc 100644 --- a/windows/client-management/mdm/policy-csp-admx-soundrec.md +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -1,14 +1,7 @@ --- title: ADMX_SoundRec Policy CSP description: Learn more about the ADMX_SoundRec Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md index 1758b042bb..7fc90a1ff0 100644 --- a/windows/client-management/mdm/policy-csp-admx-srmfci.md +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -1,14 +1,7 @@ --- title: ADMX_srmfci Policy CSP description: Learn more about the ADMX_srmfci Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index ea6c920ff9..0a223d43d0 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -1,14 +1,7 @@ --- title: ADMX_StartMenu Policy CSP description: Learn more about the ADMX_StartMenu Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index c3c396e287..2e1c03774b 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -1,14 +1,7 @@ --- title: ADMX_SystemRestore Policy CSP description: Learn more about the ADMX_SystemRestore Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md index c031995861..e7b2fb7d4a 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md @@ -1,14 +1,7 @@ --- title: ADMX_TabletPCInputPanel Policy CSP description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md index 6682bc155c..7ee90e1830 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -1,14 +1,7 @@ --- title: ADMX_TabletShell Policy CSP description: Learn more about the ADMX_TabletShell Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 97e296b53b..176660f30b 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1,14 +1,7 @@ --- title: ADMX_Taskbar Policy CSP description: Learn more about the ADMX_Taskbar Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- @@ -105,16 +98,7 @@ A reboot is required for this policy setting to take effect. - -This policy disables the functionality that converts balloons to toast notifications. - -- If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. - -Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications. - -- If you disable or don't configure this policy setting, all notifications will appear as toast notifications. - -A reboot is required for this policy setting to take effect. + diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index efef32bb83..a394a7a264 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -1,14 +1,7 @@ --- title: ADMX_tcpip Policy CSP description: Learn more about the ADMX_tcpip Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index a278a237c3..0b5853336a 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -1,14 +1,7 @@ --- title: ADMX_TerminalServer Policy CSP description: Learn more about the ADMX_TerminalServer Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- @@ -2945,7 +2938,7 @@ This policy setting determines whether a user will be prompted on the client com -This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. +This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. The default connection URL must be configured in the form of< https://contoso.com/rdweb/Feed/webfeed.aspx>. diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index aa937ea978..1b7747fb27 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -1,14 +1,7 @@ --- title: ADMX_Thumbnails Policy CSP description: Learn more about the ADMX_Thumbnails Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 2442bd1a0c..90a38cf981 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -1,14 +1,7 @@ --- title: ADMX_TouchInput Policy CSP description: Learn more about the ADMX_TouchInput Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index c0de908883..299bc993aa 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -1,14 +1,7 @@ --- title: ADMX_TPM Policy CSP description: Learn more about the ADMX_TPM Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index c89a4542be..5df403b933 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -1,14 +1,7 @@ --- title: ADMX_UserExperienceVirtualization Policy CSP description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index df2fd32ecf..adf0ccefe0 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -1,14 +1,7 @@ --- title: ADMX_UserProfiles Policy CSP description: Learn more about the ADMX_UserProfiles Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 4c34ddc617..3aaf1c7335 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -1,14 +1,7 @@ --- title: ADMX_W32Time Policy CSP description: Learn more about the ADMX_W32Time Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 2daf25532c..e6fe0c1726 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -1,14 +1,7 @@ --- title: ADMX_WCM Policy CSP description: Learn more about the ADMX_WCM Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md index 14371f71cf..df4c5846ad 100644 --- a/windows/client-management/mdm/policy-csp-admx-wdi.md +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -1,14 +1,7 @@ --- title: ADMX_WDI Policy CSP description: Learn more about the ADMX_WDI Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index 97141edb41..31833306d1 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -1,14 +1,7 @@ --- title: ADMX_WinCal Policy CSP description: Learn more about the ADMX_WinCal Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md index c7c06a9fc3..2055d516ec 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -1,14 +1,7 @@ --- title: ADMX_WindowsColorSystem Policy CSP description: Learn more about the ADMX_WindowsColorSystem Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 10dcf61ff3..b115f7d5e2 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -1,14 +1,7 @@ --- title: ADMX_WindowsConnectNow Policy CSP description: Learn more about the ADMX_WindowsConnectNow Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 33ab184dc5..7fe9bd9679 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -1,14 +1,7 @@ --- title: ADMX_WindowsExplorer Policy CSP description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index 9476a4fabb..dbd36541c4 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -1,14 +1,7 @@ --- title: ADMX_WindowsMediaDRM Policy CSP description: Learn more about the ADMX_WindowsMediaDRM Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 46150339f6..04df21d7a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -1,14 +1,7 @@ --- title: ADMX_WindowsMediaPlayer Policy CSP description: Learn more about the ADMX_WindowsMediaPlayer Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 3a972ef92a..9feebc0561 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -1,14 +1,7 @@ --- title: ADMX_WindowsRemoteManagement Policy CSP description: Learn more about the ADMX_WindowsRemoteManagement Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 757279b2fc..ad9da6b96b 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -1,14 +1,7 @@ --- title: ADMX_WindowsStore Policy CSP description: Learn more about the ADMX_WindowsStore Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index b4561c36e3..016d00fda3 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -1,14 +1,7 @@ --- title: ADMX_WinInit Policy CSP description: Learn more about the ADMX_WinInit Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index e9191d0a40..7861b20555 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -1,14 +1,7 @@ --- title: ADMX_WinLogon Policy CSP description: Learn more about the ADMX_WinLogon Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index f92cba7883..56d9974fe2 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -1,14 +1,7 @@ --- title: ADMX_Winsrv Policy CSP description: Learn more about the ADMX_Winsrv Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- @@ -38,12 +31,7 @@ ms.topic: reference - -This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely. - -- If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown won't be automatically terminated during shutdown. - -- If you disable or don't configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that Windows can shut down faster and more smoothly. + diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index 67f7fd4932..d09a2030f0 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -1,14 +1,7 @@ --- title: ADMX_wlansvc Policy CSP description: Learn more about the ADMX_wlansvc Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md index 8217f78031..a71623c248 100644 --- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md @@ -1,14 +1,7 @@ --- title: ADMX_WordWheel Policy CSP description: Learn more about the ADMX_WordWheel Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md index 90b757d7e6..f5b3d60f6b 100644 --- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md @@ -1,14 +1,7 @@ --- title: ADMX_WorkFoldersClient Policy CSP description: Learn more about the ADMX_WorkFoldersClient Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 3a2751af33..f69b55da60 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -1,14 +1,7 @@ --- title: ADMX_WPN Policy CSP description: Learn more about the ADMX_WPN Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index abed7ece97..ee6da319a3 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,14 +1,7 @@ --- title: ApplicationDefaults Policy CSP description: Learn more about the ApplicationDefaults Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 15396470d3..ba4fc8b016 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,14 +1,7 @@ --- title: ApplicationManagement Policy CSP description: Learn more about the ApplicationManagement Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index c80e7472b4..20cddfc183 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -1,14 +1,7 @@ --- title: AppRuntime Policy CSP description: Learn more about the AppRuntime Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 7cfb9ef14a..6e677aa3b7 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -1,14 +1,7 @@ --- title: AppVirtualization Policy CSP description: Learn more about the AppVirtualization Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/24/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index ad924dc539..63caf16da0 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -1,14 +1,7 @@ --- title: AttachmentManager Policy CSP description: Learn more about the AttachmentManager Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 174c8e6dd0..c434116039 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,14 +1,7 @@ --- title: Audit Policy CSP description: Learn more about the Audit Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index dd50a84d62..ebc00056d8 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -1,14 +1,7 @@ --- title: Authentication Policy CSP description: Learn more about the Authentication Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index fbf76ab56a..f94c675d89 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -1,14 +1,7 @@ --- title: Autoplay Policy CSP description: Learn more about the Autoplay Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index bdc7ed5eee..85ba82af82 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -1,14 +1,7 @@ --- title: Bitlocker Policy CSP description: Learn more about the Bitlocker Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/09/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index b1d3449ae2..01dbd07987 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -1,14 +1,7 @@ --- title: BITS Policy CSP description: Learn more about the BITS Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 03ee87d6ff..fc321bd1b1 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -1,14 +1,7 @@ --- title: Bluetooth Policy CSP description: Learn more about the Bluetooth Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index c6cf0c0b0b..0831538391 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1,14 +1,7 @@ --- title: Browser Policy CSP description: Learn more about the Browser Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 3f89630a72..3882e07879 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -1,14 +1,7 @@ --- title: Camera Policy CSP description: Learn more about the Camera Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 1e98fdc8f5..a2cfae0564 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -1,14 +1,7 @@ --- title: Cellular Policy CSP description: Learn more about the Cellular Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md index 66d7fcc0ad..cb287ddd00 100644 --- a/windows/client-management/mdm/policy-csp-clouddesktop.md +++ b/windows/client-management/mdm/policy-csp-clouddesktop.md @@ -1,14 +1,7 @@ --- title: CloudDesktop Policy CSP description: Learn more about the CloudDesktop Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 09/14/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 7e0a5b1426..26b96531e8 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,14 +1,7 @@ --- title: Connectivity Policy CSP description: Learn more about the Connectivity Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 4c27326f83..11a98be2e2 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -1,14 +1,7 @@ --- title: ControlPolicyConflict Policy CSP description: Learn more about the ControlPolicyConflict Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index bf6c62f53a..d73b3ade9c 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -1,14 +1,7 @@ --- title: CredentialProviders Policy CSP description: Learn more about the CredentialProviders Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index 943113ee1d..af3cee543f 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -1,14 +1,7 @@ --- title: CredentialsDelegation Policy CSP description: Learn more about the CredentialsDelegation Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 2fb7881948..f6f9d847a7 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -1,14 +1,7 @@ --- title: CredentialsUI Policy CSP description: Learn more about the CredentialsUI Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index a5874803b9..27aae04079 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -1,14 +1,7 @@ --- title: Cryptography Policy CSP description: Learn more about the Cryptography Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/29/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 591e62bd55..ed3d5d84d4 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -1,14 +1,7 @@ --- title: DataProtection Policy CSP description: Learn more about the DataProtection Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 3bb392662b..37ef82f657 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -1,14 +1,7 @@ --- title: DataUsage Policy CSP description: Learn more about the DataUsage Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index b191cca03e..ce5814933e 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,14 +1,7 @@ --- title: Defender Policy CSP description: Learn more about the Defender Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/08/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index b79f7e2e0d..f9f05c2927 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,14 +1,7 @@ --- title: DeliveryOptimization Policy CSP description: Learn more about the DeliveryOptimization Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 8c7fe07a3d..60c0d9c6aa 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -1,14 +1,7 @@ --- title: Desktop Policy CSP description: Learn more about the Desktop Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md index e0c33829f6..2b3fea16a4 100644 --- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md +++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md @@ -1,14 +1,7 @@ --- title: DesktopAppInstaller Policy CSP description: Learn more about the DesktopAppInstaller Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index fe3ed53290..c27a142696 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -1,14 +1,7 @@ --- title: DeviceGuard Policy CSP description: Learn more about the DeviceGuard Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 0f7c4c5589..271866959b 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -1,14 +1,7 @@ --- title: DeviceHealthMonitoring Policy CSP description: Learn more about the DeviceHealthMonitoring Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 601453f34d..88d04325f2 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -1,14 +1,7 @@ --- title: DeviceInstallation Policy CSP description: Learn more about the DeviceInstallation Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 7b0d273a41..e066ebfeee 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -1,14 +1,7 @@ --- title: DeviceLock Policy CSP description: Learn more about the DeviceLock Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index c716b41a63..8f021f8337 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -1,14 +1,7 @@ --- title: Display Policy CSP description: Learn more about the Display Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 0a9aa6d814..ed3b7b4609 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -1,14 +1,7 @@ --- title: DmaGuard Policy CSP description: Learn more about the DmaGuard Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index ccc75b02bf..14022fde28 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -1,14 +1,7 @@ --- title: Eap Policy CSP description: Learn more about the Eap Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 4ec2cef651..cfd49a1bf0 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -1,14 +1,7 @@ --- title: Education Policy CSP description: Learn more about the Education Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index 4005e29555..f0c354b20c 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -1,14 +1,7 @@ --- title: EnterpriseCloudPrint Policy CSP description: Learn more about the EnterpriseCloudPrint Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index e97461a682..50e401227e 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -1,14 +1,7 @@ --- title: ErrorReporting Policy CSP description: Learn more about the ErrorReporting Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index ce940b762e..83a5c6c350 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -1,14 +1,7 @@ --- title: EventLogService Policy CSP description: Learn more about the EventLogService Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 3fbecc7fbe..f7ecf4bf2a 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1,14 +1,7 @@ --- title: Experience Policy CSP description: Learn more about the Experience Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 089a7066d9..6d947b5cd3 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -1,14 +1,7 @@ --- title: ExploitGuard Policy CSP description: Learn more about the ExploitGuard Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md index 18426abce1..4b4de43f51 100644 --- a/windows/client-management/mdm/policy-csp-federatedauthentication.md +++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md @@ -1,14 +1,7 @@ --- title: FederatedAuthentication Policy CSP description: Learn more about the FederatedAuthentication Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/23/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index a8a7ae5f57..98a8e70629 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -1,15 +1,7 @@ --- title: Policy CSP - Feeds description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium ms.date: 09/17/2021 -ms.reviewer: -manager: aaroncz --- # Policy CSP - Feeds diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 75e9fb777f..fb55df7a5d 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -1,14 +1,7 @@ --- title: FileExplorer Policy CSP description: Learn more about the FileExplorer Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/30/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-filesystem.md b/windows/client-management/mdm/policy-csp-filesystem.md index b3c3aa2084..f1d4135999 100644 --- a/windows/client-management/mdm/policy-csp-filesystem.md +++ b/windows/client-management/mdm/policy-csp-filesystem.md @@ -1,14 +1,7 @@ --- title: FileSystem Policy CSP description: Learn more about the FileSystem Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index 7be1ae616e..d16bea4048 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -1,14 +1,7 @@ --- title: Games Policy CSP description: Learn more about the Games Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 941b6ab1ce..6cd40803bd 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -1,14 +1,7 @@ --- title: Handwriting Policy CSP description: Learn more about the Handwriting Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 6584e6372b..3ef891ed68 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,14 +1,7 @@ --- title: HumanPresence Policy CSP description: Learn more about the HumanPresence Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/30/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index d707b4af93..a6efb038f9 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1,14 +1,7 @@ --- title: InternetExplorer Policy CSP description: Learn more about the InternetExplorer Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/03/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- @@ -3666,17 +3659,7 @@ If you disable, or don't configure this policy, all sites are opened using the c - -This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. - -> [!IMPORTANT] -> Some ActiveX controls and toolbars may not be available when 64-bit processes are used. - -- If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. - -- If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. - -- If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. + diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index ed58ffd639..51c1950d55 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,14 +1,7 @@ --- title: Kerberos Policy CSP description: Learn more about the Kerberos Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/23/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 957c1a280e..ab923304b0 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -1,14 +1,7 @@ --- title: KioskBrowser Policy CSP description: Learn more about the KioskBrowser Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index 4c0d5e7b6e..b3e44fe44d 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -1,14 +1,7 @@ --- title: LanmanWorkstation Policy CSP description: Learn more about the LanmanWorkstation Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 27405e9ef7..69f8d74490 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -1,14 +1,7 @@ --- title: Licensing Policy CSP description: Learn more about the Licensing Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 00bb621743..8ec2b64666 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1,14 +1,7 @@ --- title: LocalPoliciesSecurityOptions Policy CSP description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 1ae1768b2e..7dc4364747 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -1,14 +1,7 @@ --- title: LocalUsersAndGroups Policy CSP description: Learn more about the LocalUsersAndGroups Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index f7afb94964..95f4c33c50 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -1,14 +1,7 @@ --- title: LockDown Policy CSP description: Learn more about the LockDown Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md index 3359d00d6a..d4773d4c5d 100644 --- a/windows/client-management/mdm/policy-csp-lsa.md +++ b/windows/client-management/mdm/policy-csp-lsa.md @@ -1,14 +1,7 @@ --- title: LocalSecurityAuthority Policy CSP description: Learn more about the LocalSecurityAuthority Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index e3a20f4341..7dc52aed91 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -1,14 +1,7 @@ --- title: Maps Policy CSP description: Learn more about the Maps Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md index 5c6eedf729..d6550053a3 100644 --- a/windows/client-management/mdm/policy-csp-memorydump.md +++ b/windows/client-management/mdm/policy-csp-memorydump.md @@ -1,14 +1,7 @@ --- title: MemoryDump Policy CSP description: Learn more about the MemoryDump Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index f0b04e92b7..30117ff84d 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,14 +1,7 @@ --- title: Messaging Policy CSP description: Learn more about the Messaging Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 79b92833b7..e8a936acdc 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -1,14 +1,7 @@ --- title: MixedReality Policy CSP description: Learn more about the MixedReality Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/29/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index 9d94c49836..b6562fb871 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -1,14 +1,7 @@ --- title: MSSecurityGuide Policy CSP description: Learn more about the MSSecurityGuide Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index a34a41ff94..6e60b0d9dd 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -1,14 +1,7 @@ --- title: MSSLegacy Policy CSP description: Learn more about the MSSLegacy Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index c12b74e90f..84df0472de 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -1,14 +1,7 @@ --- title: Multitasking Policy CSP description: Learn more about the Multitasking Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/30/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index dd7b76de61..14633df6c8 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -1,14 +1,7 @@ --- title: NetworkIsolation Policy CSP description: Learn more about the NetworkIsolation Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 8b5b22dbeb..9741bc0df7 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -1,14 +1,7 @@ --- title: NetworkListManager Policy CSP description: Learn more about the NetworkListManager Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index c22d8a9bfa..16fabdc822 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -1,14 +1,7 @@ --- title: NewsAndInterests Policy CSP description: Learn more about the NewsAndInterests Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 1f7b42377a..65d5cb42bc 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -1,14 +1,7 @@ --- title: Notifications Policy CSP description: Learn more about the Notifications Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/30/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 68c365431c..e1e5083184 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,14 +1,7 @@ --- title: Power Policy CSP description: Learn more about the Power Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/24/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 10b73e98be..e98acdec75 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -1,14 +1,7 @@ --- title: Printers Policy CSP description: Learn more about the Printers Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index f96c5acb6a..5094419e31 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,14 +1,7 @@ --- title: Privacy Policy CSP description: Learn more about the Privacy Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/30/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index fa85c9cec4..1e190204ac 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -1,14 +1,7 @@ --- title: RemoteAssistance Policy CSP description: Learn more about the RemoteAssistance Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index e112f3b6d8..caa589b6f9 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -1,14 +1,7 @@ --- title: RemoteDesktop Policy CSP description: Learn more about the RemoteDesktop Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index e56b901ad4..2e7833047e 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -1,14 +1,7 @@ --- title: RemoteDesktopServices Policy CSP description: Learn more about the RemoteDesktopServices Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 1a0bbae405..0f19f54970 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -1,14 +1,7 @@ --- title: RemoteManagement Policy CSP description: Learn more about the RemoteManagement Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index c939be5ef0..1def7d700f 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -1,14 +1,7 @@ --- title: RemoteProcedureCall Policy CSP description: Learn more about the RemoteProcedureCall Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 95deedc15b..e7c0d076a7 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -1,14 +1,7 @@ --- title: RemoteShell Policy CSP description: Learn more about the RemoteShell Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 83c65f6386..6c8af25f6a 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -1,14 +1,7 @@ --- title: RestrictedGroups Policy CSP description: Learn more about the RestrictedGroups Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 624d6566b7..f981a81cc0 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1,14 +1,7 @@ --- title: Search Policy CSP description: Learn more about the Search Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/24/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index ef1082ff7d..b1093ffddc 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -1,14 +1,7 @@ --- title: Security Policy CSP description: Learn more about the Security Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 73dbb1343a..46c10a8e9a 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -1,14 +1,7 @@ --- title: ServiceControlManager Policy CSP description: Learn more about the ServiceControlManager Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 9f5437e695..eeb0d6f1ba 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -1,14 +1,7 @@ --- title: Settings Policy CSP description: Learn more about the Settings Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md index 954bbaeaf2..39e032a8b4 100644 --- a/windows/client-management/mdm/policy-csp-settingssync.md +++ b/windows/client-management/mdm/policy-csp-settingssync.md @@ -1,14 +1,7 @@ --- title: SettingsSync Policy CSP description: Learn more about the SettingsSync Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/30/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index a59c0981e8..fce90a0f5b 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -1,14 +1,7 @@ --- title: SmartScreen Policy CSP description: Learn more about the SmartScreen Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index bf6e6f78d4..437f917212 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -1,14 +1,7 @@ --- title: Speech Policy CSP description: Learn more about the Speech Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 838e2faf41..8ae3504c72 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1,14 +1,7 @@ --- title: Start Policy CSP description: Learn more about the Start Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 09/25/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md index 9f2e6a4f60..34b5c89385 100644 --- a/windows/client-management/mdm/policy-csp-stickers.md +++ b/windows/client-management/mdm/policy-csp-stickers.md @@ -1,14 +1,7 @@ --- title: Stickers Policy CSP description: Learn more about the Stickers Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 3e241acee7..78f789eba8 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1,14 +1,7 @@ --- title: Storage Policy CSP description: Learn more about the Storage Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 22ff8ce8ea..337e3987e3 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,14 +1,7 @@ --- title: System Policy CSP description: Learn more about the System Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index b0e97a7454..b08d9a0c2d 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -1,14 +1,7 @@ --- title: SystemServices Policy CSP description: Learn more about the SystemServices Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 9882cd2083..439cfdb8d3 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -1,14 +1,7 @@ --- title: TaskManager Policy CSP description: Learn more about the TaskManager Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index 61603da719..a847cb3ec9 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -1,14 +1,7 @@ --- title: TaskScheduler Policy CSP description: Learn more about the TaskScheduler Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md index 32c6595782..6c9181ab8c 100644 --- a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md +++ b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md @@ -1,14 +1,7 @@ --- title: TenantDefinedTelemetry Policy CSP description: Learn more about the TenantDefinedTelemetry Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index 62451125d8..b0838899b1 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -1,14 +1,7 @@ --- title: TenantRestrictions Policy CSP description: Learn more about the TenantRestrictions Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 49037f5600..359c78a5c8 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1,14 +1,7 @@ --- title: TextInput Policy CSP description: Learn more about the TextInput Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 216139ba2a..ec0faa2924 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,14 +1,7 @@ --- title: TimeLanguageSettings Policy CSP description: Learn more about the TimeLanguageSettings Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index 96e90c4433..4e27dcdaee 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -1,14 +1,7 @@ --- title: Troubleshooting Policy CSP description: Learn more about the Troubleshooting Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 5232cbd5a3..f4e6909c22 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,14 +1,7 @@ --- title: Update Policy CSP description: Learn more about the Update Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 39a023b122..dc226ea336 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1,14 +1,7 @@ --- title: UserRights Policy CSP description: Learn more about the UserRights Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md index 5c2fd4615b..bfea6628c8 100644 --- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md +++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md @@ -1,14 +1,7 @@ --- title: VirtualizationBasedTechnology Policy CSP description: Learn more about the VirtualizationBasedTechnology Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index e415fba8e2..09fbed9c20 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -1,14 +1,7 @@ --- title: WebThreatDefense Policy CSP description: Learn more about the WebThreatDefense Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 0eb72b28a0..acb1356f98 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -1,14 +1,7 @@ --- title: Wifi Policy CSP description: Learn more about the Wifi Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md index 879c8ba6b4..ed3cc9b463 100644 --- a/windows/client-management/mdm/policy-csp-windowsai.md +++ b/windows/client-management/mdm/policy-csp-windowsai.md @@ -1,14 +1,7 @@ --- title: WindowsAI Policy CSP description: Learn more about the WindowsAI Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/14/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md index 6fc277fe8f..1e3b68c37a 100644 --- a/windows/client-management/mdm/policy-csp-windowsautopilot.md +++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md @@ -1,14 +1,7 @@ --- title: WindowsAutopilot Policy CSP description: Learn more about the WindowsAutopilot Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 3b1491564f..ae7bafe0cf 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -1,14 +1,7 @@ --- title: WindowsConnectionManager Policy CSP description: Learn more about the WindowsConnectionManager Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 44ed4083ba..bc665f2973 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1,14 +1,7 @@ --- title: WindowsDefenderSecurityCenter Policy CSP description: Learn more about the WindowsDefenderSecurityCenter Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index a2608dd9a9..c84c0bded7 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -1,14 +1,7 @@ --- title: WindowsInkWorkspace Policy CSP description: Learn more about the WindowsInkWorkspace Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 7f43647495..0c07ef2d66 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -1,14 +1,7 @@ --- title: WindowsLogon Policy CSP description: Learn more about the WindowsLogon Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/24/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 2a3b6be557..9e4a87efb2 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -1,14 +1,7 @@ --- title: WindowsPowerShell Policy CSP description: Learn more about the WindowsPowerShell Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index be6709c49c..ffa94e847a 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -1,14 +1,7 @@ --- title: WindowsSandbox Policy CSP description: Learn more about the WindowsSandbox Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 11/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 2d101d6563..70e8e67fba 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -1,14 +1,7 @@ --- title: WirelessDisplay Policy CSP description: Learn more about the WirelessDisplay Area in Policy CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/printerprovisioning-csp.md b/windows/client-management/mdm/printerprovisioning-csp.md index bea685738c..a80ace3abb 100644 --- a/windows/client-management/mdm/printerprovisioning-csp.md +++ b/windows/client-management/mdm/printerprovisioning-csp.md @@ -1,14 +1,7 @@ --- title: PrinterProvisioning CSP description: Learn more about the PrinterProvisioning CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/printerprovisioning-ddf-file.md b/windows/client-management/mdm/printerprovisioning-ddf-file.md index fb871d05c8..3c4a974d93 100644 --- a/windows/client-management/mdm/printerprovisioning-ddf-file.md +++ b/windows/client-management/mdm/printerprovisioning-ddf-file.md @@ -1,14 +1,7 @@ --- title: PrinterProvisioning DDF file description: View the XML file containing the device description framework (DDF) for the PrinterProvisioning configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md index 11e636ca48..62d027c686 100644 --- a/windows/client-management/mdm/provisioning-csp.md +++ b/windows/client-management/mdm/provisioning-csp.md @@ -1,13 +1,6 @@ --- title: Provisioning CSP description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index bfc6a262c4..b452264fde 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -1,13 +1,6 @@ --- title: PXLOGICAL configuration service provider description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index f289a7e154..b095998bbd 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -1,14 +1,7 @@ --- title: Reboot CSP description: Learn more about the Reboot CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 68b6e64ef9..3b86f5316c 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -1,14 +1,7 @@ --- title: Reboot DDF file description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index 2b3973921d..2acb98e912 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -1,13 +1,6 @@ --- title: RemoteFind CSP description: The RemoteFind configuration service provider retrieves the location information for a particular device. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md index e805197cf2..572d1cbf9e 100644 --- a/windows/client-management/mdm/remotefind-ddf-file.md +++ b/windows/client-management/mdm/remotefind-ddf-file.md @@ -1,13 +1,6 @@ --- title: RemoteFind DDF file description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 16c44fd50b..12526066f9 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -1,13 +1,6 @@ --- title: RemoteRing CSP description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- @@ -17,29 +10,27 @@ ms.date: 06/26/2017 You can use the RemoteRing configuration service provider to remotely trigger a device to produce an audible ringing sound, regardless of the volume that is set on the device. The following DDF format shows the RemoteRing configuration service provider in tree format. + ``` ./User/Vendor/MSFT RemoteRing ----Ring - ./Device/Vendor/MSFT Root - ./User/Vendor/MSFT ./Device/Vendor/MSFT RemoteRing ----Ring ``` -**Ring** -Required. The node accepts requests to ring the device. -The supported operation is Exec. +## Ring + +Required. The node accepts requests to ring the device. The supported operation is Exec. ## Examples - The following sample shows how to initiate a remote ring on the device. ```xml @@ -52,13 +43,3 @@ The following sample shows how to initiate a remote ring on the device. ``` - -  - -  - - - - - - diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index d0ae5d1f19..1c0afff55f 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -1,14 +1,7 @@ --- title: RemoteWipe CSP description: Learn more about the RemoteWipe CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index 1bc56998aa..6ec9d27e89 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -1,14 +1,7 @@ --- title: RemoteWipe DDF file description: View the XML file containing the device description framework (DDF) for the RemoteWipe configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 02/17/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index a6ff79d5e1..b8b1422494 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -1,13 +1,6 @@ --- title: Reporting CSP description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md index 71c1e4a728..b04625ed11 100644 --- a/windows/client-management/mdm/reporting-ddf-file.md +++ b/windows/client-management/mdm/reporting-ddf-file.md @@ -1,13 +1,6 @@ --- title: Reporting DDF file description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index 67664ef793..6445586c10 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -1,14 +1,7 @@ --- title: RootCATrustedCertificates CSP description: Learn more about the RootCATrustedCertificates CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index fbfb864c26..d5a746496d 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -1,14 +1,7 @@ --- title: RootCATrustedCertificates DDF file description: View the XML file containing the device description framework (DDF) for the RootCATrustedCertificates configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index 1ccd2b55b5..172e2ef819 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -1,14 +1,7 @@ --- title: SecureAssessment CSP description: Learn more about the SecureAssessment CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 10/23/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md index 01eaf192bc..ef8d526873 100644 --- a/windows/client-management/mdm/secureassessment-ddf-file.md +++ b/windows/client-management/mdm/secureassessment-ddf-file.md @@ -1,14 +1,7 @@ --- title: SecureAssessment DDF file description: View the XML file containing the device description framework (DDF) for the SecureAssessment configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 49390c0ef7..c35bb9bfe7 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -1,13 +1,6 @@ --- title: SecurityPolicy CSP description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index f2446290ae..bdff7ac7bd 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -1,14 +1,7 @@ --- title: SharedPC CSP description: Learn more about the SharedPC CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index b652268570..fd1f225e74 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -1,14 +1,7 @@ --- title: SharedPC DDF file description: View the XML file containing the device description framework (DDF) for the SharedPC configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md index 7593043812..3319247b9f 100644 --- a/windows/client-management/mdm/storage-csp.md +++ b/windows/client-management/mdm/storage-csp.md @@ -1,13 +1,6 @@ --- title: Storage CSP description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md index 9b582019e9..e0797e83a5 100644 --- a/windows/client-management/mdm/storage-ddf-file.md +++ b/windows/client-management/mdm/storage-ddf-file.md @@ -1,13 +1,6 @@ --- title: Storage DDF file description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 90fb91e0bd..3793140f08 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -1,14 +1,7 @@ --- title: SUPL CSP description: Learn more about the SUPL CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 3d0aa1baf9..e489dea63b 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -1,14 +1,7 @@ --- title: SUPL DDF file description: View the XML file containing the device description framework (DDF) for the SUPL configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 4c9892dc4c..553037a410 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -1,14 +1,7 @@ --- title: SurfaceHub CSP description: Learn more about the SurfaceHub CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 2519ecf5d4..4bfee13fce 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -1,14 +1,7 @@ --- title: SurfaceHub DDF file description: View the XML file containing the device description framework (DDF) for the SurfaceHub configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index 97551d7680..f9abc97d80 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -1,14 +1,7 @@ --- title: TenantLockdown CSP description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 08/13/2018 -ms.reviewer: -manager: aaroncz --- # TenantLockdown CSP diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md index 3aa78e83a1..05bf7451c6 100644 --- a/windows/client-management/mdm/tenantlockdown-ddf.md +++ b/windows/client-management/mdm/tenantlockdown-ddf.md @@ -1,14 +1,7 @@ --- title: TenantLockdown DDF file description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP). -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 08/13/2018 -ms.reviewer: -manager: aaroncz --- # TenantLockdown DDF file diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 5486abb6d0..299b1077a8 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -1,14 +1,7 @@ --- title: TPMPolicy CSP description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 11/01/2017 -ms.reviewer: -manager: aaroncz --- # TPMPolicy CSP diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md index 2987a036eb..ae8d4f38f6 100644 --- a/windows/client-management/mdm/tpmpolicy-ddf-file.md +++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md @@ -1,14 +1,7 @@ --- title: TPMPolicy DDF file description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP). -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 -ms.reviewer: -manager: aaroncz --- # TPMPolicy DDF file diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index a818eb9880..e3e130ee43 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -1,14 +1,7 @@ --- title: UEFI CSP description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 10/02/2018 -ms.reviewer: -manager: aaroncz --- # UEFI CSP diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md index dde7789737..3ce949f7c8 100644 --- a/windows/client-management/mdm/uefi-ddf.md +++ b/windows/client-management/mdm/uefi-ddf.md @@ -1,14 +1,7 @@ --- title: UEFI DDF file description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP). -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 10/02/2018 -ms.reviewer: -manager: aaroncz --- # UEFI DDF file diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index b35a740976..1df0f1e524 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -1,13 +1,6 @@ --- title: UnifiedWriteFilter CSP description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md index ffaf61bb19..3e28dc3252 100644 --- a/windows/client-management/mdm/unifiedwritefilter-ddf.md +++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md @@ -1,13 +1,6 @@ --- title: UnifiedWriteFilter DDF File description: UnifiedWriteFilter DDF File -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md index cfaae48b05..183576910e 100644 --- a/windows/client-management/mdm/universalprint-csp.md +++ b/windows/client-management/mdm/universalprint-csp.md @@ -1,14 +1,8 @@ --- title: UniversalPrint CSP description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/02/2022 ms.reviewer: jimwu -manager: aaroncz --- # UniversalPrint CSP diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md index 3d3fdc2426..e1a1037685 100644 --- a/windows/client-management/mdm/universalprint-ddf-file.md +++ b/windows/client-management/mdm/universalprint-ddf-file.md @@ -1,14 +1,8 @@ --- title: UniversalPrint DDF file description: UniversalPrint DDF file -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/02/2022 ms.reviewer: jimwu -manager: aaroncz --- # UniversalPrint DDF file diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index e825289b3c..ab540156f2 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -1,13 +1,6 @@ --- title: Update CSP description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 11/16/2023 --- diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index a1ba78b157..186bfc4f22 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md @@ -1,13 +1,6 @@ --- title: Update DDF file description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 02/23/2018 --- diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 4f43fb1e32..da946f07ea 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -1,13 +1,6 @@ --- title: VPN CSP description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 04/02/2017 --- diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md index f3df5126a9..81e88ca2b9 100644 --- a/windows/client-management/mdm/vpn-ddf-file.md +++ b/windows/client-management/mdm/vpn-ddf-file.md @@ -1,13 +1,6 @@ --- title: VPN DDF file description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 3e5e3a5468..58d6463c97 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -1,14 +1,7 @@ --- title: VPNv2 CSP description: Learn more about the VPNv2 CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index 20a3da3401..badf9f29e6 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -1,14 +1,7 @@ --- title: VPNv2 DDF file description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 6b33ccc664..a84f2bf593 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -1,13 +1,6 @@ --- title: w4 APPLICATION CSP description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 0c5e7f4cd5..28acb291e9 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -1,13 +1,6 @@ --- title: w7 APPLICATION CSP description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index d7b549f5e8..da583b8cd9 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -1,14 +1,7 @@ --- title: WiFi CSP description: Learn more about the WiFi CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index 6fe4d9867a..a0ff37f35e 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -1,14 +1,7 @@ --- title: WiFi DDF file description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index d76120673d..0c9cc388d4 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -1,13 +1,6 @@ --- title: Win32AppInventory CSP description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md index 413f6927a8..c30f6ba4a9 100644 --- a/windows/client-management/mdm/win32appinventory-ddf-file.md +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md @@ -1,13 +1,6 @@ --- title: Win32AppInventory DDF file description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP). -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index 72e4dc7e0d..0e9a1dd3b8 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -1,14 +1,7 @@ --- title: Win32CompatibilityAppraiser CSP description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 07/19/2018 -ms.reviewer: -manager: aaroncz --- # Win32CompatibilityAppraiser CSP diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md index 2412d86ade..6e1017cd32 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md @@ -1,14 +1,7 @@ --- title: Win32CompatibilityAppraiser DDF file description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider. -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 07/19/2018 -ms.reviewer: -manager: aaroncz --- # Win32CompatibilityAppraiser DDF file diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index ab6d3cfd03..040365664e 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -1,13 +1,6 @@ --- title: WindowsAdvancedThreatProtection CSP description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 1e3460593d..9486c07290 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md @@ -2,13 +2,6 @@ title: WindowsAdvancedThreatProtection DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP). ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 7a34b0a995..788144001b 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -1,13 +1,6 @@ --- title: WindowsAutopilot CSP description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 05/09/2022 --- diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index 88313274a6..86b4d615ca 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -1,14 +1,7 @@ --- title: WindowsAutopilot DDF file description: Learn how, without the ability to mark a device as remediation required, the device will remain in a broken state for the WindowsAutopilot DDF file configuration service provider (CSP). -ms.author: vinpa -ms.topic: reference -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft ms.date: 02/07/2022 -ms.reviewer: -manager: aaroncz --- # WindowsAutopilot DDF file diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 0261c3b007..10546d7713 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -1,14 +1,7 @@ --- title: WindowsDefenderApplicationGuard CSP description: Learn more about the WindowsDefenderApplicationGuard CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index 233de242bb..bdee83a712 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,14 +1,7 @@ --- title: WindowsDefenderApplicationGuard DDF file description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 156b999f6d..f880dd265e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -1,14 +1,7 @@ --- title: WindowsLicensing CSP description: Learn more about the WindowsLicensing CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index fae5beb908..2830112994 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -1,14 +1,7 @@ --- title: WindowsLicensing DDF file description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index a609a45d59..12bac7c750 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -1,14 +1,7 @@ --- title: WiredNetwork CSP description: Learn more about the WiredNetwork CSP. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 08/10/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index e59398aa57..ba3a3845ed 100644 --- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md @@ -1,14 +1,7 @@ --- title: WiredNetwork DDF file description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider. -author: vinaypamnani-msft -manager: aaroncz -ms.author: vinpa -ms.date: 12/06/2023 -ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-manage -ms.topic: reference +ms.date: 01/18/2024 --- diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index c69c1fb951..5d0537216a 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md @@ -1,7 +1,7 @@ --- title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 ms.collection: - highpri diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md index 4ed6e26aaf..dcfbdeb34b 100644 --- a/windows/client-management/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md @@ -1,7 +1,7 @@ --- title: What's new in MDM enrollment and management description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices. -ms.topic: article +ms.topic: conceptual ms.localizationpriority: medium ms.date: 08/10/2023 --- diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md index ad62b88273..3d1ff0619c 100644 --- a/windows/client-management/oma-dm-protocol-support.md +++ b/windows/client-management/oma-dm-protocol-support.md @@ -1,7 +1,7 @@ --- title: OMA DM protocol support description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md index 39e4133d55..0d3a3b1a1d 100644 --- a/windows/client-management/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/on-premise-authentication-device-enrollment.md @@ -1,7 +1,7 @@ --- title: On-premises authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md index d449bbfa9f..0ac4310aab 100644 --- a/windows/client-management/push-notification-windows-mdm.md +++ b/windows/client-management/push-notification-windows-mdm.md @@ -1,7 +1,7 @@ --- title: Push notification support for device management description: The DMClient CSP supports the ability to configure push-initiated device management sessions. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md index e3cafbd896..6b3a303e0a 100644 --- a/windows/client-management/server-requirements-windows-mdm.md +++ b/windows/client-management/server-requirements-windows-mdm.md @@ -1,7 +1,7 @@ --- title: Server requirements for using OMA DM to manage Windows devices description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md index c239b9d0fd..170d213948 100644 --- a/windows/client-management/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md @@ -1,7 +1,7 @@ --- title: Structure of OMA DM provisioning files description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md index e7bccddb07..7b80861923 100644 --- a/windows/client-management/understanding-admx-backed-policies.md +++ b/windows/client-management/understanding-admx-backed-policies.md @@ -1,7 +1,7 @@ --- title: Understanding ADMX policies description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md index 4c631e20f5..5fc0485080 100644 --- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md @@ -1,7 +1,7 @@ --- title: Using PowerShell scripting with the WMI Bridge Provider description: This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md index 0cab615908..ff1887a640 100644 --- a/windows/client-management/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md @@ -1,7 +1,7 @@ --- title: Win32 and Desktop Bridge app ADMX policy Ingestion description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md index e3503a278f..03c28bfba7 100644 --- a/windows/client-management/windows-mdm-enterprise-settings.md +++ b/windows/client-management/windows-mdm-enterprise-settings.md @@ -1,7 +1,7 @@ --- title: Enterprise settings and policy management description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md index ab34b9d0c7..81c71bd5ba 100644 --- a/windows/client-management/wmi-providers-supported-in-windows.md +++ b/windows/client-management/wmi-providers-supported-in-windows.md @@ -1,7 +1,7 @@ --- title: WMI providers supported in Windows description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). -ms.topic: article +ms.topic: conceptual ms.date: 08/10/2023 --- diff --git a/windows/configuration/cortana-at-work/includes/cortana-deprecation.md b/windows/configuration/cortana-at-work/includes/cortana-deprecation.md index c5ad2bd22a..2b233464ea 100644 --- a/windows/configuration/cortana-at-work/includes/cortana-deprecation.md +++ b/windows/configuration/cortana-at-work/includes/cortana-deprecation.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 06/08/2023 ms.localizationpriority: medium diff --git a/windows/configuration/images/insider.png b/windows/configuration/images/insider.png new file mode 100644 index 0000000000..dbe00408cb Binary files /dev/null and b/windows/configuration/images/insider.png differ diff --git a/windows/configuration/includes/insider-note.md b/windows/configuration/includes/insider-note.md new file mode 100644 index 0000000000..a1160f8047 --- /dev/null +++ b/windows/configuration/includes/insider-note.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.topic: include +ms.date: 01/11/2024 +--- + +:::row::: +:::column span="1"::: +:::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false"::: +:::column-end::: +:::column span="3"::: +> [!IMPORTANT] +>This article describes features or settings that are under development and only applicable to [Windows Insider Preview builds](/windows-insider/). The content is subject to change and may have dependencies on other features or services in preview. +:::column-end::: +:::row-end::: diff --git a/windows/configuration/includes/multi-app-kiosk-support-windows11.md b/windows/configuration/includes/multi-app-kiosk-support-windows11.md index 7f90909404..10bfe16e1d 100644 --- a/windows/configuration/includes/multi-app-kiosk-support-windows11.md +++ b/windows/configuration/includes/multi-app-kiosk-support-windows11.md @@ -4,7 +4,7 @@ ms.author: aaroncz ms.date: 09/21/2021 ms.reviewer: manager: aaroncz -ms.prod: w10 +ms.service: windows-client ms.topic: include --- diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 7dc2ae5f02..d722a89cf2 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -24,7 +24,7 @@ ms.date: 12/31/2017 Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: -- **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. +- **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk doesn't run above the lock screen. @@ -32,10 +32,7 @@ Some desktop devices in an enterprise serve a special purpose. For example, a PC - **A multi-app kiosk**: Runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. - > [!NOTE] - > [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] - - A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. + A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device. ![Illustration of a kiosk Start screen that runs multiple apps on a Windows client device.](images/kiosk-desktop.png) diff --git a/windows/configuration/lock-down-windows-11-to-specific-apps.md b/windows/configuration/lock-down-windows-11-to-specific-apps.md index e8f41d7572..ad6bdff78f 100644 --- a/windows/configuration/lock-down-windows-11-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-11-to-specific-apps.md @@ -151,7 +151,7 @@ The following example allows Photos, Weather, Calculator, Paint, and Notepad app - + ``` diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md index e5fbf3eb4f..a26d33e3b2 100644 --- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md +++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md @@ -4,8 +4,8 @@ description: Diagnose general failures in provisioning. manager: aaroncz ms.author: lizlong ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage +ms.service: windows-client +ms.subservice: itpro-manage author: lizgt2000 ms.date: 01/18/2023 --- diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 7600808ed5..e9b63e1772 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -41,9 +41,10 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE **Example of secondary tiles in XML generated by Export-StartLayout** + ```xml ``` - - ## Export Start layout and assets 1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#customize-the-start-screen-on-your-test-computer) to customize the Start screen on your test computer. @@ -130,6 +129,7 @@ In Microsoft Intune, you create a device restrictions policy to apply to device The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. + 1. Copy the contents of layout.xml into an online tool that escapes characters. 2. Copy the contents of assets.xml into an online tool that escapes characters. @@ -139,6 +139,7 @@ The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce #### Create a provisioning package that contains a customized Start layout + Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md) >[!IMPORTANT] diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 06776b853a..8158e2b359 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -335,8 +335,8 @@ items: - name: Resolve upgrade errors items: - - name: Resolve Windows client upgrade errors - href: upgrade/resolve-windows-10-upgrade-errors.md + - name: Resolve Windows upgrade errors + href: upgrade/resolve-windows-upgrade-errors.md - name: Quick fixes href: /troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json - name: SetupDiag @@ -406,22 +406,6 @@ href: configure-a-pxe-server-to-load-windows-pe.md - name: Windows ADK for Windows 10 scenarios for IT Pros href: windows-adk-scenarios-for-it-pros.md - - name: Windows To Go - items: - - name: Deploy Windows To Go in your organization - href: deploy-windows-to-go.md - - name: "Windows To Go: feature overview" - href: planning/windows-to-go-overview.md - - name: Best practice recommendations for Windows To Go - href: planning/best-practice-recommendations-for-windows-to-go.md - - name: Deployment considerations for Windows To Go - href: planning/deployment-considerations-for-windows-to-go.md - - name: Prepare your organization for Windows To Go - href: planning/prepare-your-organization-for-windows-to-go.md - - name: Security and data protection considerations for Windows To Go - href: planning/security-and-data-protection-considerations-for-windows-to-go.md - - name: "Windows To Go: frequently asked questions" - href: planning/windows-to-go-frequently-asked-questions.yml - name: User State Migration Tool (USMT) technical reference items: - name: USMT overview articles @@ -592,4 +576,4 @@ - name: Install fonts in Windows client href: windows-10-missing-fonts.md - name: Customize Windows PE boot images - href: customize-boot-image.md + href: customize-boot-image.md \ No newline at end of file diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md index 674bd00551..76f8e035a8 100644 --- a/windows/deployment/Windows-AutoPilot-EULA-note.md +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md @@ -1,7 +1,7 @@ --- title: Windows Autopilot EULA dismissal – important information description: A notice about EULA dismissal through Windows Autopilot -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium ms.date: 11/23/2022 author: frankroj @@ -9,7 +9,7 @@ ms.author: frankroj manager: aaroncz ROBOTS: NOINDEX ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Windows Autopilot EULA dismissal – important information diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index f3f16802b4..8afd2c00f8 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -1,14 +1,14 @@ --- title: Configure a PXE server to load Windows PE (Windows 10) description: This article describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj manager: aaroncz ms.author: frankroj ms.topic: article ms.date: 11/23/2022 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Configure a PXE server to load Windows PE diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index 3b52b209f3..fc07e5a9ba 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md @@ -1,14 +1,14 @@ --- title: Customize Windows PE boot images description: This article describes how to customize a Windows PE (WinPE) boot image including updating with the latest cumulative update, adding drivers, and adding optional components. -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj manager: aaroncz ms.author: frankroj ms.topic: article ms.date: 09/05/2023 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index f94f31723e..8208704491 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -4,8 +4,8 @@ description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise lice author: frankroj ms.author: frankroj manager: aaroncz -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.localizationpriority: medium ms.topic: how-to ms.collection: diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index b8025d4dc9..08eca15252 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -3,12 +3,12 @@ title: Deploy Windows 10 with Microsoft 365 manager: aaroncz ms.author: frankroj description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365. -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article ms.date: 11/23/2022 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Deploy Windows 10 with Microsoft 365 diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index d42a253d04..2c8c4d9c52 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -2,8 +2,8 @@ title: What's new in Windows client deployment description: Use this article to learn about new solutions and online content related to deploying Windows in your organization. ms.localizationpriority: medium -ms.prod: windows-client -ms.technology: itpro-deploy +ms.service: windows-client +ms.subservice: itpro-deploy author: frankroj manager: aaroncz ms.author: frankroj @@ -11,7 +11,7 @@ ms.topic: conceptual ms.collection: - highpri - tier2 -ms.date: 11/17/2023 +ms.date: 01/18/2024 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -21,7 +21,7 @@ appliesto: This article provides an overview of new solutions and online content related to deploying Windows client in your organization. -- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). +- For an all-up overview of new features in Windows, see [What's new in Windows](/windows/whats-new/). ## [Preview] Windows Autopilot diagnostics page @@ -88,9 +88,9 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - **Intune console updates**: target version is now available allowing you to specify which supported version of Windows you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. -- **Validation improvements**: To ensure devices and end users stay productive and protected, Microsoft blocks devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, a new policy is available that enables admins to opt devices out of the built-in safeguard holds. +- **Validation improvements**: To ensure devices and end users stay productive and protected, Microsoft blocks devices from updating when there are known issues affect that device. Also, to better enable IT administrators to validate on the latest release, a new policy is available that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and locks their device in order to complete the update. This automatic sign-on ensures that when the user returns and unlocks the device, the update is completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and locks their device in order to complete the update. Automatic sign-on ensures that when the user returns and unlocks the device, the update is completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. @@ -106,7 +106,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the following table: -![Support lifecycle.](images/support-cycle.png) +:::image type="content" alt-text="Support lifecycle." source="images/support-cycle.png"::: ## Windows 10 Enterprise upgrade @@ -158,8 +158,8 @@ Input from the community heavily influenced the development of Upgrade Readiness For more information about Upgrade Readiness, see the following articles: -- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/) -- [Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) +- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/). +- [Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview). ### Update Compliance @@ -215,7 +215,7 @@ For more information, see the following guides: ## Troubleshooting guidance -[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and continues to be updated with new fixes. The article provides a detailed explanation of the Windows upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process. +[Resolve Windows upgrade errors](upgrade/resolve-windows-upgrade-errors.md) was published in October of 2016 and continues to be updated with new fixes. The article provides a detailed explanation of the Windows upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process. ## Related articles diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index 94c3d4ad20..c5ed56316b 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -3,11 +3,11 @@ title: Add a Windows 10 operating system image using Configuration Manager description: Operating system images are typically the production image used for deployment throughout the organization. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 49a76b890d..40fdcea0df 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -3,11 +3,11 @@ title: Add drivers to a Windows 10 deployment with Windows PE using Configuratio description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 8c9f73f7e0..da7c70c515 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -3,11 +3,11 @@ title: Create a custom Windows PE boot image with Configuration Manager (Windows description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Configuration Manager. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index 95074a8b3d..af5baf8233 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -3,11 +3,11 @@ title: Create a task sequence with Configuration Manager (Windows 10) description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 8c8f05cc7c..7159edcbe3 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -3,11 +3,11 @@ title: Create an app to deploy with Windows 10 using Configuration Manager description: Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index e3a76f89f8..648a274ad0 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -3,11 +3,11 @@ title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) description: In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 603cdd71f6..4929876f5a 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -3,11 +3,11 @@ title: Finalize operating system configuration for Windows 10 deployment description: This article provides a walk-through to finalize the configuration of your Windows 10 operating deployment. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 2cbc8a589e..42526dd62d 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -3,11 +3,11 @@ title: Prepare for Zero Touch Installation of Windows 10 with Configuration Mana description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: how-to -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 2ea7c6d6a7..e31c4ebfb5 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -3,11 +3,11 @@ title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manage description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index f2a38e6125..48c9e2bcbb 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -3,11 +3,11 @@ title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manage description: In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index 9de18e31aa..f74e065856 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md @@ -3,11 +3,11 @@ title: Perform in-place upgrade to Windows 10 via Configuration Manager description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Configuration Manager task sequence. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-mdt/TOC.yml b/windows/deployment/deploy-windows-mdt/TOC.yml deleted file mode 100644 index 51493a1083..0000000000 --- a/windows/deployment/deploy-windows-mdt/TOC.yml +++ /dev/null @@ -1,40 +0,0 @@ -- name: Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT) - items: - - name: Get started with MDT - href: get-started-with-the-microsoft-deployment-toolkit.md - - name: Deploy Windows 10 with MDT - items: - - name: Prepare for deployment with MDT - href: prepare-for-windows-deployment-with-mdt.md - - name: Create a Windows 10 reference image - href: create-a-windows-10-reference-image.md - - name: Deploy a Windows 10 image using MDT - href: deploy-a-windows-10-image-using-mdt.md - - name: Build a distributed environment for Windows 10 deployment - href: build-a-distributed-environment-for-windows-10-deployment.md - - name: Refresh a Windows 7 computer with Windows 10 - href: refresh-a-windows-7-computer-with-windows-10.md - - name: Replace a Windows 7 computer with a Windows 10 computer - href: replace-a-windows-7-computer-with-a-windows-10-computer.md - - name: Perform an in-place upgrade to Windows 10 with MDT - href: upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md - - name: Customize MDT - items: - - name: Configure MDT settings - href: configure-mdt-settings.md - - name: Set up MDT for BitLocker - href: set-up-mdt-for-bitlocker.md - - name: Configure MDT deployment share rules - href: configure-mdt-deployment-share-rules.md - - name: Configure MDT for UserExit scripts - href: configure-mdt-for-userexit-scripts.md - - name: Simulate a Windows 10 deployment in a test environment - href: simulate-a-windows-10-deployment-in-a-test-environment.md - - name: Use the MDT database to stage Windows 10 deployment information - href: use-the-mdt-database-to-stage-windows-10-deployment-information.md - - name: Assign applications using roles in MDT - href: assign-applications-using-roles-in-mdt.md - - name: Use web services in MDT - href: use-web-services-in-mdt.md - - name: Use Orchestrator runbooks with MDT - href: use-orchestrator-runbooks-with-mdt.md diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md deleted file mode 100644 index 1f8a403732..0000000000 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ /dev/null @@ -1,136 +0,0 @@ ---- -title: Assign applications using roles in MDT (Windows 10) -description: This article will show you how to add applications to a role in the MDT database and then assign that role to a computer. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Assign applications using roles in MDT - -This article will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this article, the application we're adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. - -## Create and assign a role entry in the database - -1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. - -2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: - - 1. Role name: Standard PC - 2. Applications / Lite Touch Applications: - 3. Install - Adobe Reader XI - x86 - -![figure 12.](../images/mdt-09-fig12.png) - -Figure 12. The Standard PC role with the application added - -## Associate the role with a computer in the database - -After creating the role, you can associate it with one or more computer entries. - -1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. - -2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: - - Roles: Standard PC - -![figure 13.](../images/mdt-09-fig13.png) - -Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database). - -## Verify database access in the MDT simulation environment - -When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications aren't installed, but you can see which applications would be installed if you did a full deployment of the computer. - -1. On PC0001, log on as **CONTOSO\\MDT\_BA**. - -2. Modify the C:\\MDT\\CustomSettings.ini file to look like below: - - ```ini - [Settings] - Priority=CSettings, CRoles, RApplications, Default - [Default] - _SMSTSORGNAME=Contoso - OSInstall=Y - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - AdminPassword=P@ssw0rd - JoinDomain=contoso.com - DomainAdmin=CONTOSO\MDT_JD - DomainAdminPassword=P@ssw0rd - MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com - SLShare=\\MDT01\Logs$ - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=NO - SkipDomainMembership=YES - SkipUserData=NO - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - EventService=http://MDT01:9800 - [CSettings] - SQLServer=MDT01 - Instance=SQLEXPRESS - Database=MDT - Netlib=DBNMPNTW - SQLShare=Logs$ - Table=ComputerSettings - Parameters=UUID, AssetTag, SerialNumber, MacAddress - ParameterCondition=OR - [CRoles] - SQLServer=MDT01 - Instance=SQLEXPRESS - Database=MDT - Netlib=DBNMPNTW - SQLShare=Logs$ - Table=ComputerRoles - Parameters=UUID, AssetTag, SerialNumber, MacAddress - ParameterCondition=OR - [RApplications] - SQLServer=MDT01 - Instance=SQLEXPRESS - Database=MDT - Netlib=DBNMPNTW - SQLShare=Logs$ - Table=RoleApplications - Parameters=Role - Order=Sequence - ``` - -3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: - - ```powershell - Set-Location C:\MDT - .\Gather.ps1 - - ``` - -![figure 14.](../images/mdt-09-fig14.png) - -Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine. - -## Related articles - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md deleted file mode 100644 index dbfe7666fd..0000000000 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ /dev/null @@ -1,304 +0,0 @@ ---- -title: Build a distributed environment for Windows 10 deployment (Windows 10) -description: In this article, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Build a distributed environment for Windows 10 deployment - -**Applies to:** - -- Windows 10 - -Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. - -Four computers are used in this article: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. - -For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - -![figure 1.](../images/mdt-10-fig01.png) - -Computers used in this article. - -> [!NOTE] -> HV01 is also used in this topic to host the PC0006 virtual machine. - -## Replicate deployment shares - -Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. - -> [!NOTE] -> Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. - -### Linked deployment shares in MDT - -LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option. - -### Why DFS-R is a better option - -DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your main deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. - -## Set up Distributed File System Replication (DFS-R) for replication - -Setting up DFS-R for replication is a quick and straightforward process: Prepare the deployment servers, create a replication group, then configure some replication settings. - -### Prepare MDT01 for replication - -On **MDT01**: - -1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt: - - ```powershell - Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools - ``` - -2. Wait for installation to complete, and then verify that the installation was successful. See the following output: - -```output -PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools - -Success Restart Needed Exit Code Feature Result -------- -------------- --------- -------------- -True No Success {DFS Replication, DFS Management Tools, Fi... -``` - -### Prepare MDT02 for replication - -On **MDT02**: - -1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt: - - ```powershell - Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools - ``` - -2. Wait for installation to complete, and then verify that the installation was successful. See the following output: - -```output -PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools - -Success Restart Needed Exit Code Feature Result -------- -------------- --------- -------------- -True No Success {DFS Replication, DFS Management Tools, Fi... -``` - -### Create the MDTProduction folder on MDT02 - -On **MDT02**: - -1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt: - - ```powershell - mkdir d:\MDTProduction - New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction" - ``` - -2. You should see the following output: - - ```output - C:\> New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction" - - Name ScopeName Path Description - ---- --------- ---- ----------- - MDTProduction$ * D:\MDTProduction - ``` - -### Configure the deployment share - -When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the **DefaultGateway** property. - -On **MDT01**: - -1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the `Boostrap.ini` file as follows. Under `[DefaultGateway]` enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. - - ```ini - [Settings] - Priority=DefaultGateway, Default - - [DefaultGateway] - 10.10.10.1=NewYork - 10.10.20.1=Stockholm - - [NewYork] - DeployRoot=\\MDT01\MDTProduction$ - - [Stockholm] - DeployRoot=\\MDT02\MDTProduction$ - - [Default] - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - - > [!NOTE] - > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). - -2. Save the `Bootstrap.ini` file. - -3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes. - -4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**. - -5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings. - - ![figure 5.](../images/mdt-10-fig05.png) - - Replacing the updated boot image in WDS. - - > [!TIP] - > If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. - -## Replicate the content - -Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication. - -### Create the replication group - -1. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**. - -2. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**. - -3. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**. - -4. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**. - - ![figure 6.](../images/mdt-10-fig06.png) - - Adding the Replication Group Members. - -5. On the **Topology Selection** page, select the **Full mesh** option and select **Next**. - -6. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**. - -7. On the **Primary Member** page, select **MDT01** and select **Next**. - -8. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**. - -9. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**. - -10. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**. - -11. On the **Review Settings and Create Replication Group** page, select **Create**. - -12. On the **Confirmation** page, select **Close**. - -### Configure replicated folders - -1. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**. - -2. In the middle pane, right-click the **MDT01** member and select **Properties**. - -3. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**: - - 1. In the **Staging** tab, set the quota to **20480 MB**. - - 2. In the **Advanced** tab, set the quota to **8192 MB**. - - In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share: - - ```powershell - (Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB - ``` - -4. In the middle pane, right-click the **MDT02** member and select **Properties**. - -5. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**: - 1. In the **Staging** tab, set the quota to **20480 MB**. - - 2. In the **Advanced** tab, set the quota to **8192 MB**. - - > [!NOTE] - > It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. - -6. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt: - - ```cmd - C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary - MemName IsPrimary - MDT01 Yes - MDT02 No - ``` - -### Verify replication - -On **MDT02**: - -1. Wait until you start to see content appear in the **D:\\MDTProduction** folder. - -2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**. - -3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and select **Next**. - -4. On the **Path and Name** page, accept the default settings and select **Next**. - -5. On the **Members to Include** page, accept the default settings and select **Next**. - -6. On the **Options** page, accept the default settings and select **Next**. - -7. On the **Review Settings and Create Report** page, select **Create**. - -8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option. - - ![figure 9.](../images/mdt-10-fig09.png) - The DFS Replication Health Report. - - > [!NOTE] - > If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. - -## Configure Windows Deployment Services (WDS) in a remote site - -Like you did in the previous article for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02. - -1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**. - -2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. - -## Deploy a Windows 10 client to the remote site - -Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure. - -> [!NOTE] -> For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the `Boostrap.ini` file. - -1. Create a virtual machine with the following settings: - - 1. **Name**: PC0006 - 2. **Location**: C:\\VMs - 3. **Generation**: 2 - 4. **Memory**: 2048 MB - 5. **Hard disk**: 60 GB (dynamic disk) - 6. Install an operating system from a network-based installation server - -2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server. - -3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - 2. Computer Name: PC0006 - 3. Applications: Select the Install - Adobe Reader - -4. Setup will now start and perform the following steps: - - 1. Install the Windows 10 Enterprise operating system. - 2. Install applications. - 3. Update the operating system using your local Windows Server Update Services (WSUS) server. - -![pc0001.](../images/pc0006.png) - -## Related articles - -- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) -- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md deleted file mode 100644 index 36f7e1544c..0000000000 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ /dev/null @@ -1,116 +0,0 @@ ---- -title: Configure MDT deployment share rules (Windows 10) -description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Configure MDT deployment share rules - -In this article, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. - -## Assign settings - -When using MDT, you can assign setting in three distinct ways: - -- You can pre-stage the information before deployment. -- You can prompt the user or technician for information. -- You can have MDT generate the settings automatically. - -In order to illustrate these three options, let's look at some sample configurations. - -## Sample configurations - -Before adding the more advanced components like scripts, databases, and web services, consider the commonly used configurations below; they demonstrate the power of the rules engine. - -### Set computer name by MAC Address - -If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. When you have many machines, it makes sense to use the database instead. - -```ini -[Settings] -Priority=MacAddress, Default -[Default] -OSInstall=YES -[00:15:5D:85:6B:00] -OSDComputerName=PC00075 -``` - -In the preceding sample, you set the PC00075 computer name for a machine with a MAC Address of 00:15:5D:85:6B:00. - -### Set computer name by serial number - -Another way to assign a computer name is to identify the machine via its serial number. - -```ini -[Settings] -Priority=SerialNumber, Default -[Default] -OSInstall=YES -[CND0370RJ7] -OSDComputerName=PC00075 -``` - -In this sample, you set the PC00075 computer name for a machine with a serial number of CND0370RJ7. - -### Generate a computer name based on a serial number - -You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly. - -```ini -[Settings] -Priority=Default -[Default] -OSInstall=YES -OSDComputerName=PC-%SerialNumber% -``` - -In this sample, you configure the rules to set the computer name to a prefix (PC-) and then the serial number. If the serial number of the machine is CND0370RJ7, the preceding configuration sets the computer name to PC-CND0370RJ7. - -> [!NOTE] -> Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters. - -### Generate a limited computer name based on a serial number - -To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows: - -```ini -[Settings] -Priority=Default -[Default] -OSInstall=YES -OSDComputerName=PC-#Left("%SerialNumber%",12)# -``` - -In the preceding sample, you still configure the rules to set the computer name to a prefix (PC-) followed by the serial number. However, by adding the Left VBScript function, you configure the rule to use only the first 12 serial-number characters for the name. - -### Add laptops to a different organizational unit (OU) in Active Directory - -In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read. - -```ini -[Settings] -Priority=ByLaptopType, Default -[Default] -MachineObjectOU=OU=Workstations,OU=Contoso,DC=contoso,DC=com -[ByLaptopType] -Subsection=Laptop-%IsLaptop% -[Laptop-True] -MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com -``` - -## Related articles - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md deleted file mode 100644 index 443854bdd5..0000000000 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Configure MDT for UserExit scripts (Windows 10) -description: In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Configure MDT for UserExit scripts - -In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address. - -## Configure the rules to call a UserExit script - -You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder). - -```ini -[Settings] -Priority=Default -[Default] -OSINSTALL=YES -UserExit=Setname.vbs -OSDComputerName=#SetName("%MACADDRESS%")# -``` - -The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample, the %MACADDRESS% variable is passed to the script - -## The Setname.vbs UserExit script - -The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address. - -```vb -Function UserExit(sType, sWhen, sDetail, bSkip) - UserExit = Success -End Function -Function SetName(sMac) - Dim re - Set re = new RegExp - re.IgnoreCase = true - re.Global = true - re.Pattern = ":" - SetName = "PC" & re.Replace(sMac, "") -End Function -``` - -The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value. - -> [!NOTE] -> The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. - -## Related articles - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md deleted file mode 100644 index 167059f1e7..0000000000 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Configure MDT settings - -One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this article, you learn about configuring customizations for your environment. -For the purposes of this article, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). - -![figure 1.](../images/mdt-09-fig01.png) - -The computers used in this article. - -## In this section - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) - -## Related articles - -- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) -- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) -- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md deleted file mode 100644 index 7100f080ec..0000000000 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ /dev/null @@ -1,775 +0,0 @@ ---- -title: Create a Windows 10 reference image (Windows 10) -description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Create a Windows 10 reference image - -**Applies to:** - -- Windows 10 - -Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this article, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this article, you 'll have a Windows 10 reference image that can be used in your deployment solution. - -> [!NOTE] -> For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - -For the purposes of this article, we'll use three computers: DC01, MDT01, and HV01. - -- DC01 is a domain controller for the contoso.com domain. -- MDT01 is a contoso.com domain member server. -- HV01 is a Hyper-V server that will be used to build the reference image. - - ![devices.](../images/mdt-08-fig01.png) - Computers used in this article. - -## The reference image - -The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are: - -- To reduce development time and can use snapshots to test different configurations quickly. -- To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related. -- To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. -- The image is easy to move between lab, test, and production. - -## Set up the MDT build lab deployment share - -With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. - -### Create the MDT build lab deployment share - -On **MDT01**: - -1. Sign in as **contoso\\administrator** using a password of **pass@word1** (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article). - -2. Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access. - -3. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. - -4. Use the following settings for the New Deployment Share Wizard: - - - Deployment share path: **D:\\MDTBuildLab** - - Share name: **MDTBuildLab$** - - Deployment share description: **MDT Build Lab** - -5. Accept the default selections on the Options page and select **Next**. - -6. Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**. - -7. Verify that you can access the **\\\\MDT01\\MDTBuildLab$** share. - - ![figure 2.](../images/mdt-08-fig02.png) - The Deployment Workbench with the MDT Build Lab deployment share. - -### Enable monitoring - -To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, select **Properties**, select the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. - -### Configure permissions for the deployment share - -In order to read files in the deployment share and write the reference image back to it, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder - -On **MDT01**: - -1. Ensure you're signed in as **contoso\\administrator**. - -2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: - - ```powershell - icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' - grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force - ``` - -## Add setup files - -This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. - -### Add the Windows 10 installation files - -MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft. - -> [!NOTE] -> Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. - -### Add Windows 10 Enterprise x64 (full source) - -On **MDT01**: - -1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD. - - ![ISO.](../images/iso-data.png) - -2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**. - -3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. - -4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: - - - Full set of source files - - Source directory: (location of your source files) - - Destination directory name: **W10EX64RTM** - -5. After adding the operating system, in the **Operating Systems** > **Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example. - - ![Default image.](../images/deployment-workbench01.png) - -> [!NOTE] -> Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work. - -## Add applications - -Before you create an MDT task sequence, you need to add applications and scripts you wish to install to the MDT Build Lab share. - -On **MDT01**: - -First, create an MDT folder to store the Microsoft applications that will be installed: - -1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications** - -2. Right-click **Applications** and then select **New Folder**. - -3. Under **Folder name**, type **Microsoft**. - -4. Select **Next** twice, and then select **Finish**. - -The steps in this section use a strict naming standard for your MDT applications. - -- Use the **Install -** prefix for typical application installations that run a setup installer of some kind. -- Use the **Configure -** prefix when an application configures a setting in the operating system. -- You also add an **- x86**, **- x64**, or **- x86-x64** suffix to indicate the application's architecture (some applications have installers for both architectures). - -Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. - -By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. - -In example sections, you 'll add the following applications: - -- Install - Microsoft Office 365 Pro Plus - x64 -- Install - Microsoft Visual C++ Redistributable 2019 - x86 -- Install - Microsoft Visual C++ Redistributable 2019 - x64 - ->The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261) - -Download links: - -- [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117) -- [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe) -- [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe) - -Download all three items in this list to the D:\\Downloads folder on MDT01. - -> [!NOTE] -> For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). - -> [!NOTE] -> All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. - -### Create configuration file: Microsoft Office 365 Professional Plus x64 - -1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted. - -2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename. - - For example, you can use the following configuration.xml file, which provides these configuration settings: - - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. - > [!NOTE] - > 64-bit is now the default and recommended edition. - - Use the General Availability Channel and get updates directly from the Office CDN on the internet. - - Perform a silent installation. You won't see anything that shows the progress of the installation and you won't see any error messages. - - ```xml - - - - - - - - - - ``` - - When you use these settings, anytime you build the reference image you'll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. - - > [!TIP] - > You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. - - For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). - -3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder: - - ![folder.](../images/office-folder.png) - -Assuming you've named the file `configuration.xml` as shown above, we'll use the command **`setup.exe /configure configuration.xml`** when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet. - -> [!IMPORTANT] -> After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. - -Additional information - -- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you're using). That means that once you've deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. - - > [!NOTE] - > With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user's device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won't have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) - -- When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you'll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you'll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. - -### Connect to the deployment share using Windows PowerShell - -If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in, and then make the deployment share a PowerShell drive (PSDrive). - -On **MDT01**: - -1. Ensure you're signed in as **contoso\\Administrator**. -2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: - - ```powershell - Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1" - New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "D:\MDTBuildLab" - ``` - -> [!TIP] -> Use `Get-Command -module MicrosoftDeploymentToolkit` to see a list of available cmdlets - -### Create the install: Microsoft Office 365 Pro Plus - x64 - -In these steps, we assume that you've downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. - -On **MDT01**: - -1. Ensure you're signed on as **contoso\\Administrator**. - -2. Create the application by running the following commands in an elevated PowerShell prompt: - - ```powershell - $ApplicationName = "Install - Office365 ProPlus - x64" - $CommandLine = "setup.exe /configure configuration.xml" - $ApplicationSourcePath = "D:\Downloads\Office365" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose - ``` - - Upon successful installation, the following text is displayed: - - ```output - VERBOSE: Performing the operation "import" on target "Application". - VERBOSE: Beginning application import - VERBOSE: Copying application source files from D:\Downloads\Office365 to D:\MDTBuildLab\Applications\Install - - Office365 ProPlus - x64 - VERBOSE: Creating new item named Install - Office365 ProPlus - x64 at DS001:\Applications\Microsoft. - - Name - ---- - Install - Office365 ProPlus - x64 - VERBOSE: Import processing finished. - ``` - -### Create the install: Microsoft Visual C++ Redistributable 2019 - x86 - -> [!NOTE] -> We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. - -In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. - -On **MDT01**: - -1. Ensure you're signed on as **contoso\\Administrator**. - -2. Create the application by running the following commands in an elevated PowerShell prompt: - - ```powershell - $ApplicationName = "Install - MSVC 2019 - x86" - $CommandLine = "vc_redist.x86.exe /Q" - $ApplicationSourcePath = "D:\Downloads" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose - ``` - - Upon successful installation, the following text is displayed: - - ```output - VERBOSE: Performing the operation "import" on target "Application". - VERBOSE: Beginning application import - VERBOSE: Copying application source files from D:\Downloads to D:\MDTBuildLab\Applications\Install - MSVC 2019 - x86 - VERBOSE: Creating new item named Install - MSVC 2019 - x86 at DS001:\Applications\Microsoft. - - Name - ---- - Install - MSVC 2019 - x86 - VERBOSE: Import processing finished. - ``` - -### Create the install: Microsoft Visual C++ Redistributable 2019 - x64 - -In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. - -On **MDT01**: - -1. Ensure you're signed on as **contoso\\Administrator**. - -2. Create the application by running the following commands in an elevated PowerShell prompt: - - ```powershell - $ApplicationName = "Install - MSVC 2019 - x64" - $CommandLine = "vc_redist.x64.exe /Q" - $ApplicationSourcePath = "D:\Downloads" - Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose - ``` - -## Create the reference image task sequence - -In order to build and capture your Windows 10 reference image for deployment using MDT, you 'll create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. -After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you're deploying. - -### Drivers and the reference image - -Because we use modern virtual platforms for creating our reference images, we don't need to worry about drivers when creating reference images for Windows 10. We use Hyper-V in our environment, and Windows Preinstallation Environment (Windows PE) already has all the needed drivers built-in for Hyper-V. - -### Create a task sequence for Windows 10 Enterprise - -To create a Windows 10 reference image task sequence, the process is as follows: - -On **MDT01**: - -1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. - -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - 1. **Task sequence ID**: REFW10X64-001 - 2. **Task sequence name**: Windows 10 Enterprise x64 RTM Default Image - 3. **Task sequence comments**: Reference Build - 4. **Template**: Standard Client Task Sequence - 5. **Select OS**: Windows 10 Enterprise x64 RTM Default Image - 6. **Specify Product Key**: Don't specify a product key at this time - 7. **Full Name**: Contoso - 8. **Organization**: Contoso - 9. **Internet Explorer home page**: `http://www.contoso.com` - 10. **Admin Password**: Don't specify an Administrator Password at this time - -### Edit the Windows 10 task sequence - -The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office365 ProPlus x64. - -On **MDT01**: - -1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**. - -2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings: - - **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box. - - - **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action. - - - **State Restore**: After the **Tattoo** action, add a new **Group** action (select **Add** then select **New Group**) with the following setting: - - Name: **Custom Tasks (Pre-Windows Update)** - - - **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**. - > [!NOTE] - > The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. - - - **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings: - - - **Name**: Install - Microsoft NET Framework 3.5.1 - - - **Select the operating system for which roles are to be installed**: Windows 10 - - - **Select the roles and features that should be installed**: .NET Framework 3.5 (includes .NET 2.0 and 3.0) - - > [!IMPORTANT] - > This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. - - ![task sequence.](../images/fig8-cust-tasks.png) - - The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action. - - - **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings: - - - **Name**: Microsoft Visual C++ Redistributable 2019 - x86 - - - **Install a Single Application**: browse to **Install - MSVC 2019 - x86** - - - Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well. - -3. Select **OK**. - - ![apps.](../images/mdt-apps.png) - -### Optional configuration: Add a suspend action - -The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you select the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. - - ![figure 8.](../images/fig8-suspend.png) - A task sequence with optional Suspend action (LTISuspend.wsf) added. - - ![figure 9.](../images/fig9-resumetaskseq.png) - The Windows 10 desktop with the Resume Task Sequence shortcut. - -### Edit the Unattend.xml file for Windows 10 Enterprise - -When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK). - -> [!WARNING] -> Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. - -> [!NOTE] -> You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing. - -Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: - -On **MDT01**: - -1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. - -2. In the **OS Info** tab, select **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. - - > [!IMPORTANT] - > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error **Could not load file or assembly** in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: - > - > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. - > - > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). - > - > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). - > - > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. - -3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. - -4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - - - **DisableDevTools**: true - -5. Save the Unattend.xml file, and close Windows SIM. - - > [!NOTE] - > If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. - -6. On the Windows 10 Enterprise x64 RTM Default Image Properties, select **OK**. - - ![figure 10.](../images/fig10-unattend.png) - Windows System Image Manager with the Windows 10 Unattend.xml. - -## Configure the MDT deployment share rules - -Understanding rules is critical to successfully using MDT. Rules are configured using the **Rules** tab of the deployment share's properties. The **Rules** tab is essentially a shortcut to edit the **CustomSettings.ini** file that exists in the **D:\\MDTBuildLab\\Control** folder. This section discusses how to configure the MDT deployment share rules as part of your Windows 10 Enterprise deployment. - -### MDT deployment share rules overview - -In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you select OK. - -To configure the rules for the MDT Build Lab deployment share: - -On **MDT01**: - -1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. - -2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: - - ```ini - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard Time - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - WSUSServer=http://mdt01.contoso.com:8530 - ApplyGPOPack=NO - SLSHARE=\\MDT01\Logs$ - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=YES - ``` - - ![figure 11.](../images/mdt-rules.png) - The server-side rules for the MDT Build Lab deployment share. - -3. Select **Edit Bootstrap.ini** and modify using the following information: - - ```ini - [Settings] - Priority=Default - - [Default] - DeployRoot=\\MDT01\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - - SkipBDDWelcome=YES - ``` - - > [!NOTE] - > For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. - -4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. - -5. In the **Lite Touch Boot Image Settings** area, configure the following settings: - - - **Image description**: MDT Build Lab x86 - - **ISO file name**: MDT Build Lab x86.iso - -6. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. - -7. In the **Lite Touch Boot Image Settings** area, configure the following settings: - - - **Image description**: MDT Build Lab x64 - - **ISO file name**: MDT Build Lab x64.iso - -8. Select **OK**. - -> [!NOTE] -> In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). - -### Update the deployment share - -After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created. - -1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. -2. Use the default options for the Update Deployment Share Wizard. - -> [!NOTE] -> The update process will take 5 to 10 minutes. - -### The rules explained - -Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. - -The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide enough information for MDT to find the CustomSettings.ini. - -The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). - -> [!NOTE] -> The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section. - -### The Bootstrap.ini file - -The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the D:\\MDTBuildLab\\Control folder on MDT01. - -```ini -[Settings] -Priority=Default -[Default] -DeployRoot=\\MDT01\MDTBuildLab$ -UserDomain=CONTOSO -UserID=MDT_BA -UserPassword=pass@word1 -SkipBDDWelcome=YES -``` - -So, what are these settings? - -- **Priority**: This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. - -- **DeployRoot**: This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. - -- **UserDomain, UserID, and UserPassword**: These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you. - - > [!WARNING] - > Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. - -- **SkipBDDWelcome**: Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. - -> [!NOTE] -> All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. - -### The CustomSettings.ini file - -The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration. - -```ini -[Settings] -Priority=Default -[Default] -_SMSTSORGNAME=Contoso -UserDataLocation=NONE -DoCapture=YES -OSInstall=Y -AdminPassword=pass@word1 -TimeZoneName=Pacific Standard Time -JoinWorkgroup=WORKGROUP -HideShell=YES -FinishAction=SHUTDOWN -DoNotCreateExtraPartition=YES -WSUSServer=http://mdt01.contoso.com:8530 -ApplyGPOPack=NO -SLSHARE=\\MDT01\Logs$ -SkipAdminPassword=YES -SkipProductKey=YES -SkipComputerName=YES -SkipDomainMembership=YES -SkipUserData=YES -SkipLocaleSelection=YES -SkipTaskSequence=NO -SkipTimeZone=YES -SkipApplications=YES -SkipBitLocker=YES -SkipSummary=YES -SkipRoles=YES -SkipCapture=NO -SkipFinalSummary=YES -``` - -- **Priority**: Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. - -- **\_SMSTSORGNAME**: The organization name displayed in the task sequence progress bar window during deployment. - -- **UserDataLocation**: Controls the settings for user state backup. You don't need to use when building and capturing a reference image. - -- **DoCapture**: Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. - -- **OSInstall**: Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed. - -- **AdminPassword**: Sets the local Administrator account password. - -- **TimeZoneName**: Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). - - > [!NOTE] - > The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. - -- **JoinWorkgroup**: Configures Windows to join a workgroup. - -- **HideShell**: Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. - -- **FinishAction**: Instructs MDT what to do when the task sequence is complete. - -- **DoNotCreateExtraPartition**: Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image. - -- **WSUSServer**: Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. - -- **SLSHARE**: Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. - -- **ApplyGPOPack**: Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). - -- **SkipAdminPassword**: Skips the pane that asks for the Administrator password. - -- **SkipProductKey**: Skips the pane that asks for the product key. - -- **SkipComputerName**: Skips the Computer Name pane. - -- **SkipDomainMemberShip**: Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties. - -- **SkipUserData**: Skips the pane for user state migration. - -- **SkipLocaleSelection**: Skips the pane for selecting language and keyboard settings. - -- **SkipTimeZone**: Skips the pane for setting the time zone. - -- **SkipApplications**: Skips the Applications pane. - -- **SkipBitLocker**: Skips the BitLocker pane. - -- **SkipSummary**: Skips the initial Windows Deployment Wizard summary pane. - -- **SkipRoles**: Skips the Install Roles and Features pane. - -- **SkipCapture**: Skips the Capture pane. - -- **SkipFinalSummary**: Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to select OK before the machine shuts down. - -## Build the Windows 10 reference image - -As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements). - -Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. - -The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. - -1. Copy D:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on your Hyper-V host (HV01). - - > [!NOTE] - > Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image. - -On **HV01**: - -1. Create a new virtual machine with the following settings: - - 1. Name: REFW10X64-001 - 2. Store the virtual machine in a different location: C:\VM - 3. Generation 1 - 4. Memory: 1024 MB - 5. Network: Must be able to connect to \\MDT01\MDTBuildLab$ - 6. Hard disk: 60 GB (dynamic disk) - 7. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso - -2. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**. - - > [!NOTE] - > Checkpoints are useful if you need to restart the process and want to make sure you can start clean. - -3. Start the REFW10X64-001 virtual machine and connect to it. - - > [!NOTE] - > Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. - - After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: - - - **Select a task sequence to execute on this computer**: Windows 10 Enterprise x64 RTM Default Image - - - **Specify whether to capture an image**: Capture an image of this reference computer - - - Location: \\\\MDT01\\MDTBuildLab$\\Captures - - - **File name**: REFW10X64-001.wim - - ![capture image.](../images/captureimage.png) - The Windows Deployment Wizard for the Windows 10 reference image. - -4. The setup now starts and does the following steps: - - 1. Installs the Windows 10 Enterprise operating system. - 2. Installs the added applications, roles, and features. - 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. - 4. Stages Windows PE on the local disk. - 5. Runs System Preparation (Sysprep) and reboots into Windows PE. - 6. Captures the installation to a Windows Imaging (WIM) file. - 7. Turns off the virtual machine. - -After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. - - ![image.](../images/image-captured.png) - -## Troubleshooting - -> [!IMPORTANT] -> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). - -If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence. - - ![monitoring.](../images/mdt-monitoring.png) - -If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. - -After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. - -## Related articles - -- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) -- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) -- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md deleted file mode 100644 index 7ecf3516b0..0000000000 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ /dev/null @@ -1,883 +0,0 @@ ---- -title: Deploy a Windows 10 image using MDT (Windows 10) -description: This article will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.collection: - - highpri - - tier3 -ms.date: 11/28/2022 ---- - -# Deploy a Windows 10 image using MDT - -**Applies to:** - -- Windows 10 - -This article will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). - -We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. - -For the purposes of this article, we'll use four computers: DC01, MDT01, HV01 and PC0005. - -- DC01 is a domain controller -- MDT01 is a domain member server -- HV01 is a Hyper-V server -- PC0005 is a blank device to which we'll deploy Windows 10 - -MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. - - ![devices.](../images/mdt-07-fig01.png) - -> [!NOTE] -> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - -## Step 1: Configure Active Directory permissions - -These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you've The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. - -On **DC01**: - -1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit. - -2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**: - - ```powershell - New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD@contoso.com -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true - ``` - -3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt: - - ```powershell - Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force - Set-Location C:\Setup\Scripts - .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" - ``` - - The following list is of the permissions being granted: - - - Scope: This object and all descendant objects - - Create Computer objects - - Delete Computer objects - - Scope: Descendant Computer objects - - Read All Properties - - Write All Properties - - Read Permissions - - Modify Permissions - - Change Password - - Reset Password - - Validated write to DNS host name - - Validated write to service principal name - -## Step 2: Set up the MDT production deployment share - -Next, create a new MDT deployment share. You shouldn't use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. - -### Create the MDT production deployment share - -On **MDT01**: - -The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: - -1. Ensure you're signed on as: contoso\administrator. - -2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**. - -4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**. - -5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**. - -6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**. - -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. - -### Configure permissions for the production deployment share - -To read files in the deployment share, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTProduction** folder - -On **MDT01**: - -1. Ensure you're signed in as **contoso\\administrator**. - -2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: - - ```powershell - icacls.exe "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)' - grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force - ``` - -## Step 3: Add a custom image - -The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores other components in the Sources\\SxS folder that is outside the image and may be required when installing components. - -### Add the Windows 10 Enterprise x64 RTM custom image - -In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) article, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. - -1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. - -2. Right-click the **Windows 10** folder and select **Import Operating System**. - -3. On the **OS Type** page, select **Custom image file** and select **Next**. - -4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and select **Next**. - -5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and select **Next**. - -6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, select **Next** twice, and then select **Finish**. - -7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. - -> [!NOTE] -> The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. - -![imported OS.](../images/fig2-importedos.png) - -## Step 4: Add an application - -When you configure your MDT Build Lab deployment share, you can also add applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example. - -### Create the install: Adobe Reader DC - -On **MDT01**: - -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320282_en_US.exe) to **D:\\setup\\adobe** on MDT01. - -2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320282_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). - -3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. - -4. Right-click the **Applications** node, and create a new folder named **Adobe**. - -5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. - -6. On the **Application Type** page, select the **Application with source files** option and select **Next**. - -7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and select *Next**. - -8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and select **Next**. - -9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and select **Next**. - -10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, select **Next** twice, and then select **Finish**. - - ![acroread image.](../images/acroread.png) - The Adobe Reader application added to the Deployment Workbench. - -## Step 5: Prepare the drivers repository - -In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: - -- Lenovo ThinkPad T420 -- Dell Latitude 7390 -- HP EliteBook 8560w -- Microsoft Surface Pro - -For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers. - -> [!NOTE] -> You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. - -### Create the driver source structure in the file system - -The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. - -On **MDT01**: - -> [!IMPORTANT] -> In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. - -1. Using File Explorer, create the **D:\\drivers** folder. - -2. In the **D:\\drivers** folder, create the following folder structure: - - 1. WinPE x86 - 2. WinPE x64 - 3. Windows 10 x64 - -3. In the new Windows 10 x64 folder, create the following folder structure: - - - Dell Inc. - - Latitude E7450 - - Hewlett-Packard - - HP EliteBook 8560w - - Lenovo - - ThinkStation P500 (30A6003TUS) - - Microsoft Corporation - - Surface Laptop - -> [!NOTE] -> Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. - -### Create the logical driver structure in MDT - -When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench. - -1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. - -2. In the **Out-Of-Box Drivers** node, create the following folder structure: - - 1. WinPE x86 - 2. WinPE x64 - 3. Windows 10 x64 - -3. In the **Windows 10 x64** folder, create the following folder structure: - - - Dell Inc. - - Latitude E7450 - - Hewlett-Packard - - HP EliteBook 8560w - - Lenovo - - 30A6003TUS - - Microsoft Corporation - - Surface Laptop - -The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell: - -```powershell -Get-WmiObject -Class:Win32_ComputerSystem -``` - -Or, you can use this command in a normal command prompt: - -```cmd -wmic.exe csproduct get name -``` - -If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](/archive/blogs/deploymentguys/using-and-extending-model-aliases-for-hardware-specific-application-installation). - -![drivers.](../images/fig4-oob-drivers.png) -The Out-of-Box Drivers structure in the Deployment Workbench. - -### Create the selection profiles for boot image drivers - -By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles. - -The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can't locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. - -On **MDT01**: - -1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. - -2. In the **New Selection Profile Wizard**, create a selection profile with the following settings: - - - **Selection Profile name**: WinPE x86 - - **Folders**: Select the WinPE x86 folder in Out-of-Box Drivers. - - Select **Next**, **Next** and **Finish**. - -3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. - -4. In the New Selection Profile Wizard, create a selection profile with the following settings: - - - **Selection Profile name**: WinPE x64 - - **Folders**: Select the WinPE x64 folder in Out-of-Box Drivers. - - Select **Next**, **Next** and **Finish**. - - ![figure 5.](../images/fig5-selectprofile.png) - Creating the WinPE x64 selection profile. - -### Extract and import drivers for the x64 boot image - -Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require more drivers. In this example, you add the latest Intel network drivers to the x64 boot image. - -On **MDT01**: - -1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). - -2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. - - > [!NOTE] - > Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. - -3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. - -4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. - -5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. - -### Download, extract, and import drivers - -### For the Lenovo ThinkStation P500 - -For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. - -![ThinkStation image.](../images/thinkstation.png) - -To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). - -In this example, we assume you've downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. - -On **MDT01**: - -1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node. - -2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - - **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** - - The folder you select and all subfolders will be checked for drivers, expanding any .cab files that are present and searching for drivers. - -### For the Latitude E7450 - -For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544). - -In these steps, we assume you've downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder. - -On **MDT01**: - -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc.** node. - -2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - - **`D:\Drivers\Windows 10 x64\Dell Inc.\Latitude E7450`** - -### For the HP EliteBook 8560w - -For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html). - -In these steps, we assume you've downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. - -On **MDT01**: - -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. - -2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - - **`D:\Drivers\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** - -### For the Microsoft Surface Laptop - -For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps, we assume you've downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. - -On **MDT01**: - -1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node. - -2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: - - **`D:\Drivers\Windows 10 x64\Microsoft\Surface Laptop`** - -## Step 6: Create the deployment task sequence - -This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You'll then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. - -### Create a task sequence for Windows 10 Enterprise - -On **MDT01**: - -1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**. - -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - - Task sequence ID: W10-X64-001 - - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image - - Task sequence comments: Production Image - - Template: Standard Client Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM Custom Image - - Specify Product Key: Don't specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: `https://www.contoso.com` - - Admin Password: Don't specify an Administrator Password at this time - -### Edit the Windows 10 task sequence - -1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. - -2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: - - 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: - - - **Name**: Set DriverGroup001 - - **Task Sequence Variable**: DriverGroup001 - - **Value**: Windows 10 x64\\%Make%\\%Model% - - 2. Configure the **Inject Drivers** action with the following settings: - - - **Choose a selection profile**: Nothing - - Install all drivers from the selection profile - - > [!NOTE] - > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. - - 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. - - 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. - -3. Select **OK**. - - ![drivergroup.](../images/fig6-taskseq.png) - The task sequence for production deployment. - -## Step 7: Configure the MDT production deployment share - -In this section, you'll learn how to configure the MDT Build Lab deployment share with the rules required to create a dynamic deployment process. This configuration includes commonly used rules and an explanation of how these rules work. - -### Configure the rules - -> [!NOTE] -> The following instructions assume the device is online. If you're offline you can remove SLShare variable. - -On **MDT01**: - -1. Right-click the **MDT Production** deployment share and select **Properties**. - -2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment): - - ```ini - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - AdminPassword=pass@word1 - JoinDomain=contoso.com - DomainAdmin=CONTOSO\MDT_JD - DomainAdminPassword=pass@word1 - MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com - SLShare=\\MDT01\Logs$ - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - WSUSServer=mdt01.contoso.com:8530 - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=NO - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - ``` - -3. Select **Edit Bootstrap.ini** and modify using the following information: - - ```ini - [Settings] - Priority=Default - - [Default] - DeployRoot=\\MDT01\MDTProduction$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. - -5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings: - - In the **Lite Touch Boot Image Settings** area: - - - Image description: MDT Production x86 - - ISO file name: MDT Production x86.iso - - > [!NOTE] - > - > Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests. - -6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. - -7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. - -8. On the **General** sub tab, configure the following settings: - - In the **Lite Touch Boot Image Settings** area: - - - Image description: MDT Production x64 - - ISO file name: MDT Production x64.iso - -9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. - -10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box. - -11. Select **OK**. - - > [!NOTE] - > It will take a while for the Deployment Workbench to create the monitoring database and web service. - - ![figure 8.](../images/mdt-07-fig08.png) - - The Windows PE tab for the x64 boot image. - -### The rules explained - -The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. - -You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials. - -### The Bootstrap.ini file - -This file is the MDT Production Bootstrap.ini: - -```ini -[Settings] -Priority=Default - -[Default] -DeployRoot=\\MDT01\MDTProduction$ -UserDomain=CONTOSO -UserID=MDT_BA -UserPassword=pass@word1 -SkipBDDWelcome=YES -``` - -### The CustomSettings.ini file - -This file is the CustomSettings.ini file with the new join domain information: - -```ini -[Settings] -Priority=Default - -[Default] -_SMSTSORGNAME=Contoso -OSInstall=Y -UserDataLocation=AUTO -TimeZoneName=Pacific Standard Time -AdminPassword=pass@word1 -JoinDomain=contoso.com -DomainAdmin=CONTOSO\MDT_JD -DomainAdminPassword=pass@word1 -MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com -SLShare=\\MDT01\Logs$ -ScanStateArgs=/ue:*\* /ui:CONTOSO\* -USMTMigFiles001=MigApp.xml -USMTMigFiles002=MigUser.xml -HideShell=YES -ApplyGPOPack=NO -WSUSServer=http://mdt01.contoso.com:8530 -SkipAppsOnUpgrade=NO -SkipAdminPassword=YES -SkipProductKey=YES -SkipComputerName=NO -SkipDomainMembership=YES -SkipUserData=YES -SkipLocaleSelection=YES -SkipTaskSequence=NO -SkipTimeZone=YES -SkipApplications=NO -SkipBitLocker=YES -SkipSummary=YES -SkipCapture=YES -SkipFinalSummary=NO -EventService=http://MDT01:9800 -``` - -Some properties to use in the MDT Production rules file are as follows: - -- **JoinDomain.** The domain to join. -- **DomainAdmin.** The account to use when joining the machine to the domain. -- **DomainAdminDomain.** The domain for the join domain account. -- **DomainAdminPassword.** The password for the join domain account. -- **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. -- **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. -- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore). -- **EventService.** Activates logging information to the MDT monitoring web service. - -> [!NOTE] -> For more information about localization support, see the following articles: -> -> - [MDT sample guide](/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario) -> - [LCID (Locale ID) codes](/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a) - -### Optional deployment share configuration - -If your organization has a Microsoft Software Assurance agreement, you also can subscribe to another Microsoft Desktop Optimization Package (MDOP) license (at an extra cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, and troubleshoot Windows itself. - -### Add DaRT 10 to the boot images - -If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps: - -> [!NOTE] -> DaRT 10 is part of [MDOP 2015](/microsoft-desktop-optimization-pack/#how-to-get-mdop). -> -> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**. - -On **MDT01**: - -1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\\\x64\\MSDaRT100.msi). - -2. Install DaRT 10 (MSDaRT10.msi) using the default settings. - - ![DaRT image.](../images/dart.png) - -3. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. - -4. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. - -5. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. - -6. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox. - - ![DaRT selection.](../images/mdt-07-fig09.png) - Selecting the DaRT 10 feature in the deployment share. - -7. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. - -8. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. - -9. Select **OK**. - -### Update the deployment share - -Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created. - -1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. - -2. Use the default options for the Update Deployment Share Wizard. - -> [!NOTE] -> The update process will take 5 to 10 minutes. - -## Step 8: Deploy the Windows 10 client image - -These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process. - -### Configure Windows Deployment Services - -You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-windows-deployment-services-wds) article. - -On **MDT01**: - -1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**. - -2. Right-click **Boot Images** and select **Add Boot Image**. - -3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. - - ![figure 9.](../images/mdt-07-fig10.png) - The boot image added to the WDS console. - -### Deploy the Windows 10 client - -At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you're confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. These tests help rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: - -On **HV01**: - -1. Create a virtual machine with the following settings: - - - Name: PC0005 - - Store the virtual machine in a different location: C:\VM - - Generation: 2 - - Memory: 2048 MB - - Network: Must be able to connect to \\MDT01\MDTProduction$ - - Hard disk: 60 GB (dynamic disk) - - Installation Options: Install an operating system from a network-based installation server - -2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server. - - ![figure 10.](../images/mdt-07-fig11.png) - The initial PXE boot process of PC0005. - -3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: - - - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - - Computer Name: **PC0005** - - Applications: Select the **Install - Adobe Reader** checkbox. - -4. Setup now begins and does the following steps: - - - Installs the Windows 10 Enterprise operating system. - - Installs the added application. - - Updates the operating system via your local Windows Server Update Services (WSUS) server. - - ![pc0005 image1.](../images/pc0005-vm.png) - -### Application installation - -Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed automatically. - - ![pc0005 image2.](../images/pc0005-vm-office.png) - -### Use the MDT monitoring feature - -Since you've enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. - -On **MDT01**: - -1. In the Deployment Workbench, expand the **MDT Production** deployment share folder. - -2. Select the **Monitoring** node, and wait until you see PC0005. - -3. Double-click PC0005, and review the information. - - ![figure 11.](../images/mdt-07-fig13.png) - The Monitoring node, showing the deployment progress of PC0005. - -### Use information in the Event Viewer - -When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log. - -![figure 12.](../images/mdt-07-fig14.png) -The Event Viewer showing a successful deployment of PC0005. - -## Multicast deployments - -Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it's important to ensure that your network supports it and is designed for it. If you've a limited number of simultaneous deployments, you probably don't need to enable multicast. - -### Requirements - -Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this configuration means involvement of the organization networking team to ensure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. - -### Set up MDT for multicast - -Setting up MDT for multicast is straightforward. You enable multicast on the deployment share, and MDT takes care of the rest. - -On **MDT01**: - -1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**. - -2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and select **OK**. - -3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**. - -4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created. - - ![figure 13.](../images/mdt-07-fig15.png) - The newly created multicast namespace. - -## Use offline media to deploy Windows 10 - -In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by using selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. - -Offline media are useful not only when you don't have network connectivity to the deployment share, but also when you've limited connection to the deployment share and don't want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. - -### Create the offline media selection profile - -To filter what is being added to the media, you create a selection profile. When creating selection profiles, you quickly realize the benefits of having created a good logical folder structure in the Deployment Workbench. - -On **MDT01**: - -1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**. - -2. Use the following settings for the New Selection Profile Wizard: - - - General Settings - - **Selection profile name**: Windows 10 Offline Media - - - Folders - - Applications / Adobe - - Operating Systems / Windows 10 - - Out-Of-Box Drivers / WinPE x64 - - Out-Of-Box Drivers / Windows 10 x64 - - Task Sequences / Windows 10 - - ![offline media.](../images/mdt-offline-media.png) - -### Create the offline media - -In these steps, you generate offline media from the MDT Production deployment share. To filter what is being added to the media, you use the previously created selection profile. - -1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. - - > [!NOTE] - > When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media. - -2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. - -3. Use the following settings for the New Media Wizard: - - - General Settings - - Media path: **D:\\MDTOfflineMedia** - - Selection profile: **Windows 10 Offline Media** - -### Configure the offline media - -Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini files. These files are stored in the Control folder of the offline media; they also can be accessed via properties of the offline media in the Deployment Workbench. - -On **MDT01**: - -1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. - -2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. - -3. In the **General** tab, configure the following: - - Clear the Generate x86 boot image check box. - - ISO file name: Windows 10 Offline Media.iso - -4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. - -5. On the **General** sub tab, configure the following settings: - - - In the **Lite Touch Boot Image Settings** area: - - **Image description**: MDT Production x64 - - In the **Windows PE Customizations** area, set the Scratch space size to 128. - -6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. - -7. Select **OK**. - -### Generate the offline media - -You've now configured the offline media deployment share, however the share hasn't yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. - -On **MDT01**: - -1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. - -2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes. - -### Create a bootable USB stick - -The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) - -> [!TIP] -> In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: -> -> **`Dism.exe /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.`** -> -> Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. -> -> To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. - -Follow these steps to create a bootable USB stick from the offline media content: - -1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. - -2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. - -3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. - -4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. - -5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). - -6. In the Diskpart utility, type **active**, and then type **exit**. - -## Unified Extensible Firmware Interface (UEFI)-based deployments - -As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you've an UEFI-based machine and creates the partitions UEFI requires. You don't need to update or change your task sequences in any way to accommodate UEFI. - -![figure 14.](../images/mdt-07-fig16.png) - -The partitions when deploying an UEFI-based machine. - -## Related articles - -- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) -- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) -- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md deleted file mode 100644 index 4adba0785d..0000000000 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ /dev/null @@ -1,203 +0,0 @@ ---- -title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) -description: This article will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.collection: - - highpri - - tier3 -ms.date: 11/28/2022 ---- - -# Get started with MDT - -**Applies to:** - -- Windows 10 - -This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - -## About MDT - -MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. - -In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. - -MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Configuration Manager](/configmgr/). - -> [!IMPORTANT] -> For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-). - -## Key features in MDT - -MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment. - -MDT has many useful features, such as: - -- **Windows Client support**: Supports Windows 7, Windows 8.1, and Windows 10. - -- **Windows Server support**: Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. - -- **Additional operating systems support**: Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry. - -- **UEFI support**: Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. - -- **GPT support**: Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI. - -- **Enhanced Windows PowerShell support**: Provides support for running PowerShell scripts. - - ![figure 2.](../images/mdt-05-fig02.png) - The deployment share mounted as a standard PSDrive allows for administration using PowerShell. - -- **Add local administrator accounts**: Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. - -- **Automated participation in CEIP and WER**: Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). - -- **Deploy Windows RE**: Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. - -- **Deploy to VHD**: Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. - -- **Improved deployment wizard**: Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard. - -- **Monitoring**: Allows you to see the status of currently running deployments. - -- **Apply GPO Pack**: Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). - -- **Partitioning routines**: Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. - -- **Offline BitLocker**: Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. - -- **USMT offline user-state migration**: Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. - - ![figure 3.](../images/mdt-05-fig03.png) - The offline USMT backup in action. - -- **Install or uninstall Windows roles or features**: Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. - -- **Microsoft System Center Orchestrator integration**: Provides the capability to use Orchestrator runbooks as part of the task sequence. - -- **Support for DaRT**: Supports optional integration of the DaRT components into the boot image. - -- **Support for Microsoft Office**: Provides added support for deploying Microsoft Office. - -- **Support for Modern UI app package provisioning**: Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. - -- **Extensibility**: Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. - -- **Upgrade task sequence**: Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). - -## MDT Lite Touch components - -Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disk. - -When the Windows operating system is being deployed using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, select **View Script**. You're provided the PowerShell command. - -![figure 4.](../images/mdt-05-fig04.png) - -If you select **View Script** on the right side, you'll get the PowerShell code that was used to perform the task. - -## Deployment shares - -A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get more settings for the deployment. For Lite Touch deployments, it's common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it's common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. - -## Rules - -The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: - -- Computer name -- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object -- Whether to enable BitLocker -- Regional settings -You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](/mem/configmgr/mdt/). - -![figure 5.](../images/mdt-05-fig05.png) -Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number - -## Boot images - -Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment share on the server and start the deployment. - -## Operating systems - -Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you've created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. - -## Applications - -Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. - -## Driver repository - -You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. - -## Packages - -With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those packages. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that aren't available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. - -## Task sequences - -Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. - -You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: - -- **Gather**: Reads configuration settings from the deployment server. -- **Format and Partition**: Creates the partition(s) and formats them. -- **Inject Drivers**: Finds out which drivers the machine needs and downloads them from the central driver repository. -- **Apply Operating System**: Applies the Windows image. -- **Windows Update**: Connects to a WSUS server and updates the machine. - -## Task sequence templates - -MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence. - -- **Sysprep and Capture task sequence**: Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. - - > [!NOTE] - > It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't. - -- **Standard Client task sequence**: The most frequently used task sequence. Used for creating reference images and for deploying clients in production. - -- **Standard Client Replace task sequence**: Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. - -- **Custom task sequence**: As the name implies, a custom task sequence with only one default action (one Install Application action). - -- **Standard Server task sequence**: The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers. - -- **Lite Touch OEM task sequence**: Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. - -- **Post OS Installation task sequence**: A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments. - -- **Deploy to VHD Client task sequence**: Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. - -- **Deploy to VHD Server task sequence**: Same as the Deploy to VHD Client task sequence but for servers. - -- **Standard Client Upgrade task sequence**: A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. - -## Selection profiles - -Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: - -- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. -- Control which drivers are injected during the task sequence. -- Control what is included in any media that you create. -- Control what is replicated to other deployment shares. -- Filter which task sequences and applications are displayed in the Deployment Wizard. - -## Logging - -MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. - -> [!NOTE] -> The easiest way to view log files is to use Configuration Manager Trace (CMTrace). For more information, see [CMTrace](/mem/configmgr/core/support/cmtrace). - -## Monitoring - -On the deployment share, you also can enable monitoring. After you enable monitoring, you'll see all running deployments in the Monitor node in the Deployment Workbench. - -## See next - -- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md deleted file mode 100644 index dd75e9b3fc..0000000000 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ /dev/null @@ -1,293 +0,0 @@ ---- -title: Prepare for deployment with MDT (Windows 10) -description: This article will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.collection: - - highpri - - tier3 -ms.date: 10/13/2023 ---- - -# Prepare for deployment with MDT - -**Applies to:** - -- Windows 10 - -This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory. - -## Infrastructure - -The procedures in this guide use the following names and infrastructure. - -### Network and servers - -For the purposes of this article, we'll use three server computers: **DC01**, **MDT01**, and **HV01**. - -- All servers are running Windows Server 2019. - - - You can use an earlier version of Windows Server with minor modifications to some procedures. - -- **DC01** is a domain controller, DHCP server, and DNS server for **contoso.com**, representing the fictitious Contoso Corporation. - -- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200 GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server. - - - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. - -- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image. - - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01. - -### Client computers - -Several client computers are referenced in this guide with hostnames of PC0001 to PC0007. - -- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. - - - Client name: PC0001 - - IP Address: DHCP - -- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios. - - - Client name: PC0002 - - IP Address: DHCP - -- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively. - -### Storage requirements - -MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you'll need to adjust some procedures in this guide to specify the C: drive instead of the D: drive. - -### Hyper-V requirements - -If you don't have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V. - -### Network requirements - -All server and client computers referenced in this guide are on the same subnet. This isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. - -### Domain credentials - -The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials. - -- **Active Directory domain name**: contoso.com -- **Domain administrator username**: administrator -- **Domain administrator password**: pass@word1 - -### Organizational unit structure - -The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs. - -![figure 2.](../images/mdt-01-fig02.jpg) - -## Install the Windows ADK - -These steps assume that you have the MDT01 member server running and configured as a domain member server. - -On **MDT01**: - -Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you'll need to create this folder): - -- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) -- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112) -- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334) -- (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe) - - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you don't need this patch. - -> [!TIP] -> You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties). - -1. On **MDT01**, ensure that you're signed in as an administrator in the CONTOSO domain. - - - For the purposes of this guide, we're using a Domain Admin account of **administrator** with a password of **pass@word1**. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials. - -2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step. - -3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page select **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step. - -4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file. - - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later. - -5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch. - -## Install and initialize Windows Deployment Services (WDS) - -On **MDT01**: - -1. Open an elevated Windows PowerShell prompt and enter the following command: - - ```powershell - Install-WindowsFeature -Name WDS -IncludeManagementTools - WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall" - WDSUTIL.exe /Set-Server /AnswerClients:All - ``` - -## Optional: Install Windows Server Update Services (WSUS) - -If you wish to use MDT as a WSUS server using the Windows Internal Database (WID), use the following command to install this service. Alternatively, change the WSUS server information in this guide to the WSUS server in your environment. - -To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt: - -```powershell -Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI -cd "C:\Program Files\Update Services\Tools" -.\wsusutil.exe postinstall CONTENT_DIR=C:\WSUS -``` - -> [!NOTE] -> To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the necessary post-installation configuration of WSUS on MDT01. - -## Install MDT - -> [!NOTE] -> MDT installation requires the following: -> -> - The Windows ADK for Windows 10 (installed in the previous procedure) -> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; enter `$host` to check) -> - Microsoft .NET Framework - -On **MDT01**: - -1. Visit the [MDT resource page](/mem/configmgr/mdt/) and select **Download MDT**. - -2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01. - - > [!NOTE] - > As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work. - -3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings. - -## Create the OU structure - -Switch to **DC01** and perform the following procedures on **DC01**: - -To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. - -Copy the following list of OU names and paths into a CSV file and save it as `~\Setup\Scripts\oulist.csv`. - -```csv -OUName,OUPath -Contoso,"DC=CONTOSO,DC=COM" -Accounts,"OU=Contoso,DC=CONTOSO,DC=COM" -Computers,"OU=Contoso,DC=CONTOSO,DC=COM" -Groups,"OU=Contoso,DC=CONTOSO,DC=COM" -Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM" -Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM" -Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM" -``` - -Next, copy the following commands into a file and save it as `~\Setup\Scripts\ou.ps1`. Be sure that you're viewing file extensions and that you save the file with the `.ps1` extension. - -```powershell -Import-CSV -Path $home\Setup\Scripts\oulist.csv | ForEach-Object { - New-ADOrganizationalUnit -Name $_.ouname -Path $_.oupath - Write-Host -ForegroundColor Green "OU $($_.ouname) is created in the location $($_.oupath)" -} -``` - -Lastly, open an elevated Windows PowerShell prompt on DC01 and run the `ou.ps1` script: - -```powershell -Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Set-Location $home\Setup\Scripts -.\ou.ps1 -``` - -This will create an OU structure as shown below. - -![OU structure.](../images/mdt-05-fig07.png) - -To use the Active Directory Users and Computers console (instead of PowerShell): - -On **DC01**: - -1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**. - -2. In the **Contoso** OU, create the following OUs: - - - Accounts - - Computers - - Groups - -3. In the **Contoso / Accounts** OU, create the following underlying OUs: - - - Admins - - Service Accounts - - Users - -4. In the **Contoso / Computers** OU, create the following underlying OUs: - - - Servers - - Workstations - -5. In the **Contoso / Groups** OU, create the following OU: - - Security Groups - -The final result of either method is shown below. The **MDT_BA** account will be created next. - -## Create the MDT service account - -When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. - -To create an MDT build account, open an elevated Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1": - -```powershell -New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true -``` - -If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above. - -## Create and share the logs folder - -By default MDT stores the log files locally on the client. In order to capture a reference image, you'll need to enable server-side logging and, to do that, you'll need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). - -On **MDT01**: - -1. Sign in as **CONTOSO\\administrator**. - -2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: - - ```powershell - New-Item -Path D:\Logs -ItemType directory - New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE - icacls D:\Logs /grant '"MDT_BA":(OI)(CI)(M)' - ``` - -See the following example: - -![Logs folder.](../images/mdt-05-fig08.png) - -## Use Support Center OneTrace or CMTrace to read log files (optional) - -The log files in MDT Lite Touch are formatted to be read by [Support Center OneTrace](/mem/configmgr/core/support/support-center-onetrace) or [CMTrace](/mem/configmgr/core/support/cmtrace). - -Notepad can be used to read the log files (example below): - -![figure 8.](../images/mdt-05-fig09.png) - -However, Support Center OneTrace or CMTrace makes the logs much easier to read. See the same log file below, opened in CMTrace: - -![figure 9.](../images/mdt-05-fig10.png) - -Both Support Center OneTrace and CMTrace are available as part of Microsoft Configuration Manager. - -## Next steps - -When you've completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). - -## Appendix - -### Sample files - -The following sample files are also available to help automate some MDT deployment tasks. This guide doesn't use these files, but they're made available here so you can see how some tasks can be automated with Windows PowerShell. - -- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. -- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md deleted file mode 100644 index 23267929fa..0000000000 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ /dev/null @@ -1,121 +0,0 @@ ---- -title: Refresh a Windows 7 computer with Windows 10 (Windows 10) -description: This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Refresh a Windows 7 computer with Windows 10 - -**Applies to:** - -- Windows 10 - -This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/). - -For the purposes of this article, we'll use three computers: DC01, MDT01, and PC0001. - -- DC01 is a domain controller for the contoso.com domain. -- MDT01 is domain member server that hosts your deployment share. -- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1. - -Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more information on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - -![computers.](../images/mdt-04-fig01.png "Computers used in this topic") -The computers used in this article. - -## The computer refresh process - -A computer refresh isn't the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings. - -For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh, you will: - -1. Back up data and settings locally, in a backup folder. -2. Wipe the partition, except for the backup folder. -3. Apply the new operating system image. -4. Install other applications. -5. Restore data and settings. - -During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are linked in the file system, which allows for fast migration, even when there's many files. - -> [!NOTE] -> In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. - -### Multi-user migration - -By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT). - -For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: `ScanStateArgs=/ue:*\* /ui:CONTOSO\*` - -> [!NOTE] -> You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. - -### Support for additional settings - -In addition to the command-line switches that control which profiles to migrate, [XML templates](../usmt/understanding-migration-xml-files.md) control exactly what data is being migrated. You can control data within and outside the user profiles. - -### Multicast - -Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment there are only a few computers. You'll need to update the deployment share after changing this setting. - -## Refresh a Windows 7 SP1 client - -In this section, we assume that you've already performed the prerequisite procedures in the following articles, so that you have a deployment share named **MDTProduction$** on MDT01: - -- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) -- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -It's also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we'll be refreshing a Windows 7 SP1 PC to Windows 10, version 1909. - -### Upgrade (refresh) a Windows 7 SP1 client - -> [!IMPORTANT] -> Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in **Contoso** > **Computers** > **Workstations**. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. - -1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. - -2. Complete the deployment guide using the following settings: - - - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - - - **Computer name**: *\* - - - **Specify where to save a complete computer backup**: Don't back up the existing computer - - > [!NOTE] - > Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. - - - **Select one or more applications to install**: Install - Adobe Reader - - ![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh") - -3. Setup starts and performs the following actions: - - - Backs up user settings and data using USMT. - - Installs the Windows 10 Enterprise x64 operating system. - - Installs any added applications. - - Updates the operating system using your local Windows Server Update Services (WSUS) server. - - Restores user settings and data using USMT. - -4. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example: - - ![monitor deployment.](../images/monitor-pc0001.png) - -5. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated. - -## Related articles - -- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) -- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) -- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md deleted file mode 100644 index 9983df7350..0000000000 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ /dev/null @@ -1,167 +0,0 @@ ---- -title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) -description: In this article, you'll learn how to replace a Windows 7 device with a Windows 10 device. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Replace a Windows 7 computer with a Windows 10 computer - -**Applies to:** - -- Windows 10 - -A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. - -For the purposes of this article, we'll use four computers: DC01, MDT01, PC0002, and PC0007. - -- DC01 is a domain controller for the contoso.com domain. -- MDT01 is domain member server that hosts your deployment share. -- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. -- PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain. - -For more details on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - -![The computers used in this topic.](../images/mdt-03-fig01.png) -The computers used in this article. - ->HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer. - -## Prepare for the computer replace - - To prepare for the computer replace, you need to create a folder in which to store the backup and a backup only task sequence to run on the old computer. - -### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share - -On **MDT01**: - -1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, select **Properties**, and then select the **Rules** tab. - -2. Change the **SkipUserData=YES** option to **NO**, and select **OK**. - -3. Right-click on **MDT Production** and select **Update Deployment Share**. Then select **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings. - -### Create and share the MigData folder - -On **MDT01**: - -1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: - - ```powershell - New-Item -Path D:\MigData -ItemType directory - New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE - icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)' - ``` - -### Create a backup only (replace) task sequence - -1. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**. - -2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - - Task sequence ID: REPLACE-001 - - Task sequence name: Backup Only Task Sequence - - Task sequence comments: Run USMT to back up user data and settings - - Template: Standard Client Replace Task Sequence - -3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. - - ![The Backup Only Task Sequence action list.](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list") - - The Backup Only Task Sequence action list. - -## Perform the computer replace - -During a computer replace, the following are the high-level steps that occur: - -1. On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup. - -2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. - -### Run the replace task sequence - -On **PC0002**: - -1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share. - -2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**. - -3. Complete the **Windows Deployment Wizard** using the following settings: - - - **Select a task sequence to execute on this computer**: Backup Only Task Sequence - - - **Specify where to save your data and settings**: Specify a location - - - **Location**: \\\\MDT01\\MigData$\\PC0002 - - > [!NOTE] - > If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. - - - **Specify where to save a complete computer backup**: Don't back up the existing computer - - The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer. - - ![The new task sequence.](../images/mdt-03-fig03.png "The new task sequence") - The new task sequence running the Capture User State action on PC0002. - -4. On **MDT01**, verify that you have a USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder. - - ![The USMT backup.](../images/mdt-03-fig04.png "The USMT backup") - The USMT backup of PC0002. - -### Deploy the replacement computer - -To demonstrate deployment of the replacement computer, HV01 is used to host a virtual machine: PC0007. - -On **HV01**: - -1. Create a virtual machine with the following settings: - - - **Name**: PC0007 - - **Location**: C:\\VMs - - **Generation**: 2 - - **Memory**: 2048 MB - - **Hard disk**: 60 GB (dynamic disk) - - Install an operating system from a network-based installation server - -2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site). - - ![The initial PXE boot process.](../images/mdt-03-fig05.png "The initial PXE boot process") - - The initial PXE boot process of PC0007. - -3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - - - Select a task sequence to execute on this computer: - - Windows 10 Enterprise x64 RTM Custom Image - - **Computer Name**: PC0007 - - **Move Data and Settings**: Don't move user data and settings. - - **User Data (Restore)** > **Specify a location**: \\\\MDT01\\MigData$\\PC0002 - - **Applications**: Adobe > Install - Adobe Reader - -4. Setup now starts and does the following actions: - - - Partitions and formats the disk. - - Installs the Windows 10 Enterprise operating system. - - Installs the application. - - Updates the operating system via your local Windows Server Update Services (WSUS) server. - - Restores the USMT backup from PC0002. - -You can view progress of the process by clicking the Monitoring node in the Deployment Workbench on MDT01. - -![Monitor progress.](../images/mdt-replace.png) - -## Related articles - -- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) -- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) -- [Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md deleted file mode 100644 index e08bd4f051..0000000000 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ /dev/null @@ -1,181 +0,0 @@ ---- -title: Set up MDT for BitLocker (Windows 10) -manager: aaroncz -ms.author: frankroj -description: Learn how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Set up MDT for BitLocker - -This article will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: - -- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. - -- Multiple partitions on the hard drive. - -To configure your environment for BitLocker, you'll need to do the following actions: - -1. Configure Active Directory for BitLocker. -2. Download the various BitLocker scripts and tools. -3. Configure the operating system deployment task sequence for BitLocker. -4. Configure the rules (CustomSettings.ini) for BitLocker. - -> [!NOTE] -> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For more information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds). -> -> If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. - -For the purposes of this article, we'll use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). - -## Configure Active Directory for BitLocker - -To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we're running Windows Server 2012 R2, so you don't need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. - -> [!NOTE] -> Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. - -In Windows Server version from 2008 R2 and later, you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. - -![figure 2.](../images/mdt-09-fig02.png) - -The BitLocker Recovery information on a computer object in the contoso.com domain. - -### Add the BitLocker Drive Encryption Administration Utilities - -The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell): - -1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, select **Add roles and features**. - -2. On the **Before you begin** page, select **Next**. - -3. On the **Select installation type** page, select **Role-based or feature-based installation**, and select **Next**. - -4. On the **Select destination server** page, select **DC01.contoso.com** and select **Next**. - -5. On the **Select server roles** page, select **Next**. - -6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then select **Next**: - - 1. BitLocker Drive Encryption Administration Utilities - 2. BitLocker Drive Encryption Tools - 3. BitLocker Recovery Password Viewer - -7. On the **Confirm installation selections** page, select **Install**, and then select **Close**. - -![figure 3.](../images/mdt-09-fig03.png) -Selecting the BitLocker Drive Encryption Administration Utilities. - -### Create the BitLocker Group Policy - -Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile. - -1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. - -2. Assign the name **BitLocker Policy** to the new Group Policy. - -3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings found under **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** - - 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: - - - Allow data recovery agent (default) - - Save BitLocker recovery information to Active Directory Domain Services (default) - - Don't enable BitLocker until recovery information is stored in AD DS for operating system drives - - 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. - - 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. - -> [!NOTE] -> If you consistently get the error: -> -> **Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system.** -> -> after encrypting a computer with BitLocker, you might have to change the various **Configure TPM platform validation profile** Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. - -### Set permissions in Active Directory for BitLocker - -In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you've downloaded the [Add-TPMSelfWriteACE.vbs script](https://raw.githubusercontent.com/DeploymentArtist/DF4/master/BitLocker%20and%20TPM/Add-TPMSelfWriteACE.vbs) to C:\\Setup\\Scripts on DC01. - -1. On DC01, start an elevated PowerShell prompt (run as Administrator). - -2. Configure the permissions by running the following command: - - ```cmd - cscript.exe C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs - ``` - -![figure 4.](../images/mdt-09-fig04.png) -Running the Add-TPMSelfWriteACE.vbs script on DC01. - -## Add BIOS configuration tools from Dell, HP, and Lenovo - -If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper. - -### Add tools from Dell - -[Dell Command | Configure](https://www.dell.com/support/article/us/en/04/sln311302/dell-command-configure) provides a Command Line Interface and a Graphical User Interface. - -### Add tools from HP - -The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here's a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: - -```cmd -BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 -``` - -And the sample content of the TPMEnable.REPSET file: - -```txt -English -Activate Embedded Security On Next Boot -*Enable -Embedded Security Activation Policy -*No prompts -F1 to Boot -Allow user to reject -Embedded Security Device Availability -*Available -``` - -### Add tools from Lenovo - -The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here's a sample command to enable TPM using the Lenovo tools: - -```cmd -cscript.exe SetConfig.vbs SecurityChip Active -``` - -## Configure the Windows 10 task sequence to enable BitLocker - -When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it's helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we're using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](/archive/blogs/deploymentguys/check-to-see-if-the-tpm-is-enabled). - -In the following task sequence, we added five actions: - -- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. - -- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip isn't already activated. Use the properties from the ZTICheckforTPM.wsf. - - > [!NOTE] - > It is common for organizations to wrap these tools in scripts to get additional logging and error handling. - -- **Restart computer.** Self-explanatory, reboots the computer. - -- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. - -- **Enable BitLocker.** Runs the built-in action to activate BitLocker. - -## Related articles - -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md deleted file mode 100644 index 0ea1bd83a0..0000000000 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ /dev/null @@ -1,103 +0,0 @@ ---- -title: Simulate a Windows 10 deployment in a test environment (Windows 10) -description: This article will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Simulate a Windows 10 deployment in a test environment - -This article will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it's most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you're using a domain-joined client. - -## Test environment - -- A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts. - -- It's assumed that you've performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share: - - - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - -## Simulate deployment - -On **PC0001**: - -1. Sign as **contoso\\Administrator**. - -2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001. - - ```powershell - # Check for elevation - If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` - [Security.Principal.WindowsBuiltInRole] "Administrator")) - { - Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script." - Write-Warning "Aborting script..." - Break - } - cls - if (Test-Path -Path "C:\MININT") {Write-Host "C:\MININT exists, deleting...";Remove-Item C:\MININT -Recurse} - cscript.exe ZTIGather.wsf /debug:true - # Optional, comment out if you want the script to open the log in CMTrace - & "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log - ``` - - > [!NOTE] - > For more information about the Configuration Manager Trace (cmtrace.exe) tool, see [CMTrace](/mem/configmgr/core/support/cmtrace). - -4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group. - -5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**. - -6. Open the **\\\\MDT01\\MDTProduction$\\Scripts** folder and copy the following files to **C:\\MDT**: - - - ZTIDataAccess.vbs - - ZTIGather.wsf - - ZTIGather.xml - - ZTIUtility.vbs - -7. From the **\\\\MDT01\\MDTProduction$\\Control** folder, copy the CustomSettings.ini file to **C:\\MDT**. - -8. In the **C:\\MDT** folder, create a subfolder named **X64**. - -9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**. - - ![files.](../images/mdt-09-fig06.png) - - The C:\\MDT folder with the files added for the simulation environment. - -10. Type the following at an elevated Windows PowerShell prompt: - - ```powershell - Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force - Set-Location C:\MDT - .\Gather.ps1 - ``` - - When prompted, press **R** to run the gather script. - -11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder using CMTrace. - - > [!NOTE] - > Warnings or errors regarding the Wizard.hta are expected. If the log file looks okay, you're ready to try a real deployment. - - ![ztigather.](../images/mdt-09-fig07.png) - - The ZTIGather.log file from PC0001. - -## Related articles - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md deleted file mode 100644 index 6c8c9c684a..0000000000 --- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) -description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Perform an in-place upgrade to Windows 10 with MDT - -**Applies to:** - -- Windows 10 - -The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. - -> [!TIP] -> In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. - -In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you can't use a custom image to perform the in-place upgrade. In this article, we'll add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade. - -Three computers are used in this article: DC01, MDT01, and PC0002. - -- DC01 is a domain controller for the contoso.com domain -- MDT01 is a domain member server -- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade - - ![computers.](../images/mdt-upgrade.png) - The computers used in this article. - -> [!NOTE] -> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). -> ->If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source). - -## Create the MDT production deployment share - -On **MDT01**: - -1. Ensure you're signed on as **contoso\administrator**. - -2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**. - -4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**. - -5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**. - -6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**. - -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. - -## Add Windows 10 Enterprise x64 (full source) - -> [!NOTE] -> If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. - -On **MDT01**: - -1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. - -2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. - -3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. - -4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: - - - Full set of source files - - **Source directory**: (location of your source files) - - **Destination directory name**: `W10EX64RTM` - -5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. - -## Create a task sequence to upgrade to Windows 10 Enterprise - -On **MDT01**: - -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, then create a folder named **Windows 10**. - -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**: - - - **Task sequence ID**: W10-X64-UPG - - **Task sequence name**: Windows 10 Enterprise x64 RTM Upgrade - - **Template**: Standard Client Upgrade Task Sequence - - **Select OS**: Windows 10 Enterprise x64 RTM Default Image - - **Specify Product Key**: Don't specify a product key at this time - - **Organization**: Contoso - - **Admin Password**: Don't specify an Administrator password at this time - -## Perform the Windows 10 upgrade - -To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded). - -On **PC0002**: - -1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** - -2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then select **Next**. - -3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader - -4. On the **Ready** tab, select **Begin** to start the task sequence. - -When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - -![upgrade1.](../images/upgrademdt-fig5-winupgrade.png) - -![upgrade2.](../images/mdt-upgrade-proc.png) - -![upgrade3.](../images/mdt-post-upg.png) - -After the task sequence completes, the computer will be fully upgraded to Windows 10. - -## Related articles - -- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) -- [Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/) diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md deleted file mode 100644 index c8e060d3cb..0000000000 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md +++ /dev/null @@ -1,212 +0,0 @@ ---- -title: Use Orchestrator runbooks with MDT (Windows 10) -description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Use Orchestrator runbooks with MDT - -This article will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. - -MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required. - -> [!NOTE] -> If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website. - -## Orchestrator terminology - -Before diving into the core details, here's a quick course in Orchestrator terminology: - -- **Orchestrator Server**: This is a server that executes runbooks. - -- **Runbooks**: A runbook is similar to a task sequence; it's a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database. - -- **Orchestrator Designer**: This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions. - -- **Subscriptions**: These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook. - -- **Orchestrator Console**: This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default. - -- **Orchestrator web services**: These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default. - -- **Integration packs**: These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few. - -> [!NOTE] -> To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)). - -## Create a sample runbook - -This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01. - -1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS). - -2. In the **E:\\Logfile** folder, create the DeployLog.txt file. - - > [!NOTE] - > Make sure File Explorer is configured to show known file extensions so the file isn't named DeployLog.txt.txt. - - ![figure 23.](../images/mdt-09-fig23.png) - - Figure 23. The DeployLog.txt file. - -3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder. - - ![figure 24.](../images/mdt-09-fig24.png) - - Figure 24. Folder created in the Runbooks node. - -4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**. - -5. On the ribbon bar, select **Check Out**. - -6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**. - -7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane: - - - Runbook Control / Initialize Data - - Text File Management / Append Line - -8. Connect **Initialize Data** to **Append Line**. - - ![figure 25.](../images/mdt-09-fig25.png) - - Figure 25. Activities added and connected. - -9. Right-click the **Initialize Data** activity, and select **Properties** - -10. On **the Initialize Data Properties** page, select **Add**, change **Parameter 1** to **OSDComputerName**, and then select **Finish**. - - ![figure 26.](../images/mdt-09-fig26.png) - - Figure 26. The Initialize Data Properties window. - -11. Right-click the **Append Line** activity, and select **Properties**. - -12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**. - -13. In the **File** encoding drop-down list, select **ASCII**. - -14. In the **Append** area, right-click inside the **Text** text box and select **Expand**. - - ![figure 27.](../images/mdt-09-fig27.png) - - Figure 27. Expanding the Text area. - -15. In the blank text box, right-click and select **Subscribe / Published Data**. - - ![figure 28.](../images/mdt-09-fig28.png) - - Figure 28. Subscribing to data. - -16. In the **Published Data** window, select the **OSDComputerName** item, and select **OK**. - -17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**. - -18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and select **OK**. - - ![figure 29.](../images/mdt-09-fig29.png) - - Figure 29. The expanded text box after all subscriptions have been added. - -19. On the **Append Line Properties** page, select **Finish**. -## Test the demo MDT runbook - -After the runbook is created, you're ready to test it. - -1. On the ribbon bar, select **Runbook Tester**. - -2. Select **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then select **OK**: - - - **OSDComputerName**: PC0010 - -3. Verify that all activities are green (for more information, see each target). - -4. Close the **Runbook Tester**. - -5. On the ribbon bar, select **Check In**. - -![figure 30.](../images/mdt-09-fig30.png) - -Figure 30. All tests completed. - -## Use the MDT demo runbook from MDT - -1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**. - -2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**: - - - **Task sequence ID**: OR001 - - **Task sequence name**: Orchestrator Sample - - **Task sequence comments**: *\* - - **Template**: Custom Task Sequence - -3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab. - -4. Remove the default **Application Install** action. - -5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option. - -6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings: - - - **Name**: Set Task Sequence Variable - - **Task Sequence Variable**: OSDComputerName - - **Value**: %hostname% - -7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings: - - - **Orchestrator Server**: OR01.contoso.com - - Use **Browse** to select **1.0 MDT / MDT Sample**. - -8. Select **OK**. - -![figure 31.](../images/mdt-09-fig31.png) - -Figure 31. The ready-made task sequence. - -## Run the orchestrator sample task sequence - -Since this task sequence just starts a runbook, you can test the task sequence on the PC0001 client that you used for the MDT simulation environment. - -> [!NOTE] -> Make sure the account you're using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)). - -1. On PC0001, log on as **CONTOSO\\MDT\_BA**. - -2. Using an elevated command prompt (run as Administrator), type the following command: - - ```cmd - cscript.exe \\MDT01\MDTProduction$\Scripts\Litetouch.vbs - ``` - -3. Complete the **Windows Deployment Wizard** using the following information: - - 1. **Task Sequence**: Orchestrator Sample - - 2. **Credentials**: - - - **User Name**: MDT\_BA - - **Password**: P@ssw0rd - - **Domain**: CONTOSO - -4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated. - -![figure 32.](../images/mdt-09-fig32.png) - -Figure 32. The ready-made task sequence. - -## Related articles - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md deleted file mode 100644 index ddb614d625..0000000000 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ /dev/null @@ -1,99 +0,0 @@ ---- -title: Use MDT database to stage Windows 10 deployment info (Windows 10) -description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Use the MDT database to stage Windows 10 deployment information - -This article is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many more settings for the machines. - -## Database prerequisites - -MDT can use either SQL Server Express or full SQL Server. However, since the deployment database isn't large, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment. - -> [!NOTE] -> Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. - -## Create the deployment database - -The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01. - -> [!NOTE] -> Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. - -1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. - -2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and select **Next**: - - 1. SQL Server Name: MDT01 - 2. Instance: SQLEXPRESS - 3. Port: <blank> - 4. Network Library: Named Pipes - -3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and select **Next**. - -4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and select **Next**. Select **Next** again and then select **Finish**. - -![figure 8.](../images/mdt-09-fig08.png) - -Figure 8. The MDT database added to MDT01. - -## Configure database permissions - -After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA. - -1. On MDT01, start SQL Server Management Studio. - -2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and select **Connect**. - -3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**. - - ![figure 9.](../images/mdt-09-fig09.png) - - Figure 9. The top-level Security node. - -4. On the **Login - New** page, next to the **Login** name field, select **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles: - - 1. db\_datareader - 2. db\_datawriter - 3. public (default) - -5. Select **OK**, and close SQL Server Management Studio. - -![figure 10.](../images/mdt-09-fig10.png) - -Figure 10. Creating the login and settings permissions to the MDT database. - -## Create an entry in the database - -To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier. - -1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**. - -2. Right-click **Computers**, select **New**, and add a computer entry with the following settings: - - 1. Description: New York Site - PC00075 - 2. MacAddress: <PC00075 MAC Address in the 00:00:00:00:00:00 format> - 3. Details Tab / OSDComputerName: PC00075 - -![figure 11.](../images/mdt-09-fig11.png) - -Figure 11. Adding the PC00075 computer to the database. - -## Related articles - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use web services in MDT](use-web-services-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md deleted file mode 100644 index 1a264d2ee7..0000000000 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md +++ /dev/null @@ -1,146 +0,0 @@ ---- -title: Use web services in MDT (Windows 10) -description: Learn how to create a web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 11/28/2022 ---- - -# Use web services in MDT - -In this article, you'll learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Web services are web applications that run code on the server side, and MDT has built-in functions to call these web services. -Using a web service in MDT is straightforward, but it does require that you've enabled the Web Server (IIS) role on the server. Developing web services involves some coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web. - -## Create a sample web service - -In these steps, we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://www.microsoft.com/download/details.aspx?id=42516) from the Microsoft Download Center and extracted it to C:\\Projects. - -1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file. - -2. On the ribbon bar, verify that Release is selected. - -3. In the **Debug** menu, select the **Build MDTSample** action. - -4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**. - -5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01. - -6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01: - - - Web.config - - mdtsample.asmx - - ![figure 15.](../images/mdt-09-fig15.png) - - Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web. - -## Create an application pool for the web service - -This section assumes that you've enabled the Web Server (IIS) role on MDT01. - -1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools). - -2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the **Do you want to get started with Microsoft Web Platform?** question, select the **Do not show this message** check box and then select **No**. - -3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings: - - - **Name**: MDTSample - - **.NET Framework version**: .NET Framework 4.0.30319 - - **Manage pipeline mode**: Integrated - - Select the **Start application pool immediately** check box. - - Select **OK**. - - ![figure 16.](../images/mdt-09-fig16.png) - - Figure 16. The new MDTSample application. - -## Install the web service - -1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application: - - - **Alias**: MDTSample - - **Application pool**: MDTSample - - **Physical Path**: E:\\MDTSample - - ![figure 17.](../images/mdt-09-fig17.png) - - Figure 17. Adding the MDTSample web application. - -2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box: - - - **Anonymous Authentication**: Enabled - - **ASP.NET Impersonation**: Disabled - - ![figure 18.](../images/mdt-09-fig18.png) - - Figure 18. Configuring Authentication for the MDTSample web service. - -## Test the web service in Internet Explorer - -1. On PC0001, using Internet Explorer, navigate to: **`http://MDT01/MDTSample/mdtsample.asmx'**. - -2. Select the **GetComputerName** link. - - ![figure 19.](../images/mdt-09-fig19.png) - - Figure 19. The MDT Sample web service. - -3. On the **GetComputerName** page, type in the following settings, and select **Invoke**: - - - **Model**: Hewlett-Packard - - **SerialNumber**: 123456789 - - ![figure 20.](../images/mdt-09-fig20.png) - - Figure 20. The result from the MDT Sample web service. - -## Test the web service in the MDT simulation environment - -After verifying the web service using Internet Explorer, you're ready to do the same test in the MDT simulation environment. - -1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following: - - ```ini - [Settings] - Priority=Default, GetComputerName - [Default] - OSInstall=YES - [GetComputerName] - WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName - Parameters=Model,SerialNumber - OSDComputerName=string - ``` - - ![figure 21.](../images/mdt-09-fig21.png) - - Figure 21. The updated CustomSettings.ini file. - -2. Save the CustomSettings.ini file. - -3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: - - ```powershell - Set-Location C:\MDT - .\Gather.ps1 - ``` - -4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder. - - ![figure 22.](../images/mdt-09-fig22.png) - - Figure 22. The OSDCOMPUTERNAME value obtained from the web service. - -## Related articles - -- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md deleted file mode 100644 index 9276cbf7c4..0000000000 --- a/windows/deployment/deploy-windows-to-go.md +++ /dev/null @@ -1,1025 +0,0 @@ ---- -title: Deploy Windows To Go in your organization (Windows 10) -description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface and programatically with Windows PowerShell. -manager: aaroncz -author: frankroj -ms.author: frankroj -ms.prod: windows-client -ms.technology: itpro-deploy -ms.topic: article -ms.date: 11/23/2022 ---- - -# Deploy Windows To Go in your organization - -*Applies to:* - -- Windows 10 - -This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment. - -> [!IMPORTANT] -> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -## Deployment tips - -The below list is items that you should be aware of before you start the deployment process: - -- Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives. - -- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted. - -- When running a Windows To Go workspace, always shut down the workspace before unplugging the drive. - -- Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). - -- If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. - -## Basic deployment steps - -Unless you're using a customized operating system image, your initial Windows To Go workspace won't be domain joined, and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain, and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications. This section describes the instructions for creating the correct disk layout on the USB drive, applying the operating system image and the core Windows To Go specific configurations to the drive. The steps that follow are used in both small-scale and large-scale Windows To Go deployment scenarios. - -Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For more information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)). - -> [!WARNING] -> If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication. - -### Create the Windows To Go workspace - -In this step we're creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools. - -> [!WARNING] -> The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. - -#### To create a Windows To Go workspace with the Windows To Go Creator Wizard - -1. Sign into your Windows PC using an account with Administrator privileges. - -2. Insert the USB drive that you want to use as your Windows To Go drive into your PC. - -3. Verify that the `.wim` file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. - - > [!NOTE] - > For more information about `.wim` files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)). - -4. Search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens. - -5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then select **Next.** - -6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the `.wim` file location and select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**. - -7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, for instructions see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)). - - > [!WARNING] - > If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. - - If you choose to encrypt the Windows To Go drive now, enter a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters. - - > [!IMPORTANT] - > The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)). - -8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then select **Create** to start the Windows To Go workspace creation process. - - > [!WARNING] - > The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. - -9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page, you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer. - -Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using the Windows To Go startup options and boot your Windows To Go drive. - -#### Windows PowerShell equivalent commands - -The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC. - -1. Search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. - -2. In the Windows PowerShell session, enter the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware: - -
-
- Expand to show PowerShell commands to partition an MBR disk - - ```powershell - # The following command will set $Disk to all USB drives with >20 GB of storage - - $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } - - #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase. - # - # To skip the confirmation prompt, append -confirm:$False - Clear-Disk -InputObject $Disk[0] -RemoveData - - # This command initializes a new MBR disk - Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR - - # This command creates a 350 MB system partition - $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive - - # This formats the volume with a FAT32 Filesystem - # To skip the confirmation dialog, append -Confirm:$False - Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 ` - -Partition $SystemPartition - - # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage. - $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize - Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS ` - -Partition $OSPartition - - # This command assigns drive letters to the new drive, the drive letters chosen should not already be in use. - Set-Partition -InputObject $SystemPartition -NewDriveLetter "S" - Set-Partition -InputObject $OSPartition -NewDriveLetter "W" - - # This command sets the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. - Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE - ``` - -
- -3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - - > [!TIP] - > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - - ```cmd - #The WIM file must contain a sysprep generalized image. - dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ - ``` - -4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: - - ```cmd - W:\Windows\System32\bcdboot.exe W:\Windows /f ALL /s S: - ``` - -5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: - -
-
- Expand to show example san_policy.xml file - - ```xml - - - - - 4 - - - 4 - - - - ``` - -
- -6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command: - - ```cmd - Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml - ``` - -7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file: - -
-
- Expand to show example san_policy.xml file - - ```xml - - - - - true - - - true - - - - ``` - -
- - After the answer file has been saved, copy `unattend.xml` into the sysprep folder on the Windows To Go drive (for example, `W:\Windows\System32\sysprep\`) - - > [!IMPORTANT] - > Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **`%systemroot%\panther`** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. - - If you don't wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC. - -Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using the Windows To Go startup options to test your workspace configuration, [configure the workspace for offline domain join](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)), or [enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)). - -### To prepare a host computer - -Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it's attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace. - -> [!TIP] -> If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. - -If you want to use the Windows To Go workspace, shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer. - -To set the Windows To Go Startup options for host computers running Windows 10: - -1. Search for **Windows To Go startup options** and then press **Enter**. - -2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB - -For host computers running Windows 8 or Windows 8.1: - -1. Press **Windows logo key+W**, search for **Windows To Go startup options**, and then press **Enter**. - -2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB. - -You can configure your organization's computers to automatically start from the USB drive by enabling the following Group Policy setting: - -**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Portable Operating System** > **Windows To Go Default Startup Options** - -After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it's started. Users won't be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected won't occur unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options. - -Your host computer is now ready to boot directly into Windows To Go workspace when it's inserted prior to starting the computer. Optionally you can perform [Configure Windows To Go workspace for offline domain join](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) and [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)). - -### Booting your Windows To Go workspace - -After you've configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace: - -**To boot your workspace:** - -1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it. - -2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender. - -3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to enter the password, otherwise the workspace will boot directly into the Windows To Go workspace. - -## Advanced deployment steps - -The following steps are used for more advanced deployments where you want to have further control over the configuration of the Windows To Go drives, ensure that they're correctly configured for remote access to your organizational resources, and have been protected with BitLocker Drive Encryption. - -### Configure Windows To Go workspace for remote access - -Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer that is outside your corporate network. To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that don't have physical access to your corporate network. - -**Prerequisites for remote access scenario:** - -- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer - -- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings. - -- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer - -- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain - -**To configure your Windows To Go workspace for remote access:** - -1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by <>) with the ones applicable for your environment: - - ```cmd - djoin.exe /provision /domain /machine /certtemplate /policynames /savefile /reuse - ``` - - > [!NOTE] - > The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using `djoin.exe` with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)). - -2. Insert the Windows To Go drive. - -3. Launch an elevated Windows PowerShell prompt by right-clicking the Windows PowerShell shortcut in the taskbar, and then clicking **Run as Administrator**. - -4. From the Windows PowerShell command prompt run: - -
-
- Expand this section to show PowerShell commands to run - - ```powershell - # The following command will set $Disk to all USB drives with >20 GB of storage - - $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } - - #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase. - # - # To skip the confirmation prompt, append -confirm:$False - Clear-Disk -InputObject $Disk[0] -RemoveData - - # This command initializes a new MBR disk - Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR - - # This command creates a 350 MB system partition - $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive - - # This formats the volume with a FAT32 Filesystem - # To skip the confirmation dialog, append -Confirm:$False - Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 ` - -Partition $SystemPartition - - # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage. - $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize - Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS ` - -Partition $OSPartition - - # This command assigns drive letters to the new drive, the drive letters chosen should not already be in use. - Set-Partition -InputObject $SystemPartition -NewDriveLetter "S" - Set-Partition -InputObject $OSPartition -NewDriveLetter "W" - - # This command toggles the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. - Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE - ``` - -
- -5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - - ```cmd - #The WIM file must contain a sysprep generalized image. - dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ - ``` - - > [!TIP] - > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - -6. After those commands have completed, run the following command: - - ```cmd - djoin.exe /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows - ``` - -7. Next, we'll need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we're hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you've configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)): - -
-
- Expand this section to show example unattend.xml file - - ```xml - - - - - true - - true - 1 - Work - - - - true - - true - 1 - Work - - - - - ``` - -
- -8. Safely remove the Windows To Go drive. - -9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace. - - - If on premises using a host computer with a direct network connection, sign on using your domain credentials. - - - If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. - - > [!NOTE] - > Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. - -You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. - -### Enable BitLocker protection for your Windows To Go drive - -Enabling BitLocker on your Windows To Go drive will help ensure that your data is protected from unauthorized use and that if your Windows To Go drive is lost or stolen it will not be easy for an unauthorized person to obtain confidential data or use the workspace to gain access to protected resources in your organization. When BitLocker is enabled, each time you boot your Windows To Go drive, you'll be asked to provide the BitLocker password to unlock the drive. The following procedure provides the steps for enabling BitLocker on your Windows To Go drive: - -#### Prerequisites for enabling BitLocker scenario - -- A Windows To Go drive that can be successfully provisioned. - -- A computer running Windows 8 configured as a Windows To Go host computer - -- Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: - - - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** - - This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting. - - - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure use of passwords for operating system drives** - - This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** must be also enabled. - - - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Enable use of BitLocker authentication requiring preboot keyboard input on slates** - - This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives. - -You can choose to enable BitLocker protection on Windows To Go drives before distributing them to users as part of your provisioning process or you can allow your end-users to apply BitLocker protection to them after they have taken possession of the drive. A step-by-step procedure is provided for both scenarios. - -Enabling BitLocker during provisioning ensures that your operating system image is always protected by BitLocker. When enabling BitLocker during the provisioning process you can significantly reduce the time required for encrypting the drive by enabling BitLocker after configuring the disk and just prior to applying the image. If you use this method, you'll need to give users their BitLocker password when you give then their Windows To Go workspace. Also, you should instruct your users to boot their workspace and change their BitLocker password as soon as possible (this can be done with standard user privileges). - -Enabling BitLocker after distribution requires that your users turn on BitLocker. This means that your Windows To Go workspaces are unprotected until the user enables BitLocker. Administrative rights on the Windows To Go workspace are required to enable BitLocker. For more information about BitLocker, see the [BitLocker Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831713(v=ws.11)). - -#### BitLocker recovery keys - -BitLocker recovery keys are the keys that can be used to unlock a BitLocker protected drive if the standard unlock method fails. It's recommended that your BitLocker recovery keys be backed up to Active Directory Domain Services (AD DS). If you don't want to use AD DS to store recovery keys you can save recovery keys to a file or print them. How BitLocker recovery keys are managed differs depending on when BitLocker is enabled. - -- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. - -- If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user. - - > [!WARNING] - > If backing up recovery keys to AD DS isn't used and the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. - -#### To enable BitLocker during provisioning - -1. Start the host computer that is running Windows 8. - -2. Insert your Windows To Go drive. - -3. Launch an elevated Windows PowerShell prompt by right-clicking the Windows PowerShell shortcut in the taskbar, and then clicking **Run as Administrator**. - -4. Provision the Windows To Go drive using the following cmdlets: - - > [!NOTE] - > If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. - -
-
- Expand this section to show PowerShell commands to run - - ```powershell - # The following command will set $Disk to all USB drives with >20 GB of storage - - $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } - - #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase. - # - # To skip the confirmation prompt, append -confirm:$False - Clear-Disk -InputObject $Disk[0] -RemoveData - - # This command initializes a new MBR disk - Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR - - # This command creates a 350 MB system partition - $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive - - # This formats the volume with a FAT32 Filesystem - # To skip the confirmation dialog, append -Confirm:$False - Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 ` - -Partition $SystemPartition - - # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage. - $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize - Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS ` - -Partition $OSPartition - - # This command assigns drive letters to the new drive, the drive letters chosen should not already be in use. - Set-Partition -InputObject $SystemPartition -NewDriveLetter "S" - Set-Partition -InputObject $OSPartition -NewDriveLetter "W" - - # This command toggles the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. - Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE - ``` - -
- - Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM): - - > [!TIP] - > The index number must be set correctly to a valid Enterprise image in the `.wim` file. - - ```cmd - #The WIM file must contain a sysprep generalized image. - dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ - ``` - -5. In the same PowerShell session, use the following cmdlet to add a recovery key to the drive: - - ```powershell - $BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector - ``` - -6. Next, use the following cmdlets to save the recovery key to a file: - - ```powershell - #The BitLocker Recovery key is essential if for some reason you forget the BitLocker password - #This recovery key can also be backed up into Active Directory using manage-bde.exe or the - #PowerShell cmdlet Backup-BitLockerKeyProtector. - $RecoveryPassword = $BitlockerRecoveryProtector.KeyProtector.RecoveryPassword - $RecoveryPassword > WTG-Demo_Bitlocker_Recovery_Password.txt - ``` - -7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation: - - ```powershell - # Create a variable to store the password - $spwd = ConvertTo-SecureString -String -AsplainText -Force - Enable-BitLocker W: -PasswordProtector $spwd - ``` - - > [!WARNING] - > To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. - -8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten. - - > [!WARNING] - > If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. - - If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#to-enable-bitlocker-after-distribution). - -9. Safely remove the Windows To Go drive. - -The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following information: - -- Initial BitLocker password that they'll need to boot the drives. - -- Current encryption status. - -- Instructions to change the BitLocker password after the initial boot. - -- Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact. - -#### To enable BitLocker after distribution - -1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace - -2. Press **Windows logo key+W** to open **Search Settings**, type BitLocker and then select the item for BitLocker Drive Encryption. - -3. The drives on the workspace are displayed, select **Turn BitLocker On** for the C: drive. The **BitLocker Setup Wizard** appears. - -4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option. - -> [!NOTE] -> If you have not configured the Group Policy setting **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. - -### Advanced deployment sample script - -The following sample script supports the provisioning of multiple Windows To Go drives and the configuration of offline domain join. - -The sample script creates an unattend file that streamlines the deployment process so that the initial use of the Windows To Go drive doesn't prompt the end user for any additional configuration information before starting up. - -#### Prerequisites for running the advanced deployment sample script - -- To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. - -- Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the `djoin.exe` command to include the `policynames` and potentially the `certtemplate` parameters. - -- The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. - -#### To run the advanced deployment sample script - -1. Copy entire the code sample titled "Windows To Go multiple drive provisioning sample script" into a PowerShell script (.ps1) file. - -2. Make the modifications necessary for it to be appropriate to your deployment and save the file. - -3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt: - - ```powershell - Set-ExecutionPolicy RemoteSigned - ``` - - The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy). - - > [!TIP] - > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally, enter the following cmdlet, replacing `` with the name of the cmdlet you want to see the help for: - > - > `Get-Help -Online` - > - > This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser. - -#### Windows To Go multiple drive provisioning sample script - -
-
- Expand this section to view Windows To Go multiple drive provisioning sample script - -```powershell -<# -.SYNOPSIS -Windows To Go multiple drive provisioning sample script. - -.DESCRIPTION -This sample script will provision one or more Windows To Go drives, configure offline domain join (using random machine names) and provides an option for BitLocker encryption. To provide a seamless first boot experience, an unattend file is created that will set the first run (OOBE) settings to defaults. To improve performance of the script, copy your install image to a local location on the computer used for provisioning the drives. - -.EXAMPLE -.\WTG_MultiProvision.ps1 -InstallWIMPath c:\companyImages\amd64_enterprise.wim -provision drives connected to your machine with the provided image. -#> -param ( - [parameter(Mandatory=$true)] - [string] -#Path to install wim. If you have the full path to the wim or want to use a local file. - $InstallWIMPath, - - [string] -#Domain to which to join the Windows To Go workspaces. - $DomainName -) - - -<# - In order to set BitLocker Group Policies for our offline WTG image we need to create a Registry.pol file - in the System32\GroupPolicy folder. This file requires binary editing, which is not possible in PowerShell - directly so we have some C# code that we can use to add a type in our PowerShell instance that will write - the data for us. -#> -$Source = @" -using System; -using System.Collections.Generic; -using System.IO; -using System.Text; - -namespace MS.PolicyFileEditor -{ - //The PolicyEntry represents the DWORD Registry Key/Value/Data entry that will - //be written into the file. - public class PolicyEntry - { - private List byteList; - - public string KeyName { get; set; } - public string ValueName { get; set; } - - internal List DataBytes - { - get { return this.byteList; } - } - - public PolicyEntry( - string Key, - string Value, - uint data) - { - KeyName = Key; - ValueName = Value; - this.byteList = new List(); - byte[] arrBytes = BitConverter.GetBytes(data); - if (BitConverter.IsLittleEndian == false) { Array.Reverse(arrBytes); } - this.byteList.AddRange(arrBytes); - } - - ~PolicyEntry() - { - this.byteList = null; - } - } - - public class PolicyFile - { - private Dictionary entries; - - public List Entries - { - get - { - List policyList = new List(entries.Values); - return policyList; - } - } - - public PolicyFile() - { - this.entries = new Dictionary(StringComparer.OrdinalIgnoreCase); - } - - public void SetDWORDValue(string key, string value, uint data) - { - PolicyEntry entry = new PolicyEntry(key, value, data); - this.entries[entry.KeyName + "\\" + entry.ValueName] = entry; - } - - public void SaveFile(string file) - { - using (FileStream fs = new FileStream(file, FileMode.Create, FileAccess.Write)) - { - fs.Write(new byte[] { 0x50, 0x52, 0x65, 0x67, 0x01, 0x00, 0x00, 0x00 }, 0, 8); - byte[] openBracket = UnicodeEncoding.Unicode.GetBytes("["); - byte[] closeBracket = UnicodeEncoding.Unicode.GetBytes("]"); - byte[] semicolon = UnicodeEncoding.Unicode.GetBytes(";"); - byte[] nullChar = new byte[] { 0, 0 }; - - byte[] bytes; - - foreach (PolicyEntry entry in this.Entries) - { - fs.Write(openBracket, 0, 2); - bytes = UnicodeEncoding.Unicode.GetBytes(entry.KeyName); - fs.Write(bytes, 0, bytes.Length); - fs.Write(nullChar, 0, 2); - - fs.Write(semicolon, 0, 2); - bytes = UnicodeEncoding.Unicode.GetBytes(entry.ValueName); - fs.Write(bytes, 0, bytes.Length); - fs.Write(nullChar, 0, 2); - - fs.Write(semicolon, 0, 2); - bytes = BitConverter.GetBytes(4); - if (BitConverter.IsLittleEndian == false) { Array.Reverse(bytes); } - fs.Write(bytes, 0, 4); - - fs.Write(semicolon, 0, 2); - byte[] data = entry.DataBytes.ToArray(); - bytes = BitConverter.GetBytes((uint)data.Length); - if (BitConverter.IsLittleEndian == false) { Array.Reverse(bytes); } - fs.Write(bytes, 0, 4); - - fs.Write(semicolon, 0, 2); - fs.Write(data, 0, data.Length); - fs.Write(closeBracket, 0, 2); - } - fs.Close(); - } - } - } -} -"@ - -######################################################################## -# -# Helper Functions -# -Function CreateUnattendFile { -param ( - [parameter(Mandatory=$true)] - [string] - $Arch -) - - if ( Test-Path "WtgUnattend.xml" ) { - del .\WtgUnattend.xml - } - $unattendFile = New-Item "WtgUnattend.xml" -type File - $fileContent = @" - - - - - - true - 1 - Work - - - - en-US - en-US - en-US - en-US - - - true - - - -"@ - - Set-Content $unattendFile $fileContent - -#return the file object - $unattendFile -} - -Function CreateRegistryPolicyFile { - - $saveFileLocaiton = "" + (get-location) + "\registry.pol" - - $policyFile = New-Object MS.PolicyFileEditor.PolicyFile - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseAdvancedStartup", 1) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "EnableBDEWithNoTPM", 1) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPM", 2) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMPIN", 2) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMKey", 2) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMKeyPIN", 2) - $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "OSEnablePrebootInputProtectorsOnSlates", 1) - $policyFile.SaveFile($saveFileLocaiton) - - $saveFileLocaiton -} - -######################################################################## - -if ( Test-Path $installWIMPath ){ - write-output "Image: $installWIMPath" -} -else{ - write-output "Unable to find image: $installWIMPath" "Exiting the script" - exit -} - -if ( (Get-WindowsImage -ImagePath $InstallWIMPath -Index 1).Architecture -eq 0 ){ - $Arch = "x86" -} -else{ - $Arch = "amd64" -} - -$starttime = get-date - -#Add type information for modifing the Registy Policy file -Add-Type -TypeDefinition $Source -Language CSharp - -#Create helper files -$unattendFile = CreateUnattendFile -Arch $Arch -$registryPolFilePath = CreateRegistryPolicyFile - -$Disks = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } -if ($Disks -eq $null) -{ - Write-Output "No USB Disks found, exiting the script. Please check that you have a device connected." - exit -} - -#We want to make sure that all non-boot connected USB drives are online, writeable and cleaned. -#This command will erase all data from all USB drives larger than 20Gb connected to your machine -#To automate this step you can add: -confirm:$False -Clear-Disk -InputObject $Disks -RemoveData -erroraction SilentlyContinue - -# Currently the provisioning script needs drive letters (for dism and bcdboot.exe) and the script is more -# reliable when the main process determines all of the free drives and provides them to the sub-processes. -# Use a drive index starting at 1, since we need 2 free drives to proceed. (system & operating system) -$driveLetters = 68..90 | ForEach-Object { "$([char]$_):" } | - Where-Object { - (new-object System.IO.DriveInfo $_).DriveType -eq 'noRootdirectory' - } -$driveIndex = 1 - -foreach ($disk in $Disks) -{ - - if ( $driveIndex -lt $driveLetters.count ) - { - Start-Job -ScriptBlock { - $installWIMPath = $args[0] - $unattendFile = $args[1] - $Disk = $args[2] - $SystemDriveLetter = $args[3] - $OSDriveLetter = $args[4] - $DomainName = $args[5] - $policyFilePath = $args[6] - -#For compatibility between UEFI and legacy BIOS we use MBR for the disk. - Initialize-Disk -InputObject $Disk -PartitionStyle MBR - -#A short sleep between creating a new partition and formatting helps ensure the partition -#is ready before formatting. - $SystemPartition = New-Partition -InputObject $Disk -Size (350MB) -IsActive - Sleep 1 - Format-Volume -Partition $SystemPartition -FileSystem FAT32 -NewFileSystemLabel "UFD-System" -confirm:$False | Out-Null - - $OSPartition = New-Partition -InputObject $Disk -UseMaximumSize - Sleep 1 - Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS -Partition $OSPartition -confirm:$False | Out-Null - - -#The No default drive letter prevents other computers from displaying contents of the drive when connected as a Data drive. - Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE - Set-Partition -InputObject $SystemPartition -NewDriveLetter $SystemDriveLetter - Set-Partition -InputObject $OSPartition -NewDriveLetter $OSDriveLetter - - dism /apply-image /index:1 /applydir:${OSDriveLetter}:\ /imagefile:$InstallWIMPath - if (!$?){ - write-output "DISM image application failed, exiting." - exit - } - - copy $unattendFile ${OSDriveLetter}:\Windows\System32\sysprep\unattend.xml - -#Create the directory for the Machine Registry Policy file, surpressing the output and any error -#and copy the pre-created Registry.pol file to that location. - write-output "Set BitLocker default policies for WindowsToGo" - md ${OSDriveLetter}:\windows\System32\GroupPolicy\Machine | out-null - copy $policyFilePath ${OSDriveLetter}:\windows\System32\GroupPolicy\Machine - -#modify the registry of the image to set SanPolicy. This is also where you could set the default -#keyboard type for USB keyboards. - write-output "Modify SAN Policy" - reg load HKLM\PW-System ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log - reg add HKLM\PW-System\ControlSet001\Services\Partmgr\Parameters /v SanPolicy /d 4 /t REG_DWORD /f > info.log - reg unload HKLM\PW-System > info.log - -#We're running bcdboot from the newly applied image so we know that the correct boot files for the architecture and operating system are used. -#This will fail if we try to run an amd64 bcdboot.exe on x86. - cmd /c "$OSDriveLetter`:\Windows\system32\bcdboot $OSDriveLetter`:\Windows /f ALL /s $SystemDriveLetter`:" - if (!$?){ - write-output "BCDBOOT.exe failed, exiting script." - exit - } - - <# - If a domain name was provided to the script, we will create a random computer name - and perform an offline domain join for the device. With this command we also suppress the - Add User OOBE screen. -#> - if ($DomainName) - { -#using get-random, we will create a random computer name for the drive. - $suffix = Get-Random - $computername = "wtg-" + $suffix - djoin /provision /domain $DomainName /savefile ${OSDriveLetter}:\tempBLOB.bin /reuse /machine $computername - djoin /requestodj /loadfile ${OSDriveLetter}:\tempBLOB.bin /windowspath ${OSDriveLetter}:\windows > info.log - del ${OSDriveLetter}:\tempBLOB.bin - -#add offline registry key to skip user account screen - write-output "Add Offline Registry key for skipping UserAccount OOBE page." - reg load HKLM\PW-Temp${OSDriveLetter} ${OSDriveLetter}:\Windows\System32\config\SOFTWARE > info.log - reg add HKLM\PW-Temp${OSDriveLetter}\Microsoft\Windows\CurrentVersion\Setup\OOBE /v UnattendCreatedUser /d 1 /t REG_DWORD > info.log - reg unload HKLM\PW-Temp${OSDriveLetter} > info.log - } - - try - { - Write-VolumeCache -DriveLetter ${OSDriveLetter} - Write-Output "Disk is now ready to be removed." - } - catch [System.Management.Automation.CommandNotFoundException] - { - write-output "Flush Cache not supported, Be sure to safely remove the WTG device." - } - - - } -ArgumentList @($installWIMPath, $unattendFile, $disk, $driveLetters[$driveIndex-1][0], $driveLetters[$driveIndex][0], $DomainName, $registryPolFilePath) - } - $driveIndex = $driveIndex + 2 -} -#wait for all threads to finish -get-job | wait-job - -#print output from all threads -get-job | receive-job - -#delete the job objects -get-job | remove-job - - -#Cleanup helper files -del .\WtgUnattend.xml -del .\Registry.pol - -$finishtime = get-date -$elapsedTime = new-timespan $starttime $finishtime -write-output "Provsioning completed in: $elapsedTime (hh:mm:ss.000)" -write-output "" "Provisioning script complete." -``` - -
- -## Considerations when using different USB keyboard layouts with Windows To Go - -In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout: - -```cmd -reg.exe load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log -reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f -reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f -reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f -reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f -reg.exe unload HKLM\WTG-Keyboard -``` - -## Related articles - -[Windows To Go: feature overview](planning/windows-to-go-overview.md) - -[Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) - -[Prepare your organization for Windows To Go](planning//prepare-your-organization-for-windows-to-go.md) - -[Deployment considerations for Windows To Go](planning//deployment-considerations-for-windows-to-go.md) - -[Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) - -[BitLocker overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831713(v=ws.11)) diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 136f9e7998..933c48b4b8 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -21,7 +21,7 @@ items: - name: Delivery Optimization reference href: waas-delivery-optimization-reference.md - - name: Delivery Optimization client-service communication + - name: Delivery Optimization workflow, privacy, security, and endpoints href: delivery-optimization-workflow.md - name: Using a proxy with Delivery Optimization href: delivery-optimization-proxy.md diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index 9189e7e85d..bbfa7de7b5 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -1,8 +1,8 @@ --- title: Microsoft Connected Cache content and services endpoints description: List of fully qualified domain names, ports, and associated content used by Microsoft Connected Cache. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: cmknox ms.author: carmenf diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md index 70feba838a..daa2eca850 100644 --- a/windows/deployment/do/delivery-optimization-proxy.md +++ b/windows/deployment/do/delivery-optimization-proxy.md @@ -1,8 +1,8 @@ --- title: Using a proxy with Delivery Optimization description: Settings to use with various proxy configurations to allow Delivery Optimization to work in your environment. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: cmknox ms.author: carmenf diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md index bb0123cd75..51daba73a3 100644 --- a/windows/deployment/do/delivery-optimization-test.md +++ b/windows/deployment/do/delivery-optimization-test.md @@ -1,8 +1,8 @@ --- title: Testing Delivery Optimization description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different scenarios. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: cmknox ms.author: carmenf diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index b5082f4ec4..7c2b567c9c 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -1,36 +1,47 @@ --- -title: Delivery Optimization client-service communication -description: Details of how Delivery Optimization communicates with the server when content is requested to download. -ms.prod: windows-client -ms.technology: itpro-updates +title: Delivery Optimization workflow, privacy, security, and endpoints +description: Details of how Delivery Optimization communicates with the server when content is requested to download including privacy, security, and endpoints. +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: cmknox ms.author: carmenf manager: aaroncz ms.reviewer: mstewart -ms.collection: tier3 +ms.collection: + - tier3 + - essentials-privacy + - essentials-security ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Delivery Optimization -ms.date: 12/31/2017 +ms.date: 01/18/2024 --- -# Delivery Optimization client-service communication explained +# Delivery Optimization workflow, privacy, security, and endpoints -Delivery Optimization is a cloud-managed solution that uses peer-to-peer (P2P) and local caching to deliver software updates and apps to Windows clients across your network. This article describes details of how Delivery Optimization communicates with the server when content is requested to download. -## Download request workflow +Delivery Optimization is a cloud-managed solution that uses peer-to-peer (P2P) and local caching to deliver software updates and apps to Windows clients across your network. This article describes details of how Delivery Optimization communicates with the server when content is requested to download and contains information about privacy, security, and endpoints. -This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from. +## How we help keep your data safe + +Delivery Optimization can't be used to download or send personal content. Delivery Optimization doesn't access personal files or folders, and it doesn't change any files on the device. + +Delivery Optimization downloads the same updates and apps that you would get through [Windows Update](../update/windows-update-security.md), Microsoft Store apps, and other Microsoft updates using the same security measures. To make sure you're getting authentic updates, Delivery Optimization gets information securely from Microsoft to check the authenticity of each part of an update or app that it downloads from other PCs. The authenticity of the downloads is checked again before installing it. + +## Download request workflow + +This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device and explains client-service communication. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from. 1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). 2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to use peer-to-peer. 3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file. 4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download. -5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to "simple mode”. Simple mode will only pull content from the HTTP source and peer-to-peer won't be allowed. +5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to simple mode. Simple mode will only pull content from the HTTP source and peer-to-peer won't be allowed. 6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it. + ## Delivery Optimization service endpoint and data information |Endpoint hostname | Port|Name|Description|Data sent from the computer to the endpoint diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md index 47fd869124..bc36a395ef 100644 --- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -2,12 +2,12 @@ title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diagnose/Solve feature UI manager: aaroncz description: Elixir images read me file -ms.prod: windows-client +ms.service: windows-client author: nidos ms.author: nidos ms.topic: article ms.date: 12/31/2017 -ms.technology: itpro-updates +ms.subservice: itpro-updates robots: noindex --- diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md index cce1f7f7f6..5e0061e00b 100644 --- a/windows/deployment/do/includes/get-azure-subscription.md +++ b/windows/deployment/do/includes/get-azure-subscription.md @@ -4,8 +4,8 @@ author: cmknox ms.reviewer: mstewart manager: aaroncz ms.date: 10/18/2022 -ms.prod: windows-client -ms.technology: itpro-deploy +ms.service: windows-client +ms.subservice: itpro-deploy ms.topic: include ms.localizationpriority: medium --- diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md index fbe43f8660..05feb7ea27 100644 --- a/windows/deployment/do/includes/mcc-prerequisites.md +++ b/windows/deployment/do/includes/mcc-prerequisites.md @@ -3,8 +3,8 @@ ms.author: carmenf author: cmknox ms.reviewer: mstewart manager: aaroncz -ms.prod: windows-client -ms.technology: itpro-deploy +ms.service: windows-client +ms.subservice: itpro-deploy ms.topic: include ms.date: 11/09/2022 ms.localizationpriority: medium diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index e34d7b6de7..03b2ddc0ac 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -7,11 +7,12 @@ metadata: title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about using peer to peer downloads on Windows clients and learn about Microsoft Connected Cache. # Required; article description that is displayed in search results. < 160 chars. ms.topic: landing-page - ms.prod: windows-client - ms.technology: itpro-updates + ms.service: windows-client + ms.subservice: itpro-updates ms.collection: - highpri - tier3 + - essentials-navigation author: aczechowski ms.author: aaroncz manager: aaroncz diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md index 353a3d4dee..bd557375d2 100644 --- a/windows/deployment/do/mcc-ent-edu-overview.md +++ b/windows/deployment/do/mcc-ent-edu-overview.md @@ -1,8 +1,8 @@ --- title: MCC for Enterprise and Education Overview description: Overview, supported scenarios, and content types for Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md index ec13e41993..9add17a1be 100644 --- a/windows/deployment/do/mcc-enterprise-appendix.md +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -1,8 +1,8 @@ --- title: Appendix for MCC for Enterprise and Education description: This article contains reference information for Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference ms.author: carmenf author: cmknox @@ -40,7 +40,7 @@ Most customers choose to install their cache node on a Windows Server with a nes Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made. Ensure the VM is turned off before making the following configuration changes: 1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**. -1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"** is switched to **Yes**. +1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"** and **"Forged transmits"** are switched to **Yes**. ### Installing on Hyper-V diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index 65d63be915..50c983569b 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -1,8 +1,8 @@ --- title: Deploying your cache node description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node from the Auzre portal. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index ba0aaef324..752eb75f2e 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md @@ -1,8 +1,8 @@ --- title: Requirements for MCC for Enterprise and Education description: Overview of prerequisites and recommendations for using Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md index a0a00f73f7..b36d56df66 100644 --- a/windows/deployment/do/mcc-enterprise-update-uninstall.md +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -1,8 +1,8 @@ --- title: Uninstall MCC for Enterprise and Education description: Details on how to uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md index 3a8b22508f..b78fb6bdd2 100644 --- a/windows/deployment/do/mcc-isp-cache-node-configuration.md +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md @@ -2,8 +2,8 @@ title: Cache node configuration settings manager: aaroncz description: List of options that are available while configuring a cache node for your environment from the Azure portal. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index 90165d9a23..675839a616 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -1,8 +1,8 @@ --- title: Create, provision, and deploy the cache node description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates manager: aaroncz author: nidos ms.author: nidos diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 4d845ee97e..863ae62232 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -2,8 +2,8 @@ metadata: title: Microsoft Connected Cache Frequently Asked Questions description: The following article is a list of frequently asked questions for Microsoft Connected Cache. - ms.prod: windows-client - ms.technology: itpro-updates + ms.service: windows-client + ms.subservice: itpro-updates ms.topic: faq ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/mcc-isp-overview.md b/windows/deployment/do/mcc-isp-overview.md index f299c32448..60b248f3ae 100644 --- a/windows/deployment/do/mcc-isp-overview.md +++ b/windows/deployment/do/mcc-isp-overview.md @@ -1,8 +1,8 @@ --- title: MCC for ISPs Overview description: Overview of Microsoft Connected Cache for ISPs. Learn about how MCC works, supported scenarios, and supported content. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: overview manager: aaroncz ms.author: carmenf diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index c125b1e4e9..4959e3160d 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md @@ -1,8 +1,8 @@ --- title: Operator sign up and service onboarding description: Instructions on how to go through the service onboarding process for Microsoft Connected Cache for ISPs. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to manager: aaroncz author: nidos diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md index 2916abf2ef..f3a9c45418 100644 --- a/windows/deployment/do/mcc-isp-support.md +++ b/windows/deployment/do/mcc-isp-support.md @@ -1,8 +1,8 @@ --- title: Support and troubleshooting description: Troubleshooting information for commonly encountered issues for onboarding or using Microsoft Connected Cache for ISPs. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: nidos ms.author: nidos diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md index bd9f199feb..b5c55362b2 100644 --- a/windows/deployment/do/mcc-isp-update.md +++ b/windows/deployment/do/mcc-isp-update.md @@ -1,8 +1,8 @@ --- title: Update or uninstall your cache node description: This article contains information on how to update or uninstall your cache node for Microsoft Connected Cache for ISPs. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md index eb3063a44f..eb44ce86c1 100644 --- a/windows/deployment/do/mcc-isp-verify-cache-node.md +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md @@ -2,8 +2,8 @@ title: Verify cache node functionality and monitor health titleSuffix: Microsoft Connected Cache for ISPs description: How to verify the functionality of a cache node, monitor health and performance, and review metrics. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index 18b1bb8b73..04c0fa00df 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -2,8 +2,8 @@ title: Enhancing cache performance titleSuffix: Microsoft Connected Cache for ISPs description: This article explains how to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index a8cdcfc4e1..4191c3cd7f 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md @@ -1,8 +1,8 @@ --- title: Microsoft Connected Cache for ISPs description: This article contains details about the early preview for Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs). -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.author: carmenf author: cmknox diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 92ff9cd2d4..7f80c2e084 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -2,8 +2,8 @@ metadata: title: Delivery Optimization Frequently Asked Questions description: List of frequently asked questions for Delivery Optimization. - ms.prod: windows-client - ms.technology: itpro-updates + ms.service: windows-client + ms.subservice: itpro-updates ms.topic: faq author: cmknox ms.author: carmenf diff --git a/windows/deployment/do/waas-delivery-optimization-monitor.md b/windows/deployment/do/waas-delivery-optimization-monitor.md index 512f9d41b7..a41d6159c2 100644 --- a/windows/deployment/do/waas-delivery-optimization-monitor.md +++ b/windows/deployment/do/waas-delivery-optimization-monitor.md @@ -1,8 +1,8 @@ --- title: Monitor Delivery Optimization description: How to monitor Delivery Optimization using either the Windows Update for Business Delivery Optimization Report or Windows PowerShell cmdlets -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference ms.author: carmenf author: cmknox @@ -10,6 +10,7 @@ manager: aaroncz ms.reviewer: mstewart ms.collection: - tier3 + - essentials-manage ms.localizationpriority: medium appliesto: - ✅ Windows 11 @@ -46,7 +47,7 @@ For details, see [Windows Update for Business Delivery Optimization Report](/win | TotalBytesDownloaded | The number of bytes from any source downloaded so far | | PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | | BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | -| BytesfromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, which includes BytesFromCacheServer | +| BytesfromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, **which includes BytesFromCacheServer** | | Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but isn't uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | | Priority | Priority of the download; values are **foreground** or **background** | | BytesFromCacheServer | Total number of bytes received from cache server (MCC) | diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 856311df11..20bea68778 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -1,8 +1,8 @@ --- title: Delivery Optimization reference description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: cmknox ms.author: carmenf @@ -204,7 +204,7 @@ This setting specifies the minimum content file size in MB enabled to use Peer C ### Maximum Download Bandwidth -MDM Setting: **DOMaxUploadBandwidth** +MDM Setting: **DOMaxDownloadBandwidth** Deprecated in Windows 10, version 2004. This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimize the maximum bandwidth used. @@ -259,7 +259,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID). -The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. +In Windows 11, the Local Peer Discovery (DNS-SD) option can be set via MDM or Group Policy. However, in Windows 10, this feature can be enabled by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. ### Delay background download from HTTP (in secs) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 40c469034e..9291818694 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -1,14 +1,16 @@ --- title: Set up Delivery Optimization description: In this article, learn how to set up Delivery Optimization for use by Windows clients in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to author: cmknox ms.author: carmenf ms.reviewer: mstewart manager: aaroncz -ms.collection: tier3 +ms.collection: + - tier3 + - essentials-get-started ms.localizationpriority: medium appliesto: - ✅ Windows 11 diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 3f0f9432e6..caf711d69b 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -1,8 +1,8 @@ --- title: What is Delivery Optimization? description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: overview author: cmknox ms.author: carmenf @@ -11,6 +11,7 @@ ms.reviewer: mstewart ms.collection: - tier3 - highpri + - essentials-overview ms.localizationpriority: medium appliesto: - ✅ Windows 11 diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index e3c42165c0..c02d74c2df 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -1,8 +1,8 @@ --- title: Microsoft Connected Cache overview description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: overview author: cmknox ms.author: carmenf diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index 7f07d6a15f..d145e150d9 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md @@ -1,9 +1,9 @@ --- title: Optimize Windows update delivery description: Learn about the two methods of peer-to-peer content distribution that are available, Delivery Optimization and BranchCache. -ms.prod: windows-client +ms.service: windows-client ms.topic: conceptual -ms.technology: itpro-updates +ms.subservice: itpro-updates ms.author: carmenf author: cmknox ms.reviewer: mstewart diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 7c18691ae6..d9a769354f 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md @@ -1,8 +1,8 @@ --- title: What's new in Delivery Optimization description: What's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: cmknox ms.author: carmenf diff --git a/windows/deployment/images/insider.png b/windows/deployment/images/insider.png new file mode 100644 index 0000000000..dbe00408cb Binary files /dev/null and b/windows/deployment/images/insider.png differ diff --git a/windows/deployment/includes/insider-note.md b/windows/deployment/includes/insider-note.md new file mode 100644 index 0000000000..a1160f8047 --- /dev/null +++ b/windows/deployment/includes/insider-note.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.topic: include +ms.date: 01/11/2024 +--- + +:::row::: +:::column span="1"::: +:::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false"::: +:::column-end::: +:::column span="3"::: +> [!IMPORTANT] +>This article describes features or settings that are under development and only applicable to [Windows Insider Preview builds](/windows-insider/). The content is subject to change and may have dependencies on other features or services in preview. +:::column-end::: +:::row-end::: diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index bd107d8546..9ddf7595e4 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -7,15 +7,15 @@ metadata: title: Windows client deployment documentation # Required; browser tab title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying and updating Windows client devices in your organization. # Required; article description that is displayed in search results. < 160 chars. ms.topic: hub-page - ms.prod: windows-client - ms.technology: itpro-deploy + ms.service: windows-client + ms.subservice: itpro-deploy ms.collection: - highpri - tier1 author: aczechowski ms.author: aaroncz manager: aaroncz - ms.date: 12/20/2023 + ms.date: 01/18/2024 localization_priority: medium # common graphics: https://review.learn.microsoft.com/content-production-service/internal/image-gallery?branch=main @@ -129,7 +129,7 @@ additionalContent: - text: Convert a disk from MBR to GPT url: mbr-to-gpt.md - text: Resolve Windows upgrade errors - url: upgrade/resolve-windows-10-upgrade-errors.md + url: upgrade/resolve-windows-upgrade-errors.md - title: Licensing and activation links: diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index a0eb436b76..ecd4861cbb 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -1,7 +1,7 @@ --- title: MBR2GPT description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.author: frankroj ms.date: 11/16/2023 @@ -11,7 +11,7 @@ ms.topic: how-to ms.collection: - highpri - tier2 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md index 17ef12c6b3..e592664ec5 100644 --- a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md +++ b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md @@ -3,11 +3,11 @@ title: Applying Filters to Data in the SUA Tool (Windows 10) description: Learn how to apply filters to results from the Standard User Analyzer (SUA) tool while testing your application. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Applying Filters to Data in the SUA Tool diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md index 4e03a9e206..1d4df56098 100644 --- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md @@ -3,11 +3,11 @@ title: Available Data Types and Operators in Compatibility Administrator (Window description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Available Data Types and Operators in Compatibility Administrator diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md deleted file mode 100644 index 07285db62e..0000000000 --- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -title: Best practice recommendations for Windows To Go (Windows 10) -description: Learn about best practice recommendations for using Windows To Go, like using a USB 3.0 port with Windows to Go if it's available. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 10/28/2022 ---- - -# Best practice recommendations for Windows To Go - - -**Applies to** - -- Windows 10 - -> [!IMPORTANT] -> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -The following are the best practice recommendations for using Windows To Go: - -- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. -- Do not insert the Windows To Go drive into a running computer. -- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. -- If available, use a USB 3.0 port with Windows To Go. -- Do not install non-Microsoft core USB drivers on Windows To Go. -- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. - -Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. - -## More information - - -[Windows To Go: feature overview](windows-to-go-overview.md)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
- - - - - - - - - diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index 64ed4fae58..853283a0cc 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md @@ -3,10 +3,10 @@ title: Compatibility Administrator User's Guide (Windows 10) manager: aaroncz ms.author: frankroj description: The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows. -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index 49fca85218..dd2905355f 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -3,11 +3,11 @@ title: Compatibility Fix Database Management Strategies and Deployment (Windows manager: aaroncz ms.author: frankroj description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database. -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Compatibility Fix Database Management Strategies and Deployment diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index 79207612a8..e9bc0caf59 100644 --- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md @@ -3,11 +3,11 @@ title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index 18f1b3e14e..c1946e6941 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -3,10 +3,10 @@ title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windo description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index 80892aa2d5..9e8137b12b 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md @@ -3,11 +3,11 @@ title: Create a Custom Compatibility Mode (Windows 10) description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Creating a Custom Compatibility Mode in Compatibility Administrator diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md index 31f4cff7a1..a77208735d 100644 --- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md @@ -3,11 +3,11 @@ title: Create AppHelp Message in Compatibility Administrator (Windows 10) description: Create an AppHelp text message with Compatibility Administrator; a message that appears upon starting an app with major issues on the Windows® operating system. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Creating an AppHelp Message in Compatibility Administrator diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md deleted file mode 100644 index e4cce0cd24..0000000000 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ /dev/null @@ -1,179 +0,0 @@ ---- -title: Deployment considerations for Windows To Go (Windows 10) -description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 10/28/2022 ---- - -# Deployment considerations for Windows To Go - -**Applies to** - -- Windows 10 - -> [!IMPORTANT] -> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs. - -> [!NOTE] -> Windows To Go does not support operating system upgrades. Windows To Go is designed as a feature that is managed centrally. IT departments that plan to transition from one operating system version to a later version will need to incorporate re-imaging their existing Windows To Go drives as part of their upgrade deployment process. - -The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go. - -- [Initial boot experiences](#wtg-initboot) -- [Image deployment and drive provisioning considerations](#wtg-imagedep) -- [Application installation and domain join](#wtg-appinstall) -- [Management of Windows To Go using Group Policy](#bkmk-wtggp) -- [Supporting booting from USB](#wtg-bootusb) -- [Updating firmware](#stg-firmware) -- [Configure Windows To Go startup options](#wtg-startup) -- [Change firmware settings](#wtg-changefirmware) - -## Initial boot experiences - -The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises: - -![initial boot on-premises.](images/wtg-first-boot-work.gif) - -When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It isn't necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but isn't required. - -![initial boot off-premises.](images/wtg-first-boot-home.gif) - -When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee's home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized. - -> [!TIP] -> Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)). - -DirectAccess can be used to ensure that the user can log in with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831520(v=ws.11)) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134200(v=ws.11)). If you don't want to use DirectAccess as an alternative user could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network. - -### Image deployment and drive provisioning considerations - -The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. - -![windows to go image deployment.](images/wtg-image-deployment.gif) - -The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device hasn't been booted. After the Windows To Go drive is initialized, it shouldn't be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives. - -> [!TIP] -> When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments. - -**Driver considerations** - -Windows includes most of the drivers that you'll need to support a wide variety of host computers. However, you'll occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you're using Windows To Go on a set of known host computers, you can add any more drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get more drivers if necessary. - -Wi-Fi network adapter drivers are one of the most important drivers to make sure that you include in your standard image so that users can easily connect to the internet for any additional updates. IT administrators that are attempting to build Windows 10 images for use with Windows To Go should consider adding additional Wi-Fi drivers to their image to ensure that their users have the best chance of still having basic network connectivity when roaming between systems. - -The following list of commonly used Wi-Fi network adapters that aren't supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image. - -|Vendor name|Product description|HWID|Windows Update availability| -|--- |--- |--- |--- | -|Broadcom|802.11abgn Wireless SDIO adapter|sd\vid_02d0&pid_4330&fn_1|Contact the system OEM or Broadcom for driver availability.| -|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00d6106b&rev_02|Contact the system OEM or Broadcom for driver availability.| -|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00f5106b&rev_02|Contact the system OEM or Broadcom for driver availability.| -|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00ef106b&rev_02|Contact the system OEM or Broadcom for driver availability.| -|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00f4106b&rev_02|Contact the system OEM or Broadcom for driver availability.| -|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_010e106b&rev_02|Contact the system OEM or Broadcom for driver availability.| -|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_00e4106b&rev_02|Contact the system OEM or Broadcom for driver availability.| -|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_433114e4&rev_02|Contact the system OEM or Broadcom for driver availability.| -|Broadcom|802.11n Network Adapter|pci\ven_14e4&dev_4331&subsys_010f106b&rev_02|Contact the system OEM or Broadcom for driver availability.| -|Marvell|Yukon 88E8001/8003/8010 PCI Gigabit Ethernet|pci\ven_11ab&dev_4320&subsys_811a1043|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619080)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619082)| -|Marvell|Libertas 802.11b/g Wireless|pci\ven_11ab&dev_1faa&subsys_6b001385&rev_03|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619128)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619129)| -|Qualcomm|Atheros AR6004 Wireless LAN Adapter|sd\vid_0271&pid_0401|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619086)
64-bit driver not available| -|Qualcomm|Atheros AR5BWB222 Wireless Network Adapter|pci\ven_168c&dev_0034&subsys_20031a56|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619348)
64-bit driver not available| -|Qualcomm|Atheros AR5BWB222 Wireless Network Adapter|pci\ven_168c&dev_0034&subsys_020a1028&rev_01|Contact the system OEM or Qualcom for driver availability.| -|Qualcomm|Atheros AR5005G Wireless Network Adapter|pci\ven_168c&dev_001a&subsys_04181468&rev_01|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619349)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619091)| -|Ralink|Wireless-G PCI Adapter|pci\ven_1814&dev_0301&subsys_00551737&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619092)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619093)| -|Ralink|Turbo Wireless LAN Card|pci\ven_1814&dev_0301&subsys_25611814&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619094)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619095)| -|Ralink|Wireless LAN Card V1|pci\ven_1814&dev_0302&subsys_3a711186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619097)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619098)| -|Ralink|D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)|pci\ven_1814&dev_0302&subsys_3c091186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619099)

[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619100)| - -IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that isn't supported by class drivers. Some consumer devices require OEM-specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)). - -### Application installation and domain join - -Unless you're using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace won't be domain joined and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications - -### Management of Windows To Go using Group Policy - -In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor. - -The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at `\\Computer Configuration\Administrative Templates\Windows Components\Store\` in the Local Group Policy Editor. The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment: - -**Settings for workspaces** - -- **Allow hibernate (S4) when started from a Windows To Go workspace** - - This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it's important that the hardware attached to the system, and the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace isn't being used to roam between host PCs. - - > [!IMPORTANT] - > For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port. - -- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace** - - This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it's shut down. It could be easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace can't use the standby states to cause the PC to enter sleep mode. If you disable or don't configure this policy setting, the Windows To Go workspace can place the PC in sleep mode. - -**Settings for host PCs** - -- **Windows To Go Default Startup Options** - - This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users won't be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog. - - > [!IMPORTANT] - > Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started. - -## Supporting booting from USB - -The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB. - -> [!NOTE] -> Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options. - -If you're going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). - -### Roaming between different firmware types - -Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams. - -![bios layout.](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif) - -This presented a unique challenge for Windows To Go because the firmware type isn't easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware. - -To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually, you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command: - -![firmware roaming disk layout.](images/wtg-mbr-firmware-roaming.gif) - -This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware. - -### Configure Windows To Go startup options - -Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options, you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured. - -**To configure Windows To Go startup options** - -1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and, then press Enter. - - ![windows to go startup options.](images/wtg-startup-options.gif) - -2. Select **Yes** to enable the startup options. - - > [!TIP] - > If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog. - -3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**. - -### Change firmware settings - -If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer, you'll need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7, you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you don't suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode. - -## Related topics - -[Windows To Go: feature overview](windows-to-go-overview.md)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml) diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index a6299026c3..e37786a9a6 100644 --- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md @@ -3,10 +3,10 @@ title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md index a39866b132..7155581ea8 100644 --- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md +++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md @@ -3,11 +3,11 @@ title: Fixing Applications by Using the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Fixing Applications by Using the SUA Tool diff --git a/windows/deployment/planning/images/wtg-first-boot-home.gif b/windows/deployment/planning/images/wtg-first-boot-home.gif deleted file mode 100644 index 46cd605a2e..0000000000 Binary files a/windows/deployment/planning/images/wtg-first-boot-home.gif and /dev/null differ diff --git a/windows/deployment/planning/images/wtg-first-boot-work.gif b/windows/deployment/planning/images/wtg-first-boot-work.gif deleted file mode 100644 index c1a9a9d31d..0000000000 Binary files a/windows/deployment/planning/images/wtg-first-boot-work.gif and /dev/null differ diff --git a/windows/deployment/planning/images/wtg-gpt-uefi.gif b/windows/deployment/planning/images/wtg-gpt-uefi.gif deleted file mode 100644 index 2ff2079a3c..0000000000 Binary files a/windows/deployment/planning/images/wtg-gpt-uefi.gif and /dev/null differ diff --git a/windows/deployment/planning/images/wtg-image-deployment.gif b/windows/deployment/planning/images/wtg-image-deployment.gif deleted file mode 100644 index d622911f3e..0000000000 Binary files a/windows/deployment/planning/images/wtg-image-deployment.gif and /dev/null differ diff --git a/windows/deployment/planning/images/wtg-mbr-bios.gif b/windows/deployment/planning/images/wtg-mbr-bios.gif deleted file mode 100644 index b93796944a..0000000000 Binary files a/windows/deployment/planning/images/wtg-mbr-bios.gif and /dev/null differ diff --git a/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif b/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif deleted file mode 100644 index f21592c310..0000000000 Binary files a/windows/deployment/planning/images/wtg-mbr-firmware-roaming.gif and /dev/null differ diff --git a/windows/deployment/planning/images/wtg-startup-options.gif b/windows/deployment/planning/images/wtg-startup-options.gif deleted file mode 100644 index 302da78ea6..0000000000 Binary files a/windows/deployment/planning/images/wtg-startup-options.gif and /dev/null differ diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index 2cf46ee778..a50feb249b 100644 --- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md @@ -3,11 +3,11 @@ title: Install/Uninstall Custom Databases (Windows 10) description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md index 9c90b3ca24..69b7bd6cd3 100644 --- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -3,11 +3,11 @@ title: Managing Application-Compatibility Fixes and Custom Fix Databases (Window description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Managing Application-Compatibility Fixes and Custom Fix Databases diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md deleted file mode 100644 index 5f5b94be3f..0000000000 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ /dev/null @@ -1,106 +0,0 @@ ---- -title: Prepare your organization for Windows To Go (Windows 10) -description: Though Windows To Go is no longer being developed, you can find info here about the what, why, and when of deployment. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 10/28/2022 ---- - -# Prepare your organization for Windows To Go - -**Applies to** - -- Windows 10 - -> [!IMPORTANT] -> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the "what", "why", and "when" questions an IT professional might have when planning to deploy Windows To Go. - -## What is Windows To Go? - -Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. A Windows To Go workspace isn't intended to replace desktops or laptops, or supplant other mobility offerings. - -Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are: - -- USB boot capable -- Have USB boot enabled in the firmware -- Meet Windows 7 minimum system requirements -- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM isn't a supported processor for Windows To Go. -- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace - -Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go. - -The following articles will familiarize you with how you can use a Windows To Go workspace. They also give you an overview of some of the things you should consider in your design. - -## Usage scenarios - - -The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer: - -- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection, or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes. - -- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker. Then they can be assisted with any necessary other user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive. And run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker's personal computer. - -- **Managed free seating.** The employee is issued a Windows To Go drive. This drive is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return, they use the same USB flash drive but use a different host computer. - -- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work. This boot caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. - -- **Travel lightly.** In this situation, you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. - -> [!NOTE] -> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace's computer object isn't potentially deleted from Active Directory Domain Services (AD DS). - - ## Infrastructure considerations - -Because Windows To Go requires no other software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no other infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group. - -## Activation considerations - -Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements. - -Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This method is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](/DeployOffice/vlactivation/plan-volume-activation-of-office). - -You should investigate other software manufacturer's licensing requirements to ensure they're compatible with roaming usage before deploying them to a Windows To Go workspace. - -> [!NOTE] -> Using Multiple Activation Key (MAK) activation isn't a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive. - - For more information about these activation methods and how they can be used in your organization, see [Plan for Volume Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134042(v=ws.11)). - -## Organizational unit structure and use of Group Policy Objects - -You may find it beneficial to create other Active Directory organizational unit (OU) structures to support your Windows To Go deployment: one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers that can boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation. - -If you're deploying Windows To Go workspaces for a scenario in which they're not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store. - -For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -## Computer account management - -If you configure Windows To Go drives for scenarios where drives may remain unused for extended periods of time such as used in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule, or modify any maintenance scripts to not clean computer accounts in the Windows To Go device organizational unit. - -## User account and data management - -People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to be able to get to the data that they work with, and to keep it accessible when the workspace isn't being used. For this reason, we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). - -Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace. - -## Remote connectivity - -If you want Windows To Go to be able to connect back to organizational resources when it's being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn636119(v=ws.11)). - -## Related articles - - -[Windows To Go: feature overview](windows-to-go-overview.md) - -[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml) diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md index 826f2dfc4c..aa27616363 100644 --- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md @@ -3,11 +3,11 @@ title: Searching for Fixed Applications in Compatibility Administrator (Windows description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Searching for Fixed Applications in Compatibility Administrator diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index 4c0f2e2689..847fb0731b 100644 --- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md @@ -3,10 +3,10 @@ title: Searching for Installed Compatibility Fixes with the Query Tool in Compat description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md deleted file mode 100644 index b376163521..0000000000 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Security and data protection considerations for Windows To Go (Windows 10) -description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -author: frankroj -ms.topic: article -ms.technology: itpro-deploy -ms.date: 12/31/2017 ---- - -# Security and data protection considerations for Windows To Go - -**Applies to** - -- Windows 10 - -> [!IMPORTANT] -> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. - -## Backup and restore - -When you don't save data on the Windows To Go drive, you don't need for a backup and restore solution for Windows To Go. If you're saving data on the drive and aren't using folder redirection and offline files, you should back up all of your data to a network location such as cloud storage or a network share, after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. - -If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). - -## BitLocker - -We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) can't be used by BitLocker to protect the drive. Instead, you'll be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. - -You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. - -> [!Tip] -> If the Windows To Go Creator wizard isn't able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) - -When you use a host computer running Windows 7 that has BitLocker enabled, suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker isn't suspended first, the next boot of the computer is in recovery mode. - -## Disk discovery and data leakage - -We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive won't appear in Windows Explorer and an Auto-Play prompt won't be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. - -To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It's recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. - -For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)). - -## Security certifications for Windows To Go - -Windows to Go is a core capability of Windows when it's deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider's specific hardware environment. For more information about Windows security certifications, see the following articles. - -- [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria) - -- [FIPS 140 Evaluation](/windows/security/threat-protection/fips-140-validation) - -## Related articles - -[Windows To Go: feature overview](windows-to-go-overview.md) - -[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - -[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml) - - - diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md index 25850695fc..cb8a3ebc82 100644 --- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md +++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md @@ -3,11 +3,11 @@ title: Showing Messages Generated by the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Showing Messages Generated by the SUA Tool diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index 4f53104c76..47b4ffba5c 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -3,11 +3,11 @@ title: SUA User's Guide (Windows 10) description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # SUA User's Guide diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md index a2dff7087c..c6af910322 100644 --- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md +++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md @@ -3,11 +3,11 @@ title: Tabs on the SUA Tool Interface (Windows 10) description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Tabs on the SUA Tool Interface diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md index b2ff9f8850..481d2ce883 100644 --- a/windows/deployment/planning/testing-your-application-mitigation-packages.md +++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md @@ -3,11 +3,11 @@ title: Testing Your Application Mitigation Packages (Windows 10) description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Testing Your Application Mitigation Packages diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md index ee6976fca5..7327ff75b9 100644 --- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md +++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md @@ -3,10 +3,10 @@ title: Understanding and Using Compatibility Fixes (Windows 10) description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md index cb156708b7..d3c2f77b38 100644 --- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md +++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md @@ -3,11 +3,11 @@ title: Using the Compatibility Administrator Tool (Windows 10) description: This section provides information about using the Compatibility Administrator tool. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Using the Compatibility Administrator Tool diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index f6e1a6fbee..2ae090b3f3 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -3,11 +3,11 @@ title: Using the Sdbinst.exe Command-Line Tool (Windows 10) description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Using the Sdbinst.exe Command-Line Tool diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md index 5b72bfbc4b..043d002305 100644 --- a/windows/deployment/planning/using-the-sua-tool.md +++ b/windows/deployment/planning/using-the-sua-tool.md @@ -3,11 +3,11 @@ title: Using the SUA Tool (Windows 10) description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Using the SUA Tool diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index ce121c5440..8f7ed9170b 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -3,11 +3,11 @@ title: Using the SUA wizard (Windows 10) description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 10/28/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Using the SUA wizard diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md index 44cf622430..38b8b8cf10 100644 --- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md @@ -3,10 +3,10 @@ title: Viewing the Events Screen in Compatibility Administrator (Windows 10) description: You can use the Events screen to record and view activities in the Compatibility Administrator tool. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index e444794da2..83227970dd 100644 --- a/windows/deployment/planning/windows-10-compatibility.md +++ b/windows/deployment/planning/windows-10-compatibility.md @@ -3,11 +3,11 @@ title: Windows 10 compatibility (Windows 10) description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index b3911601ff..434b7da17f 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -3,11 +3,11 @@ title: Windows 10 deployment considerations (Windows 10) description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 853855b43b..3dee852942 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -3,8 +3,8 @@ metadata: title: Windows 10 Enterprise FAQ for IT pros (Windows 10) description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools - ms.prod: windows-client - ms.technology: itpro-deploy + ms.service: windows-client + ms.subservice: itpro-deploy ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 7341f4b302..06a835b0ba 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -3,11 +3,11 @@ title: Windows 10 infrastructure requirements (Windows 10) description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml deleted file mode 100644 index 4907345be4..0000000000 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ /dev/null @@ -1,455 +0,0 @@ -### YamlMime:FAQ -metadata: - title: Windows To Go frequently asked questions (Windows 10) - description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature. - ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e - ms.reviewer: - author: frankroj - ms.author: frankroj - manager: aaroncz - keywords: FAQ, mobile, device, USB - ms.prod: windows-client - ms.technology: itpro-deploy - ms.mktglfcycl: deploy - ms.pagetype: mobility - ms.sitesec: library - audience: itpro - ms.topic: faq - ms.date: 10/28/2022 -title: 'Windows To Go: frequently asked questions' -summary: | - **Applies to** - - - Windows 10 - - > [!IMPORTANT] - > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - - The following list identifies some commonly asked questions about Windows To Go. - - - [What is Windows To Go?](#what-is-windows-to-go-) - - - [Does Windows To Go rely on virtualization?](#does-windows-to-go-rely-on-virtualization-) - - - [Who should use Windows To Go?](#who-should-use-windows-to-go-) - - - [How can Windows To Go be deployed in an organization?](#how-can-windows-to-go-be-deployed-in-an-organization-) - - - [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#is-windows-to-go-supported-on-both-usb-2-0-and-usb-3-0-drives-) - - - [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#is-windows-to-go-supported-on-usb-2-0-and-usb-3-0-ports-) - - - [How do I identify a USB 3.0 port?](#how-do-i-identify-a-usb-3-0-port-) - - - [Does Windows To Go run faster on a USB 3.0 port?](#does-windows-to-go-run-faster-on-a-usb-3-0-port-) - - - [Can the user self-provision Windows To Go?](#can-the-user-self-provision-windows-to-go-) - - - [How can Windows To Go be managed in an organization?](#how-can-windows-to-go-be-managed-in-an-organization-) - - - [How do I make my computer boot from USB?](#how-do-i-make-my-computer-boot-from-usb-) - - - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-) - - - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-s-running-) - - - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-) - - - [Why can't I enable BitLocker from Windows To Go Creator?](#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) - - - [What power states do Windows To Go support?](#what-power-states-does-windows-to-go-support-) - - - [Why is hibernation disabled in Windows To Go?](#why-is-hibernation-disabled-in-windows-to-go-) - - - [Does Windows To Go support crash dump analysis?](#does-windows-to-go-support-crash-dump-analysis-) - - - [Do "Windows To Go Startup Options" work with dual boot computers?](#do--windows-to-go-startup-options--work-with-dual-boot-computers-) - - - [I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?](#i-plugged-my-windows-to-go-drive-into-a-running-computer-and-i-can-t-see-the-partitions-on-the-drive--why-not-) - - - [I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?](#i-m-booted-into-windows-to-go--but-i-can-t-browse-to-the-internal-hard-drive-of-the-host-computer--why-not-) - - - [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#why-does-my-windows-to-go-drive-have-an-mbr-disk-format-with-a-fat32-system-partition-) - - - [Is Windows To Go secure if I use it on an untrusted machine?](#is-windows-to-go-secure-if-i-use-it-on-an-untrusted-computer-) - - - [Does Windows To Go work with ARM processors?](#does-windows-to-go-work-with-arm-processors-) - - - [Can I synchronize data from Windows To Go with my other computer?](#can-i-synchronize-data-from-windows-to-go-with-my-other-computer-) - - - [What size USB Flash Drive do I need to make a Windows To Go drive?](#what-size-usb-flash-drive-do-i-need-to-make-a-windows-to-go-drive-) - - - [Do I need to activate Windows To Go every time I roam?](#do-i-need-to-activate-windows-to-go-every-time-i-roam-) - - - [Can I use all Windows features on Windows To Go?](#can-i-use-all-windows-features-on-windows-to-go-) - - - [Can I use all my applications on Windows To Go?](#can-i-use-all-my-applications-on-windows-to-go-) - - - [Does Windows To Go work slower than standard Windows?](#does-windows-to-go-work-slower-than-standard-windows-) - - - [If I lose my Windows To Go drive, will my data be safe?](#if-i-lose-my-windows-to-go-drive--will-my-data-be-safe-) - - - [Can I boot Windows To Go on a Mac?](#can-i-boot-windows-to-go-on-a-mac-) - - - [Are there any APIs that allow applications to identify a Windows To Go workspace?](#are-there-any-apis-that-allow-applications-to-identify-a-windows-to-go-workspace-) - - - [How is Windows To Go licensed?](#how-is-windows-to-go-licensed-) - - - [Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?](#does-windows-recovery-environment-work-with-windows-to-go--what-s-the-guidance-for-recovering-a-windows-to-go-drive-) - - - [Why won't Windows To Go work on a computer running Windows XP or Windows Vista?](#why-won-t-windows-to-go-work-on-a-computer-running-windows-xp-or-windows-vista-) - - - [Why does the operating system on the host computer matter?](#why-does-the-operating-system-on-the-host-computer-matter-) - - - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-it-doesn-t-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - - - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) - - - [How do I upgrade the operating system on my Windows To Go drive?](#how-do-i-upgrade-the-operating-system-on-my-windows-to-go-drive-) - - -sections: - - name: Ignored - questions: - - question: | - What is Windows To Go? - answer: | - Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs. - - - question: | - Does Windows To Go rely on virtualization? - answer: | - No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It's just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. - - - question: | - Who should use Windows To Go? - answer: | - Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home. - - - question: | - How can Windows To Go be deployed in an organization? - answer: | - Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are: - - - A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware) - - - A Windows 10 Enterprise or Windows 10 Education image - - - A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys - - You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you're creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. - - - question: | - Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? - answer: | - No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go. - - - question: | - Is Windows To Go supported on USB 2.0 and USB 3.0 ports? - answer: | - Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later. - - - question: | - How do I identify a USB 3.0 port? - answer: | - USB 3.0 ports are usually marked blue or carry an SS marking on the side. - - - question: | - Does Windows To Go run faster on a USB 3.0 port? - answer: | - Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace. - - - question: | - Can the user self-provision Windows To Go? - answer: | - Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases include support for user self-provisioning of Windows To Go drives. - - - question: | - How can Windows To Go be managed in an organization? - answer: | - Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. - - - question: | - How do I make my computer boot from USB? - answer: | - For host computers running Windows 10 - - - Using Cortana, search for **Windows To Go startup options**, and then press Enter. - - In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB. - - For host computers running Windows 8 or Windows 8.1: - - Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter. - - In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB. - - > [!NOTE] - > Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization. - - - - If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. - - To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you don't know which key to use to enter firmware setup.) - - After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. - - Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis. - - For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). - - **Warning** - Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive. - - - - - question: | - Why isn't my computer booting from USB? - answer: | - Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: - - 1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device. - - 2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. - - 3. If the computer isn't booting from a USB 3.0 port, try to boot from a USB 2.0 port. - - If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. - - - question: | - What happens if I remove my Windows To Go drive while it's running? - answer: | - If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive isn't reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. - - **Warning** - You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. - - - - - question: | - Can I use BitLocker to protect my Windows To Go drive? - answer: | - Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you'll be prompted to enter this password every time you use the Windows To Go workspace. - - - question: | - Why can't I enable BitLocker from Windows To Go Creator? - answer: | - Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three subfolders for fixed, operating system and removable data drive types. - - When you're using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: - - 1. **Control use of BitLocker on removable drives** - - If this setting is disabled BitLocker can't be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. - - 2. **Configure use of smart cards on removable data drives** - - If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you haven't already signed on using your smart card credentials before starting the Windows To Go Creator wizard. - - 3. **Configure use of passwords for removable data drives** - - If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection isn't available, the Windows To Go Creator wizard will fail to enable BitLocker. - - Additionally, the Windows To Go Creator will disable the BitLocker option if the drive doesn't have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. - - - question: | - What power states does Windows To Go support? - answer: | - Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace. - - - question: | - Why is hibernation disabled in Windows To Go? - answer: | - When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you're confident that you'll only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). - - - question: | - Does Windows To Go support crash dump analysis? - answer: | - Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. - - - question: | - Do "Windows To Go Startup Options" work with dual boot computers? - answer: | - Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. - - If you have configured a dual boot computer with a Windows operating system and another operating system, it might work occasionally and fail occasionally. Using this configuration is unsupported. - - - question: | - I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not? - answer: | - Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. - - **Warning** - It's strongly recommended that you don't plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. - - - - - question: | - I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not? - answer: | - Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you're booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. - - **Warning** - It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefore user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. - - - - - question: | - Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? - answer: | - This is done to allow Windows To Go to boot from UEFI and legacy systems. - - - question: | - Is Windows To Go secure if I use it on an untrusted computer? - answer: | - While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive. - - - question: | - Does Windows To Go work with ARM processors? - answer: | - No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors. - - - question: | - Can I synchronize data from Windows To Go with my other computer? - answer: | - To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need. - - - question: | - What size USB flash drive do I need to make a Windows To Go drive? - answer: | - The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size. - - - question: | - Do I need to activate Windows To Go every time I roam? - answer: | - No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace won't need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or through a remote connection using DirectAccess or a virtual private network connection), once activated the machine won't need to be activated again until the activation validity interval has passed. In a KMS configuration, the activation validity interval is 180 days. - - - question: | - Can I use all Windows features on Windows To Go? - answer: | - Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh. - - - question: | - Can I use all my applications on Windows To Go? - answer: | - Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time. - - - question: | - Does Windows To Go work slower than standard Windows? - answer: | - If you're using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you're booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. - - - question: | - If I lose my Windows To Go drive, will my data be safe? - answer: | - Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user won't be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. - - - question: | - Can I boot Windows To Go on a Mac? - answer: | - We're committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers aren't certified for use with Windows 7 or later, using Windows To Go isn't supported on a Mac. - - - question: | - Are there any APIs that allow applications to identify a Windows To Go workspace? - answer: | - Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true, it means that the operating system was booted from an external USB device. - - Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. - - For more information, see the MSDN article on the [Win32\_OperatingSystem class](/windows/win32/cimwin32prov/win32-operatingsystem). - - - question: | - How is Windows To Go licensed? - answer: | - Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. - - - question: | - Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive? - answer: | - No, use of Windows Recovery Environment isn't supported on Windows To Go. It's recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should reprovision the workspace. - - - question: | - Why won't Windows To Go work on a computer running Windows XP or Windows Vista? - answer: | - Actually it might. If you've purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you've configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. - - - question: | - Why does the operating system on the host computer matter? - answer: | - It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer can't boot from USB there's no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. - - - question: | - My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? - answer: | - The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary. - - You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: - - 1. Sign in to the host computer using an account with administrator privileges. - - 2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - - 3. Click **Suspend Protection** for the operating system drive. - - A message is displayed, informing you that your data won't be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. - - 4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. - - 5. Restart the computer again and then sign in to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) - - 6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - - 7. Click **Resume Protection** to re-enable BitLocker protection. - - The host computer will now be able to be booted from a USB drive without triggering recovery mode. - - > [!NOTE] - > The default BitLocker protection profile in Windows 8 or later doesn't monitor the boot order. - - - - - question: | - I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it? - answer: | - Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: - - 1. Open a command prompt with full administrator permissions. - - > [!NOTE] - > If your user account is a member of the Administrators group, but isn't the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. - - - - 2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt. - - 3. Use the `select disk` command to identify the drive. If you don't know the drive number, use the `list` command to display the list of disks available. - - 4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. - - - question: | - Why do I keep on getting the message "Installing devices…" when I boot Windows To Go? - answer: | - One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. - - In certain cases, third-party drivers for different hardware models or versions can reuse device IDs, driver file names, registry keys (or any other operating system constructs that don't support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. - - This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs that require conflicting drivers. - - - question: | - How do I upgrade the operating system on my Windows To Go drive? - answer: | - There's no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be reimaged with a new version of Windows in order to transition to the new operating system version. - -additionalContent: | - - ## Additional resources - - - [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) - - [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) - - [Windows To Go: feature overview](windows-to-go-overview.md) - - [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - - [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - - [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md deleted file mode 100644 index 4332f5785a..0000000000 --- a/windows/deployment/planning/windows-to-go-overview.md +++ /dev/null @@ -1,155 +0,0 @@ ---- -title: Windows To Go feature overview (Windows 10) -description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive. -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -author: frankroj -ms.topic: overview -ms.technology: itpro-deploy -ms.collection: - - highpri - - tier2 -ms.date: 10/28/2022 ---- - -# Windows To Go: feature overview - -**Applies to** - -- Windows 10 - -> [!IMPORTANT] -> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. - -PCs that meet the Windows 7 or later [certification requirements](/previous-versions/windows/hardware/cert-program/) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go isn't intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some other considerations that you should keep in mind before you start to use Windows To Go: - -- [Windows To Go: feature overview](#windows-to-go-feature-overview) - - [Differences between Windows To Go and a typical installation of Windows](#differences-between-windows-to-go-and-a-typical-installation-of-windows) - - [Roaming with Windows To Go](#roaming-with-windows-to-go) - - [Prepare for Windows To Go](#prepare-for-windows-to-go) - - [Hardware considerations for Windows To Go](#hardware-considerations-for-windows-to-go) - -> [!NOTE] -> Windows To Go isn't supported on Windows RT. - -## Differences between Windows To Go and a typical installation of Windows - -Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are: - -- **Internal disks are offline.** To ensure data isn't accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive won't be listed in Windows Explorer. -- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption, a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers. -- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings. -- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows. -- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer's standard for the computer doesn't apply when running a Windows To Go workspace, so the feature was disabled. -- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces can't be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows. - -## Roaming with Windows To Go - -Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer, it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is next booted on that host computer, it will be able to identify the host computer and load the correct set of drivers automatically. - -The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware, which will cause difficulties if the workspace is being used with multiple host computers. - -## Prepare for Windows To Go - -Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. - -These same tools can be used to provision Windows To Go drive, just as if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) to review deployment tools available. - -> [!IMPORTANT] -> Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported. - -As you decide what to include in your Windows To Go image, be sure to consider the following questions: - -Are there any drivers that you need to inject into the image? - -How will data be stored and synchronized to appropriate locations from the USB device? - -Are there any applications that are incompatible with Windows To Go roaming that shouldn't be included in the image? - -What should be the architecture of the image - 32bit/64bit? - -What remote connectivity solution should be supported in the image if Windows To Go is used outside the corporate network? - -For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md). - -## Hardware considerations for Windows To Go - -**For USB drives** - -The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following items: - -- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly. -- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later. -- Windows To Go certified USB drives are built to last. Certified USB drives are backed with manufacturer warranties and should continue operating under normal usage. Refer to the manufacturer websites for warranty details. - -As of the date of publication, the following are the USB drives currently certified for use as Windows To Go drives: - -> [!WARNING] -> Using a USB drive that has not been certified is not supported. - -- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://www.kingston.com/support/technical/products?model=dtws)) -- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://www.kingston.com/support/technical/products?model=dtws)) -- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://www.kingston.com/support/technical/products?model=dtws)) -- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719)) - -- Super Talent Express RC4 for Windows To Go - - -and- - - Super Talent Express RC8 for Windows To Go - - ([http://www.supertalent.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618721)) - -- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)) - - We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go. For more information about the WD Compass utility, see [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722) - -**For host computers** - -When assessing the use of a PC as a host for a Windows To Go workspace, you should consider the following criteria: - -- Hardware that has been certified for use with Windows 7 or later operating systems will work well with Windows To Go. -- Running a Windows To Go workspace from a computer that is running Windows RT isn't a supported scenario. -- Running a Windows To Go workspace on a Mac computer isn't a supported scenario. - -The following table details the characteristics that the host computer must have to be used with Windows To Go: - -|Item|Requirement| -|--- |--- | -|Boot process|Capable of USB boot| -|Firmware|USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you're unsure of the ability of your PC to boot from USB)| -|Processor architecture|Must support the image on the Windows To Go drive| -|External USB Hubs|Not supported; connect the Windows To Go drive directly to the host machine| -|Processor|1 GHz or faster| -|RAM|2 GB or greater| -|Graphics|DirectX 9 graphics device with WDDM 1.2 or greater driver| -|USB port|USB 2.0 port or greater| - -**Checking for architectural compatibility between the host PC and the Windows To Go drive** - -In addition to the USB boot support in the BIOS, the Windows 10 image on your Windows To Go drive must be compatible with the processor architecture and the firmware of the host PC as shown in the table below. - -|Host PC Firmware Type|Host PC Processor Architecture|Compatible Windows To Go Image Architecture| -|--- |--- |--- | -|Legacy BIOS|32-bit|32-bit only| -|Legacy BIOS|64-bit|32-bit and 64-bit| -|UEFI BIOS|32-bit|32-bit only| -|UEFI BIOS|64-bit|64-bit only| - -## Other resources - -- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) -- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) -- [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) - -## Related articles - -[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index f49339b0fd..8e5e27c8df 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -2,13 +2,13 @@ title: Windows Pro in S mode description: Overview of Windows Pro and Enterprise in S mode. ms.localizationpriority: high -ms.prod: windows-client +ms.service: windows-client manager: aaroncz author: frankroj ms.author: frankroj ms.topic: conceptual ms.date: 04/26/2023 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Windows Pro in S mode diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md index 72d37a8849..c8ea253ee3 100644 --- a/windows/deployment/update/PSFxWhitepaper.md +++ b/windows/deployment/update/PSFxWhitepaper.md @@ -1,8 +1,8 @@ --- title: Windows Updates using forward and reverse differentials description: A technique to produce compact software updates optimized for any origin and destination revision pair -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md index ba7b6d264d..164a2970b3 100644 --- a/windows/deployment/update/check-release-health.md +++ b/windows/deployment/update/check-release-health.md @@ -1,8 +1,8 @@ --- title: How to check Windows release health description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.author: mstewart author: mestew diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md index f5f57bd6c5..d1b6ebd87e 100644 --- a/windows/deployment/update/create-deployment-plan.md +++ b/windows/deployment/update/create-deployment-plan.md @@ -1,8 +1,8 @@ --- title: Create a deployment plan description: Devise the number of deployment rings you need and how you want to populate each of the deployment rings. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md index 4373f59f58..ca104fce34 100644 --- a/windows/deployment/update/deployment-service-drivers.md +++ b/windows/deployment/update/deployment-service-drivers.md @@ -2,8 +2,8 @@ title: Deploy drivers and firmware updates titleSuffix: Windows Update for Business deployment service description: Use Windows Update for Business deployment service to deploy driver and firmware updates to devices. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md index 9279a5e9d4..0b59cbea9e 100644 --- a/windows/deployment/update/deployment-service-expedited-updates.md +++ b/windows/deployment/update/deployment-service-expedited-updates.md @@ -2,8 +2,8 @@ title: Deploy expedited updates titleSuffix: Windows Update for Business deployment service description: Learn how to use Windows Update for Business deployment service to deploy expedited updates to devices in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.author: mstewart author: mestew @@ -32,7 +32,11 @@ In this article, you will: ## Prerequisites -All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met. +All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met, including ensuring that the *Update Health Tools* is installed on the clients. +- The *Update Health Tools* are installed starting with [KB4023057](https://support.microsoft.com/kb/4023057). To confirm the presence of the Update Health Tools on a device, use one of the following methods: + - Run a [readiness test for expedited updates](#readiness-test-for-expediting-updates) + - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**. + - Example PowerShell script to verify tools installation: `Get-CimInstance -ClassName Win32_Product \| Where-Object {$_.Name -match "Microsoft Update Health Tools"}` ### Permissions @@ -213,8 +217,8 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re { "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity", "id": "de910e12-3456-7890-abcd-ef1234567890", - "createdDateTime": "2023-02-09T22:55:04.8547517Z", - "lastModifiedDateTime": "2023-02-09T22:55:04.8547524Z", + "createdDateTime": "2024-01-30T19:43:37.1672634Z", + "lastModifiedDateTime": "2024-01-30T19:43:37.1672644Z", "state": { "effectiveValue": "offering", "requestedValue": "none", @@ -222,15 +226,19 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re }, "content": { "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent", - "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity", + "catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('073fb534-5cdd-4326-8aa2-a4d29037b60f')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity", "catalogEntry": { "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry", - "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432", + "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5", "displayName": null, "deployableUntilDateTime": null, - "releaseDateTime": "2023-01-10T00:00:00Z", + "releaseDateTime": "2023-08-08T00:00:00Z", "isExpeditable": false, - "qualityUpdateClassification": "security" + "qualityUpdateClassification": "security", + "catalogName": null, + "shortName": null, + "qualityUpdateCadence": "monthly", + "cveSeverityInformation": null } }, "settings": { @@ -238,10 +246,12 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re "monitoring": null, "contentApplicability": null, "userExperience": { - "daysUntilForcedReboot": 2 + "daysUntilForcedReboot": 2, + "offerAsOptional": null }, "expedite": { - "isExpedited": true + "isExpedited": true, + "isReadinessTest": false } }, "audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity", @@ -293,6 +303,48 @@ The following example deletes the deployment with a **Deployment ID** of `de910e DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890 ``` +## Readiness test for expediting updates + +You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service will check to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](wufb-reports-workbook.md#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results. + +```msgraph-interactive +POST https://graph.microsoft.com/beta/admin/windows/updates/deployments +content-type: application/json + +{ + "@odata.type": "#microsoft.graph.windowsUpdates.deployment", + "content": { + "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent", + "catalogEntry": { + "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry", + "id": "317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5" + } + }, + "settings": { + "@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings", + "expedite": { + "isExpedited": true, + "isReadinessTest": true + } + } +} +``` + +The truncated response displays that **isReadinessTest** is set to `true` and gives you a **DeploymentID** of `de910e12-3456-7890-abcd-ef1234567890`. You can then [add members to the deployment audience](#add-members-to-the-deployment-audience) to have the service check that the devices meet the preresquites then review the results in the [Windows Update for Business reports workbook](wufb-reports-workbook.md#quality-updates-tab). + +```json + "expedite": { + "isExpedited": true, + "isReadinessTest": true + } + }, + "audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('6a6c03b5-008e-4b4d-8acd-48144208f179_Readiness')/audience/$entity", + "audience": { + "id": "de910e12-3456-7890-abcd-ef1234567890", + "applicableContent": [] + } + +``` [!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)] diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md index 070ecd8914..99d6c26f7c 100644 --- a/windows/deployment/update/deployment-service-feature-updates.md +++ b/windows/deployment/update/deployment-service-feature-updates.md @@ -2,8 +2,8 @@ title: Deploy feature updates titleSuffix: Windows Update for Business deployment service description: Use Windows Update for Business deployment service to deploy feature updates to devices in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.author: mstewart author: mestew diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index b3fa2680c5..adf8bfe314 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -2,8 +2,8 @@ title: Overview of the deployment service titleSuffix: Windows Update for Business deployment service description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates with the deployment service. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.author: mstewart author: mestew diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md index d4dbc2e5e1..1f24cbfe24 100644 --- a/windows/deployment/update/deployment-service-prerequisites.md +++ b/windows/deployment/update/deployment-service-prerequisites.md @@ -2,8 +2,8 @@ title: Prerequisites for the deployment service titleSuffix: Windows Update for Business deployment service description: Prerequisites for using the Windows Update for Business deployment service for updating devices in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.author: mstewart author: mestew @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 02/14/2023 +ms.date: 01/29/2024 --- # Windows Update for Business deployment service prerequisites @@ -48,9 +48,9 @@ Windows Update for Business deployment service supports Windows client devices o ### Windows operating system updates -- Expediting updates requires the *Update Health Tools* on the clients. The tools are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device: +- Expediting updates requires the *Update Health Tools* on the clients. The tools are installed starting with [KB4023057](https://support.microsoft.com/kb/4023057). To confirm the presence of the Update Health Tools on a device: - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**. - - As an Admin, run the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}` + - As an Admin, run the following PowerShell script: `Get-CimInstance -ClassName Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}` - For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md index 65a6b7777a..da9f167b83 100644 --- a/windows/deployment/update/deployment-service-troubleshoot.md +++ b/windows/deployment/update/deployment-service-troubleshoot.md @@ -2,8 +2,8 @@ title: Troubleshoot the deployment service titleSuffix: Windows Update for Business deployment service description: Solutions to commonly encountered problems when using the Windows Update for Business deployment service. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: troubleshooting ms.author: mstewart author: mestew diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md index 9352455d20..d12a78f404 100644 --- a/windows/deployment/update/eval-infra-tools.md +++ b/windows/deployment/update/eval-infra-tools.md @@ -1,8 +1,8 @@ --- title: Evaluate infrastructure and tools description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index 41a21d5d7c..51371de0c7 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md @@ -1,8 +1,8 @@ --- title: Best practices - user-initiated feature update installation description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: best-practice author: mestew ms.author: mstewart diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 972dd73a69..f7968c1ebc 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -1,8 +1,8 @@ --- title: FoD and language packs for WSUS and Configuration Manager description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.author: mstewart author: mestew diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index 5dc206f1aa..46dca308f1 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -1,8 +1,8 @@ --- title: Windows client updates, channels, and tools description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index ef02459999..70f2c18280 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -1,8 +1,8 @@ --- title: How Windows Update works description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/includes/update-history.md b/windows/deployment/update/includes/update-history.md index 9963e0b8b6..cc5fb9bb9f 100644 --- a/windows/deployment/update/includes/update-history.md +++ b/windows/deployment/update/includes/update-history.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/24/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md index 24da4ab44e..572d549362 100644 --- a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md +++ b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/14/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md index d8c96ee718..cc46da849e 100644 --- a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md +++ b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/14/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md index ed62f731f1..f84dd43e0a 100644 --- a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md +++ b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/14/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md index 336236ee43..9cfcff85ad 100644 --- a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md +++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/14/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md index 23bbb2b2d9..40f67810ab 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/14/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md index 8d869d1f69..8250bc9e1d 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/14/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md index 682134eb32..d4681b40c2 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md +++ b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/14/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-deployment-limitations.md b/windows/deployment/update/includes/wufb-deployment-limitations.md index 34e70ba899..a57711bffd 100644 --- a/windows/deployment/update/includes/wufb-deployment-limitations.md +++ b/windows/deployment/update/includes/wufb-deployment-limitations.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/14/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md index 4e0d5caaff..cd39b4dd7e 100644 --- a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md +++ b/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 02/14/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md index da738e8991..a698c7f33b 100644 --- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md +++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 04/26/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md index 88fd5d146e..a3bfb9b575 100644 --- a/windows/deployment/update/includes/wufb-reports-endpoints.md +++ b/windows/deployment/update/includes/wufb-reports-endpoints.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 12/15/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md index 70c1948c7a..f0f14e2a67 100644 --- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md +++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 08/18/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md index 479b5a9eff..7057d0789c 100644 --- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md +++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client +ms.subservice: itpro-updates +ms.service: windows-client ms.topic: include ms.date: 07/11/2023 ms.localizationpriority: medium diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index baae39d605..080e86b6ad 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -1,8 +1,8 @@ --- title: Update Windows installation media with Dynamic Update description: Learn how to acquire and apply Dynamic Update packages to existing Windows images prior to deployment -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index 1245ce7f59..7f6fffc7b4 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md @@ -1,8 +1,8 @@ --- title: Migrating and acquiring optional Windows content description: How to keep language resources and Features on Demand during operating system updates for your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md index 3116459b20..dcc9544f7e 100644 --- a/windows/deployment/update/plan-define-readiness.md +++ b/windows/deployment/update/plan-define-readiness.md @@ -1,8 +1,8 @@ --- title: Define readiness criteria description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index 9f3f2e92b7..e2175c7b40 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -1,8 +1,8 @@ --- title: Define update strategy description: Example of using a calendar-based approach to achieve consistent update installation in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md index 735e5a3095..6801a4cca8 100644 --- a/windows/deployment/update/plan-determine-app-readiness.md +++ b/windows/deployment/update/plan-determine-app-readiness.md @@ -1,8 +1,8 @@ --- title: Determine application readiness description: How to test your apps to identify which need attention prior to deploying an update in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.author: mstewart author: mestew diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index ad9ebeff3a..a9af4519db 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -1,8 +1,8 @@ --- title: Prepare to deploy Windows description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index bb6949ca8e..2d4e8ecb19 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -1,8 +1,8 @@ --- title: Update release cycle for Windows clients description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index 86232917dd..104400de70 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md @@ -1,8 +1,8 @@ --- title: Safeguard holds for Windows description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md index 30227f3553..0e0a112ae1 100644 --- a/windows/deployment/update/safeguard-opt-out.md +++ b/windows/deployment/update/safeguard-opt-out.md @@ -1,8 +1,8 @@ --- title: Opt out of safeguard holds description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 7aa9bf3ff1..85af66e440 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -1,8 +1,8 @@ --- title: Servicing stack updates description: In this article, learn how servicing stack updates improve the code that installs the other updates. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index b534f09c0c..28b05bb90e 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -1,8 +1,8 @@ --- title: Windows 10 Update Baseline description: Use an update baseline to optimize user experience and meet monthly update goals in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index b7fa2d5094..50b404df35 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -1,8 +1,8 @@ --- title: Policies for update compliance and user experience description: Explanation and recommendations for update compliance, activity, and user experience for your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 05c5f63d80..11732bc1ca 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -1,8 +1,8 @@ --- title: Configure BranchCache for Windows client updates description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart @@ -35,7 +35,7 @@ Whether you use BranchCache with Configuration Manager or WSUS, each client that In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. > [!Note] -> Setting [Download mode](../do/waas-delivery-optimization-reference.md#download-mode) to '100' (Bypass) is only available in Windows 10, version 1607 and later, not in Windows 11. BranchCache isn't supported for Windows 11. +> [Bypass Download mode (100)](../do/waas-delivery-optimization-reference.md#download-mode) is only available in Windows 10 (starting in version 1607) and deprecated in Windows 11. BranchCache isn't supported for content downloaded using Delivery Optimization in Windows 11. ## Configure servers for BranchCache diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 2a1baa5255..4a74fbe288 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -2,12 +2,12 @@ title: Configure Windows Update for Business manager: aaroncz description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. -ms.prod: windows-client +ms.service: windows-client author: mestew ms.localizationpriority: medium ms.author: mstewart ms.topic: conceptual -ms.technology: itpro-updates +ms.subservice: itpro-updates ms.collection: - tier1 appliesto: diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index d94af9011d..54a680ab36 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -1,8 +1,8 @@ --- title: Integrate Windows Update for Business description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index b1aee2ba14..6506f11e90 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -1,8 +1,8 @@ --- title: Deploy updates using Windows Server Update Services description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to author: mestew ms.author: mstewart diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 6f20706c2e..59aa615d29 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -1,8 +1,8 @@ --- title: Overview of Windows as a service description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: overview author: mestew ms.author: mstewart diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index f027e7d657..fce23e0310 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -1,8 +1,8 @@ --- title: Quick guide to Windows as a service (Windows 10) description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 18b0aa011f..6fd7172197 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -1,8 +1,8 @@ --- title: Manage device restarts after updates description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to author: mestew ms.author: mstewart diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 894cb7361b..78cf2b2e50 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -1,8 +1,8 @@ --- title: Assign devices to servicing channels for updates description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 31038c9fc0..fa5ee150d4 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -1,8 +1,8 @@ --- title: Prepare a servicing strategy for Windows client updates description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index b370409adb..84c4092f53 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -1,8 +1,8 @@ --- title: Manage additional Windows Update settings description: In this article, learn about additional settings to control the behavior of Windows Update in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md index cc945db4c2..23e561ea09 100644 --- a/windows/deployment/update/waas-wufb-csp-mdm.md +++ b/windows/deployment/update/waas-wufb-csp-mdm.md @@ -1,8 +1,8 @@ --- title: Configure Windows Update for Business by using CSPs and MDM description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart @@ -11,7 +11,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 11/30/2023 +ms.date: 01/18/2024 --- # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business @@ -202,9 +202,9 @@ The features that are turned off by default from servicing updates will be enabl You can enable these features by using [AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol). The following options are available: -- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled. - - When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots -- **1** - Not allowed. Features that are shipped turned off by default will remain off +- **0** (default): Not allowed. Features that are shipped turned off by default will remain off +- **1**: Allowed. All features in the latest monthly cumulative update are enabled. + - When the policy is set to **1**, all features that are currently turned off will turn on when the device next reboots. #### I want to enable optional updates diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 22c937a71a..6b757b2706 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -1,8 +1,8 @@ --- title: Configure Windows Update for Business via Group Policy description: Walk through of how to configure Windows Update for Business settings using Group Policy to update devices. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates manager: aaroncz ms.topic: conceptual author: mestew diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index c37d7cc3d2..b6dbfb03a0 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -1,8 +1,8 @@ --- title: Windows Update error code list by component description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index b75a881dc0..80f4dcb167 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -1,8 +1,8 @@ --- title: Windows Update log files description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: troubleshooting author: mestew ms.author: mstewart diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index 7965aa2782..c81a8e7319 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md @@ -1,8 +1,8 @@ --- title: Get started with Windows Update description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index ab1ed81b28..1d7ec557b6 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md @@ -2,8 +2,8 @@ title: Windows Update security manager: aaroncz description: Overview of the security for Windows Update including security for the metadata exchange and content download. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 714ea509f5..d58ab72657 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -2,8 +2,8 @@ title: Enforce compliance deadlines with policies titleSuffix: Windows Update for Business description: This article contains information on how to enforce compliance deadlines using Windows Update for Business. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.localizationpriority: medium diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md index 0e0b313437..9d93702ea9 100644 --- a/windows/deployment/update/wufb-reports-admin-center.md +++ b/windows/deployment/update/wufb-reports-admin-center.md @@ -3,8 +3,8 @@ title: Microsoft 365 admin center software updates page titleSuffix: Windows Update for Business reports manager: aaroncz description: Microsoft admin center populates Windows Update for Business reports data into the software updates page. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md index 395856651d..94e36fa723 100644 --- a/windows/deployment/update/wufb-reports-configuration-intune.md +++ b/windows/deployment/update/wufb-reports-configuration-intune.md @@ -2,8 +2,8 @@ title: Configure devices using Microsoft Intune titleSuffix: Windows Update for Business reports description: How to configure devices to use Windows Update for Business reports from Microsoft Intune. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md index 7c76c5ad32..545ebbed48 100644 --- a/windows/deployment/update/wufb-reports-configuration-manual.md +++ b/windows/deployment/update/wufb-reports-configuration-manual.md @@ -2,8 +2,8 @@ title: Manually configure devices to send data titleSuffix: Windows Update for Business reports description: How to manually configure devices for Windows Update for Business reports using a PowerShell script. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md index 10af47e205..e216694bc7 100644 --- a/windows/deployment/update/wufb-reports-configuration-script.md +++ b/windows/deployment/update/wufb-reports-configuration-script.md @@ -2,8 +2,8 @@ title: Configure clients with a script titleSuffix: Windows Update for Business reports description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index d71d76d0be..a02d0d0993 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -2,8 +2,8 @@ title: Delivery Optimization data in reports titleSuffix: Windows Update for Business reports description: This article provides information about Delivery Optimization data in Windows Update for Business reports. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md index 27a5b5ad14..1502d549d2 100644 --- a/windows/deployment/update/wufb-reports-enable.md +++ b/windows/deployment/update/wufb-reports-enable.md @@ -2,8 +2,8 @@ title: Enable Windows Update for Business reports titleSuffix: Windows Update for Business reports description: How to enable the Windows Update for Business reports service through the Azure portal or the Microsoft 365 admin center. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index fe8f250ece..99fee1bb21 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -3,13 +3,13 @@ metadata: title: Frequently Asked Questions (FAQ) titleSuffix: Windows Update for Business reports description: Answers to frequently asked questions about Windows Update for Business reports. - ms.prod: windows-client - ms.technology: itpro-updates + ms.service: windows-client + ms.subservice: itpro-updates ms.topic: faq manager: aaroncz author: mestew ms.author: mstewart - ms.date: 06/20/2023 + ms.date: 01/26/2024 title: Frequently Asked Questions about Windows Update for Business reports summary: | This article answers frequently asked questions about Windows Update for Business reports. @@ -32,6 +32,7 @@ summary: | - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) - [Why are there multiple records for the same device?](#why-are-there-multiple-records-for-the-same-device) + - [Why are devices showing an unknown state?](#why-are-devices-showing-an-unknown-state) - [When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables) - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) - [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data) @@ -108,7 +109,10 @@ sections: - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This limit is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. - question: Why are there multiple records for the same device? answer: | - Devices have multiple records when the `UCClientUpdateStatus` or `UCClientServiceStatus` tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. It's also possible that a device can be in multiple deployments, so multiple records are displayed. + Devices have multiple records when the `UCClientUpdateStatus` or `UCClientServiceStatus` tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. It's also possible that a device can be in multiple deployments, so multiple records are displayed. + - question: Why are devices showing an unknown state? + answer: | + An unknown client state is displayed if there isn't an update record for the device. This state can happen for many reasons, like the device not being active, not being able to scan Windows Update, or it doesn't currently have any update related activity occurring. - question: What is the difference between OS version and target version? answer: | The word *target* in data labels refers to the update version, build or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md index 49268fb5a7..3580a4810a 100644 --- a/windows/deployment/update/wufb-reports-help.md +++ b/windows/deployment/update/wufb-reports-help.md @@ -2,8 +2,8 @@ title: Feedback, support, and troubleshooting titleSuffix: Windows Update for Business reports description: Windows Update for Business reports support, feedback, and troubleshooting information. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index a38066595f..080f273243 100644 --- a/windows/deployment/update/wufb-reports-overview.md +++ b/windows/deployment/update/wufb-reports-overview.md @@ -2,8 +2,8 @@ title: Windows Update for Business reports overview titleSuffix: Windows Update for Business reports description: Overview of Windows Update for Business reports to explain what it's used for and the cloud services it relies on. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: overview author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index c81cd3c96b..30f7ecac00 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md @@ -2,8 +2,8 @@ title: Prerequisites for Windows Update for Business reports titleSuffix: Windows Update for Business reports description: List of prerequisites for enabling and using Windows Update for Business reports in your organization. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-schema-enumerated-types.md b/windows/deployment/update/wufb-reports-schema-enumerated-types.md index af84c4b582..ec7e675fd1 100644 --- a/windows/deployment/update/wufb-reports-schema-enumerated-types.md +++ b/windows/deployment/update/wufb-reports-schema-enumerated-types.md @@ -2,8 +2,8 @@ title: Enumerated types titleSuffix: Windows Update for Business reports description: Enumerated types for Windows Update for Business reports. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md index b5383c4ad8..b4c113ef71 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclient.md +++ b/windows/deployment/update/wufb-reports-schema-ucclient.md @@ -2,8 +2,8 @@ title: UCClient data schema titleSuffix: Windows Update for Business reports description: UCClient schema for Windows Update for Business reports. UCClient acts as an individual device's record. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md index 59208c8193..e531090eff 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md @@ -2,8 +2,8 @@ title: UCClientReadinessStatus data schema titleSuffix: Windows Update for Business reports description: UCClientReadinessStatus schema for Windows Update for Business reports. UCClientReadinessStatus is an individual device's record about Windows 11 readiness. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md index 058a649dd6..e75f3bed7e 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md @@ -2,8 +2,8 @@ title: UCClientUpdateStatus data schema titleSuffix: Windows Update for Business reports description: UCClientUpdateStatus schema for Windows Update for Business reports. UCClientUpdateStatus combines the latest client-based data with the latest service data. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md index e5dfa88144..c6f38d89f3 100644 --- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md +++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md @@ -2,8 +2,8 @@ title: UCDeviceAlert data schema titleSuffix: Windows Update for Business reports description: UCDeviceAlert schema for Windows Update for Business reports. UCDeviceAlert is an individual device's record about an alert. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md index 33540428e2..834c5a0b29 100644 --- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md @@ -2,8 +2,8 @@ title: UCDOAggregatedStatus data schema titleSuffix: Windows Update for Business reports description: UCDOAggregatedStatus schema for Windows Update for Business reports. UCDOAggregatedStatus is an aggregation of all UDDOStatus records across the tenant. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md index c78b2c076d..f01a18f679 100644 --- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md @@ -2,8 +2,8 @@ title: UCServiceUpdateStatus data schema titleSuffix: Windows Update for Business reports description: UCServiceUpdateStatus schema for Windows Update for Business reports. UCServiceUpdateStatus has service-side information for one device and one update. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md index 588cbd8cb6..331547385e 100644 --- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md +++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md @@ -2,8 +2,8 @@ title: UCUpdateAlert data schema titleSuffix: Windows Update for Business reports description: UCUpdateAlert schema for Windows Update for Business reports. UCUpdateAlert is an alert for both client and service updates. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md index 75cdcb5587..d87b64907c 100644 --- a/windows/deployment/update/wufb-reports-schema.md +++ b/windows/deployment/update/wufb-reports-schema.md @@ -2,8 +2,8 @@ title: Windows Update for Business reports data schema titleSuffix: Windows Update for Business reports description: An overview of Windows Update for Business reports data schema to power additional dashboards and data analysis tools. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md index 2b4f1b8b1a..7fb8613fcf 100644 --- a/windows/deployment/update/wufb-reports-use.md +++ b/windows/deployment/update/wufb-reports-use.md @@ -2,8 +2,8 @@ title: Use the Windows Update for Business reports data titleSuffix: Windows Update for Business reports description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index d024ceda0d..a8e2e42be7 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -2,8 +2,8 @@ title: Use the workbook for Windows Update for Business reports titleSuffix: Windows Update for Business reports description: How to use the Windows Update for Business reports workbook from the Azure portal. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart @@ -11,7 +11,7 @@ manager: aaroncz appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 06/23/2023 +ms.date: 01/29/2024 --- # Windows Update for Business reports workbook @@ -36,6 +36,8 @@ To access the Windows Update for Business reports workbook: 1. When the gallery opens, select the **Windows Update for Business reports** workbook. If needed, you can filter workbooks by name in the gallery. 1. When the workbook opens, you may need to specify which **Subscription** and **Workspace** you used when [enabling Windows Update for Business reports](wufb-reports-enable.md). +> [!Important] +> Don't pin the Windows Update for Business reports workbook to an Azure dashboard. Using a pinned report loads an older copy of the report and it won't display any updates to the report template. ## Summary tab @@ -72,7 +74,8 @@ The **Quality updates** tab displays generalized data at the top by using tiles. |**Latest security update**| Count of devices that have reported successful installation of the latest security update. | - Select **View details** to display a flyout with a chart that displays the first 1000 items.
- Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | | **Missing one security update** | Count of devices that haven't installed the latest security update.| - Select **View details** to display a flyout with a chart that displays the first 1000 items.
- Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).| | **Missing multiple security updates** | Count of devices that are missing two or more security updates. | - Select **View details** to display a flyout with a chart that displays the first 1000 items.
- Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | -| **Expedite performance** | Overview of the progress for the expedited deployments of the latest security update. | - Select **View details** to display a flyout with a chart that displays the total progress of each deployment, number of alerts, and count of devices.
- Select the count from the **Alerts** column to display the alerts, by name, for the deployment. Selecting the device count for the alert name displays a list of devices with the alert.
- Select the count in the **TotalDevices** column to display a list of clients and their information for the deployment. | +| **Active alerts** | Count of active update and device alerts for quality updates. | | +| **Expedite status** | Overview of the progress for the expedited deployments of the latest security update. | Select **View details** to display a flyout with two tabs: **Deployments** and **Readiness**

- The **Deployments** tab contins a chart that displays the total progress of each deployment, number of alerts, and count of devices.

  • Select the count from the **Alerts** column to display the alerts, by name, for the deployment. Selecting the device count for the alert name displays a list of devices with the alert.
  • Select the count in the **TotalDevices** column to display a list of clients and their information for the deployment.

- The **Readiness** tab contains a chart that displays the number of devices that are **Eligible** and **Ineligible** to install expedited udpates. The **Readiness** tab also contains a table listing the deployments for expedited updates.
  • Select the count from the **Alerts** column to display devices with a status of **RegistrationMissingUpdateClient**, which means the device is missing the Update Health Tools. The Update Health Tools are installed starting with [KB4023057](https://support.microsoft.com/kb/4023057) or from a [stand-alone package from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=103324). Example PowerShell script to verify tools installation: `Get-CimInstance -ClassName Win32_Product \| Where-Object {$_.Name -match "Microsoft Update Health Tools"}`
  • Select the count of **TotalDevices** to display a list of devices in the deployment. | Below the tiles, the **Quality updates** tab is subdivided into **Update status** and **Device status** groups. These different chart groups allow you to easily discover trends in compliance data. For instance, you may remember that about third of your devices were in the installing state yesterday, but this number didn't change as much as you were expecting. That unexpected trend may cause you to investigate and resolve a potential issue before end users are impacted. diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index 295f638ff4..5f5374ac96 100644 --- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md @@ -1,8 +1,8 @@ --- title: Use Windows Update for Business and Windows Server Update Services (WSUS) together description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy. -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual author: mestew ms.author: mstewart diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index e5e5fca659..5da693649e 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -1,7 +1,7 @@ --- title: Log files and resolving upgrade errors -description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process. -ms.prod: windows-client +description: Learn how to interpret and analyze the log files that are generated during the Windows upgrade process. +ms.service: windows-client author: frankroj manager: aaroncz ms.author: frankroj @@ -10,108 +10,104 @@ ms.topic: troubleshooting ms.collection: - highpri - tier2 -ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.subservice: itpro-deploy +ms.date: 01/18/2024 +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 --- # Windows upgrade log files -**Applies to** +> [!NOTE] +> +> This article is a 400-level article (advanced). +> +> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. -- Windows 10 +Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that the phase can be determined from the extend code. > [!NOTE] -> This is a 400-level topic (advanced).
    - -> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. - -> [!NOTE] -> Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files. - -The following table describes some log files and how to use them for troubleshooting purposes: - +> +> Also see the [Windows Error Reporting](windows-error-reporting.md) article in this section for help with locating error codes and log files. +The following table describes some log files and how to use them for troubleshooting purposes: |Log file |Phase: Location |Description |When to use| |---|---|---|---| -|setupact.log|Down-Level:
    $Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All down-level failures and starting point for rollback investigations.
    Setup.act is the most important log for diagnosing setup issues.| -|setupact.log|OOBE:
    $Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations - 0x4001C, 0x4001D, 0x4001E, 0x4001F.| -|setupact.log|Rollback:
    $Windows.~BT\Sources\Rollback|Contains information about actions during rollback.|Investigating generic rollbacks - 0xC1900101.| -|setupact.log|Pre-initialization (prior to downlevel):
    Windows|Contains information about initializing setup.|If setup fails to launch.| -|setupact.log|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.| -|setuperr.log|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.| -|miglog.xml|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.| -|BlueBox.log|Down-Level:
    Windows\Logs\Mosetup|Contains information communication between `setup.exe` and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.| -|Supplemental rollback logs:
    Setupmem.dmp
    setupapi.dev.log
    Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.
    Setupapi: Device install issues - 0x30018
    Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.| +|**setupact.log**|Down-Level:
    $Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All down-level failures and starting point for rollback investigations.
    Setup.act is the most important log for diagnosing setup issues.| +|**setupact.log**|OOBE:
    $Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations - 0x4001C, 0x4001D, 0x4001E, 0x4001F.| +|**setupact.log**|Rollback:
    $Windows.~BT\Sources\Rollback|Contains information about actions during rollback.|Investigating generic rollbacks - 0xC1900101.| +|**setupact.log**|Pre-initialization (prior to downlevel):
    Windows|Contains information about initializing setup.|If setup fails to launch.| +|**setupact.log**|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.| +|**setuperr.log**|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.| +|**miglog.xml**|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.| +|**BlueBox.log**|Down-Level:
    Windows\Logs\Mosetup|Contains information communication between `setup.exe` and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.| +|Supplemental rollback logs:
    **Setupmem.dmp**
    **setupapi.dev.log**
    Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup attempts to extract a mini-dump.
    Setupapi: Device install issues - 0x30018
    Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.| ## Log entry structure -A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements: +A `setupact.log` or `setuperr.log` entry includes the following elements: -1. **The date and time** - 2016-09-08 09:20:05 +1. **The date and time** - 2023-09-08 09:20:05 +1. **The log level** - Info, Warning, Error, Fatal Error -2. **The log level** - Info, Warning, Error, Fatal Error +1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS + The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors. -3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS - - - The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors. - - -4. **The message** - Operation completed successfully. +1. **The message** - Operation completed successfully. See the following example: | Date/Time | Log level | Component | Message | |------|------------|------------|------------| -|2016-09-08 09:23:50,| Warning | MIG | Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.| +|2023-09-08 09:23:50,| Warning | MIG | Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.| ## Analyze log files -The following instructions are meant for IT professionals. Also see the [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json) section in this guide to familiarize yourself with [result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes). +The following instructions are meant for IT professionals. Also see the [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json) section in this guide to become familiar with [result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) and [extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes). To analyze Windows Setup log files: -1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it isn't successful with the upgrade process. +1. Determine the Windows Setup error code. Windows Setup should return an error code if it isn't successful with the upgrade process. -2. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate. +1. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate. -3. Open the log file in a text editor, such as notepad. +1. Open the log file in a text editor, such as notepad. -4. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. +1. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. -5. To find the last occurrence of the result code: +1. To find the last occurrence of the result code: 1. Scroll to the bottom of the file and select after the last character. - 2. Select **Edit**. - 3. Select **Find**. - 4. Type the result code. - 5. Under **Direction** select **Up**. - 6. Select **Find Next**. + 1. Select **Edit**. + 1. Select **Find**. + 1. Type the result code. + 1. Under **Direction** select **Up**. + 1. Select **Find Next**. -6. When you've located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed prior to generating the result code. +1. When the last occurrence of the result code is located, scroll up a few lines from this location in the file and review the processes that failed prior to generating the result code. -7. Search for the following important text strings: +1. Search for the following important text strings: - `Shell application requested abort` - `Abandoning apply due to error for object` -8. Decode Win32 errors that appear in this section. +1. Decode Win32 errors that appear in this section. -9. Write down the timestamp for the observed errors in this section. +1. Write down the timestamp for the observed errors in this section. -10. Search other log files for additional information matching these timestamps or errors. +1. Search other log files for additional information matching these timestamps or errors. -For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file: +For example, assume that the error code for an error is **0x8007042B - 0x2000D**. Searching for **8007042B** reveals the following content from the `setuperr.log` file: > [!NOTE] -> Some lines in the text below are shortened to enhance readability. For example -> -> - The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds +> +> Some lines in the following text are shortened to enhance readability. For example +> +> - The date and time at the start of each line (ex: 2023-10-05 15:27:08) is shortened to minutes and seconds > - The certificate file name, which is a long text string, is shortened to just "CN." **setuperr.log** content: @@ -127,20 +123,20 @@ For example, assume that the error code for an error is 0x8007042B - 0x2000D. Se 27:09, Error SP CSetupPlatformPrivate::Execute: Execution of operations queue failed, abandoning. Error: 0x8007042B[gle=0x000000b7] ``` -The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below): +The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]**: ```console 27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570] ``` -The error 0x00000570 is a [Win32 error code](/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable. +The error **0x00000570** is a [Win32 error code](/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d) corresponding to: **ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable**. -Therefore, Windows Setup failed because it wasn't able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for more details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure: +Therefore, Windows Setup failed because it wasn't able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. After the `setupact.log` file is searched for more details, the phrase **Shell application requested abort** is found in a location with the same timestamp as the lines in `setuperr.log`. This analysis confirms the suspicion that this file is the cause of the upgrade failure: **setupact.log** content: ```console -27:00, Info Gather started at 10/5/2016 23:27:00 +27:00, Info Gather started at 10/5/2023 23:27:00 27:00, Info [0x080489] MIG Setting system object filter context (System) 27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped 27:00, Info [0x0803e5] MIG Not unmapping HKCU; it is not mapped @@ -157,7 +153,7 @@ Therefore, Windows Setup failed because it wasn't able to migrate the corrupt fi 27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost::CommandLine: -shortened- 27:08, Info MIG COutOfProcPluginFactory::LaunchSurrogateHost: Successfully launched host and got control object. 27:08, Error Gather failed. Last error: 0x00000000 -27:08, Info Gather ended at 10/5/2016 23:27:08 with result 44 +27:08, Info Gather ended at 10/5/2023 23:27:08 with result 44 27:08, Info Leaving MigGather method 27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C ``` @@ -166,7 +162,7 @@ Therefore, Windows Setup failed because it wasn't able to migrate the corrupt fi ```console >>> [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F] ->>> Section start 2019/09/26 20:13:01.623 +>>> Section start 2023/09/26 20:13:01.623 cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers ndv: INF path: C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf ndv: Install flags: 0x00000000 @@ -250,15 +246,12 @@ Therefore, Windows Setup failed because it wasn't able to migrate the corrupt fi <<< [Exit status: FAILURE(0xC1900101)] ``` -This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. +This analysis indicates that the Windows upgrade error can be resolved by deleting the `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]` file. > [!NOTE] -> In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. +> +> In this example, the full file name is `C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f`. ## Related articles -[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml) -
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors) +- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors). diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md deleted file mode 100644 index cf7359540a..0000000000 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -title: Resolve Windows 10 upgrade errors - Windows IT Pro -manager: aaroncz -ms.author: frankroj -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -ms.prod: windows-client -author: frankroj -ms.localizationpriority: medium -ms.topic: article -ms.technology: itpro-deploy -ms.date: 10/28/2022 ---- - -# Resolve Windows 10 upgrade errors: Technical information for IT Pros - -**Applies to** -- Windows 10 - ->[!IMPORTANT] ->This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md). - -This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. - -The article has been divided into subtopics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. - -The following four levels are assigned: - -Level 100: Basic
    -Level 200: Moderate
    -Level 300: Moderate advanced
    -Level 400: Advanced
    - -## In this guide - -See the following topics in this article: - -- [Quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 100\ Steps you can take to eliminate many Windows upgrade errors.
    -- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help you isolate the root cause of an upgrade failure. -- [Troubleshooting upgrade errors](/troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 300\ General advice and techniques for troubleshooting Windows 10 upgrade errors, and an explanation of phases used during the upgrade process.
    -- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows 10 upgrade. -- [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 400\ The components of an error code are explained. - - [Result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes): Information about result codes. - - [Extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes): Information about extend codes. -- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting. - - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described. - - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example. -- [Resolution procedures](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 200\ Causes and mitigation procedures associated with specific error codes. - - [0xC1900101](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0xc1900101): Information about the 0xC1900101 result code. - - [0x800xxxxx](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0x800xxxxx): Information about result codes that start with 0x800. - - [Other result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-result-codes): Additional causes and mitigation procedures are provided for some result codes. - - [Other error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-error-codes): Additional causes and mitigation procedures are provided for some error codes. -- [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis. - -## Related articles - -[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml) -
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors) -
    diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md new file mode 100644 index 0000000000..db42df75b3 --- /dev/null +++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md @@ -0,0 +1,57 @@ +--- +title: Resolve Windows upgrade errors - Windows IT Pro +manager: aaroncz +ms.author: frankroj +description: Resolve Windows upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +author: frankroj +ms.localizationpriority: medium +ms.topic: article +ms.service: windows-client +ms.subservice: itpro-deploy +ms.date: 01/18/2024 +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 +--- + +# Resolve Windows upgrade errors: Technical information for IT Pros + +> [!IMPORTANT] +> +> This article contains technical instructions for IT administrators. The article isn't intended for non-IT administrators such as home or consumer users. + +This article contains a brief introduction to the Windows installation processes, and provides resolution procedures that IT administrators can use to resolve issues with a Windows upgrade. + +The article is divided into subtopics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods. + +The following four levels are assigned: + +- Level 100: Basic +- Level 200: Moderate +- Level 300: Moderate advanced +- Level 400: Advanced + +## In this guide + +See the following articles in this section: + +- [Quick fixes](/troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 100\ Steps to take to eliminate many Windows upgrade errors. +- [SetupDiag](setupdiag.md): \Level 300\ SetupDiag is a new tool to help isolate the root cause of an upgrade failure. +- [Troubleshooting upgrade errors](/troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 300\ General advice and techniques for troubleshooting Windows upgrade errors, and an explanation of phases used during the upgrade process. +- [Windows Error Reporting](windows-error-reporting.md): \Level 300\ How to use Event Viewer to review details about a Windows upgrade. +- [Upgrade error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 400\ The components of an error code are explained. + - [Result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes): Information about result codes. + - [Extend codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes): Information about extend codes. +- [Log files](log-files.md): \Level 400\ A list and description of log files useful for troubleshooting. + - [Log entry structure](log-files.md#log-entry-structure): The format of a log entry is described. + - [Analyze log files](log-files.md#analyze-log-files): General procedures for log file analysis, and an example. +- [Resolution procedures](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json): \Level 200\ Causes and mitigation procedures associated with specific error codes. + - [0xC1900101](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0xc1900101): Information about the 0xC1900101 result code. + - [0x800xxxxx](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#0x800xxxxx): Information about result codes that start with 0x800. + - [Other result codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-result-codes): Additional causes and mitigation procedures are provided for some result codes. + - [Other error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-error-codes): Additional causes and mitigation procedures are provided for some error codes. +- [Submit Windows upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis. + +## Related articles + +- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors). diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 3b512451f5..00ae1403ff 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -1,8 +1,9 @@ --- title: SetupDiag description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors. -ms.prod: windows-client -ms.technology: itpro-deploy +ms.reviewer: shendrix +ms.service: windows-client +ms.subservice: itpro-deploy author: frankroj manager: aaroncz ms.author: frankroj @@ -11,34 +12,34 @@ ms.topic: troubleshooting ms.collection: - highpri - tier2 -ms.date: 10/28/2022 +ms.date: 01/18/2024 +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 --- # SetupDiag -**Applies to** -- Windows 10 +> [!NOTE] +> +> This article is a 300 level article (moderate advanced). See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. ->[!NOTE] ->This is a 300 level topic (moderate advanced).
    ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
    - - [![Download SetupDiag.](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142) +> [!div class="nextstepaction"] +> [Download the latest version of SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142) ## About SetupDiag -Current downloadable version of SetupDiag: 1.6.2107.27002. -> Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues. +> [!IMPORTANT] +> +> When SetupDiag is run manually, Microsoft recommends running the latest version of SetupDiag. The latest version is available via the following [download link](https://go.microsoft.com/fwlink/?linkid=870142). Running the latest version ensures the latest functionality and fixes known issues. -SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. +SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows upgrade was unsuccessful. -SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode. +SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows. SetupDiag can be run on the computer that failed to update. The logs can also be exported from the computer to another location and then running SetupDiag in offline mode. -## SetupDiag in Windows 10, version 2004 and later +SetupDiag is included with [Windows Setup](/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files#windows-setup-scenario) in all currently supported versions of Windows. -With the release of Windows 10, version 2004, SetupDiag is included with [Windows Setup](/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files#windows-setup-scenario). - -During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, **setupdiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag will automatically run to determine the cause of the failure. +During the upgrade process, Windows Setup extracts all its sources files, including **SetupDiag.exe**, to the **%SystemDrive%\$Windows.~bt\Sources** directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. When run by Windows Setup, the following [parameters](#parameters) are used: @@ -47,145 +48,200 @@ When run by Windows Setup, the following [parameters](#parameters) are used: - /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml - /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results -The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**. Note that the registry path isn't the same as the default registry path when SetupDiag is run manually. When SetupDiag is run manually, and the /RegPath parameter isn't specified, data is stored in the registry at HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag. +The resulting SetupDiag analysis can be found at `%WinDir%\Logs\SetupDiag\SetupDiagResults.xml` and in the registry under `HKLM\SYSTEM\Setup\SetupDiag\Results`. + +> [!NOTE] +> +> When Windows Setup runs SetupDiag automatically, the registry path isn't the same as the default registry path when SetupDiag is run manually. When SetupDiag is run manually, and the `/RegPath` parameter isn't specified, data is stored in the registry at `HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag`. > [!IMPORTANT] +> > When SetupDiag indicates that there were multiple failures, the last failure in the log file is typically the fatal error, not the first one. -If the upgrade process proceeds normally, the **Sources** directory including **setupdiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **setupdiag.exe** will also be removed. - -## Using SetupDiag - -To quickly use SetupDiag on your current computer: -1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137). -2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142). -3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**. -4. When SetupDiag has finished downloading, open the folder where you downloaded the file. By default, this folder is the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane. -5. Double-click the **SetupDiag** file to run it. Select **Yes** if you're asked to approve running the program. - - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You'll need to change directories to the location of SetupDiag to run it this way. -6. A command window will open while SetupDiag diagnoses your computer. Wait for this process to finish. -7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file. -8. Use Notepad to open the log file: **SetupDiagResults.log**. -9. Review the information that is displayed. If a rule was matched, this information can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below. - -For instructions on how to run the tool in offline mode and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below. - -The [Release notes](#release-notes) section at the bottom of this article has information about recent updates to this tool. +If the upgrade process proceeds normally, the **Sources** directory including **SetupDiag.exe** is moved under **%SystemDrive%\Windows.Old** for cleanup. If the **Windows.old** directory is deleted later, **SetupDiag.exe** is also removed. ## Requirements -1. The destination OS must be Windows 10. -2. [.NET Framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137) must be installed. If you aren't sure what version of .NET is currently installed, see [How to: Determine Which .NET Framework Versions Are Installed](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed). You can also use the following command-line query to display the installed v4 versions: +1. The destination version of Windows must be a currently supported version of Windows. The originally installed version of Windows can be a version of Windows that's out of support as long as: + - The destination version of Windows is a currently supported version of Windows. + - Upgrade to the destination version of Windows is supported from the original installed version of Windows. + +1. [.NET Framework 4.7.2](https://go.microsoft.com/fwlink/?linkid=863265) or newer must be installed. To determine which version of .NET is preinstalled with a specific version of Windows, see [.NET Framework system requirements: Supported client operating systems](/dotnet/framework/get-started/system-requirements#supported-client-operating-systems). To determine which version of .NET is currently installed, see [How to: Determine Which .NET Framework Versions Are Installed](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed). + + The following command-line query can be used to display the currently installed version of .NET: + + ```cmd + reg.exe query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s ``` - reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s - ``` + + As long as at least the required version of .NET is installed, no additional action is required, including if a newer version is installed. + +## Using SetupDiag + +To quickly use SetupDiag on the current computer: + +1. Verify that the system meets the [requirements](#requirements). + +1. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142). + +1. If the web browser asks what to do with the file, choose **Save**. By default, the file is saved to the **Downloads** folder. If desired, the file can also be saved to a different location by using **Save As**. + +1. When SetupDiag finishes downloading, open the folder where the file was downloaded. By default, this folder is the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane. + +1. Double-click the **SetupDiag** file to run it. Select **Yes** if asked to approve running the program. + + Double-clicking the file to run it automatically closes the command window when SetupDiag completes its analysis. To instead keep the window open to review the messages SetupDiag generates, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. When running from a command prompt, make sure to change directories to where SetupDiag is located. + +1. A command window opens while SetupDiag diagnoses the computer. Wait for this process to finish. + +1. When SetupDiag finishes, two files are created in the same folder where SetupDiag was run from. One is a configuration file, the other is a log file. + +1. Use Notepad to open the log file **SetupDiagResults.log**. + +1. Review the information that is displayed. If a rule was matched, this information can say why the computer failed to upgrade, and potentially how to fix the problem. See the section [Text log sample](#text-log-sample). + +For instructions on how to run the tool in offline mode and with more advanced options, see the sections [Parameters](#parameters) and [Examples](#examples). ## Parameters | Parameter | Description | | --- | --- | -| /? |
    • Displays interactive help
    | -| /Output:\ |
    • This optional parameter enables you to specify the output file for results. This file is where you'll find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
    • Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
    | -| /LogsPath:\ |
    • This optional parameter tells SetupDiag.exe where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories.
    | -| /ZipLogs:\ |
    • This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
    • Default: If not specified, a value of 'true' is used.
    | -| /Format:\ |
    • This optional parameter can be used to output log files in xml or JSON format. If this parameter isn't specified, text format is used by default.
    | -| /Scenario:\[Recovery\] |
    • This optional parameter instructs SetupDiag.exe to look for and process reset and recovery logs and ignore setup/upgrade logs.
    | -| /Verbose |
    • This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce another log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
    | -| /NoTel |
    • This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.
    | -| /AddReg |
    • This optional parameter instructs SetupDiag.exe to add failure information to the registry in offline mode. By default, SetupDiag will add failure information to the registry in online mode only. Registry data is added to the following location on the system where SetupDiag is run: **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.
    | -| /RegPath |
    • This optional parameter instructs SetupDiag.exe to add failure information to the registry using the specified path. If this parameter isn't specified the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**. -
    | +| **/?** | Displays interactive help | +| **/Output:\[Full path and file name for output log file\]** | This optional parameter specifies the name and location for the results log file. The output file contains the analysis from SetupDiag. Only text format output is supported. UNC paths work provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, the entire path must be enclosed in double quotes (**"**). See the [Examples](#examples) sections for an example.

    Default: If not specified, SetupDiag creates the file **SetupDiagResults.log** in the same directory where **SetupDiag.exe** is run. | +| **/LogsPath:\[Full path to logs\]** | This optional parameter specifies the location of logs to parse and where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag recursively searches all child directories. Defaults to checking the current system for logs. | +| **/ZipLogs:\[True \| False\]** | This optional parameter Tells **SetupDiag.exe** to create a zip file containing the results and all the log files that were parsed. The zip file is created in the same directory where **SetupDiag.exe** is run.

    Default: If not specified, a value of 'true' is used. | +| **/Format:\[xml \| json\]** | This optional parameter specifies the output format for log files to be XML or JSON. If this parameter isn't specified, text format is used by default. | +| **/Scenario:\[Recovery \| Debug\]** | This optional parameter can do one of the following two items based on the argument used:

    • Recovery instructs **SetupDiag.exe** to look for and process reset and recovery logs and ignore setup/upgrade logs.
    • Debug instructs **SetupDiag.exe** to debug memory dumps if the requisite debug binaries are installed.
    | +| **/Verbose** | This optional parameter creates a diagnostic log in the current directory, with debugging information, additional data, and details about SetupDiag. By default, SetupDiag only produces a log file entry for major errors. Using **/Verbose** causes SetupDiag to always produce another log file with debugging details. These details can be useful when reporting a problem with SetupDiag. | +| **/NoTel** | This optional parameter tells **SetupDiag.exe** not to send diagnostic telemetry to Microsoft. | +| **/RegPath** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry under the given path. Registry paths should start with **HKEY_LOCAL_MACHINE** or **HKEY_CURRENT_USER** and be accessible at the elevation level SetupDiag is executed under. If this parameter isn't specified, the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**. | +| **/AddReg** | This optional parameter Instructs **SetupDiag.exe** to add failure information to the registry on the executing system in offline mode. SetupDiag by default adds failure information to the registry in Online mode only. Registry data goes to **HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile\SetupDiag** unless otherwise specified. | -Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag. -- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0, when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter isn't needed. +> [!NOTE] +> +> The **/Mode** parameter is deprecated in SetupDiag. +> +> In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In current versions of SetupDiag, when /LogsPath is specified then SetupDiag automatically runs in offline mode, therefore the /Mode parameter isn't needed. -### Examples: +### Examples -In the following example, SetupDiag is run with default parameters (online mode, results file is SetupDiagResults.log in the same folder where SetupDiag is run). +- In the following example, SetupDiag is run with default parameters in online mode. The results file is **SetupDiagResults.log** in the same folder where SetupDiag is run. -``` -SetupDiag.exe -``` + ```cmd + SetupDiag.exe + ``` -In the following example, SetupDiag is run in online mode (this mode is the default). It will know where to look for logs on the current (failing) system, so there's no need to gather logs ahead of time. A custom location for results is specified. +- In the following example, SetupDiag is run in online mode (this mode is the default). It knows where to look for logs on the current (failing) system, so there's no need to gather logs ahead of time. A custom location for results is specified. -``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log -``` + ```cmd + SetupDiag.exe /Output:C:\SetupDiag\Results.log + ``` -The following example uses the /Output parameter to save results to a path name that contains a space: +- The following example uses the **/Output** parameter to save results to a path name that contains a space: -``` -SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log" -``` + ```cmd + SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log" + ``` -The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**. +- The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**. -``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1 -``` + ```cmd + SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1 + ``` -The following example sets recovery scenario in offline mode. In the example, SetupDiag will search for reset/recovery logs in the specified LogsPath location and output the results to the directory specified by the /Output parameter. +- The following example sets recovery scenario in offline mode. In the example, SetupDiag searches for reset/recovery logs in the specified LogsPath location and output the results to the directory specified by the **/Output** parameter. -``` -SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery -``` + ```cmd + SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery + ``` -The following example sets recovery scenario in online mode. In the example, SetupDiag will search for reset/recovery logs on the current system and output results in XML format. +- The following example sets recovery scenario in online mode. In the example, SetupDiag searches for reset/recovery logs on the current system and output results in XML format. -``` -SetupDiag.exe /Scenario:Recovery /Format:xml -``` + ```cmd + SetupDiag.exe /Scenario:Recovery /Format:xml + ``` +- The following example is an example of Offline Mode. SetupDiag is instructed to parse setup/upgrade log files in the LogsPath directory and output the results to `C:\SetupDiag\Results.txt`. + + ```cmd + SetupDiag.exe /Output:C:\SetupDiag\Results.txt /LogsPath:D:\Temp\Logs\Logs1 /RegPath:HKEY_CURRENT_USER\SYSTEM\SetupDiag + ``` + +- The following example is an example of Online Mode. SetupDiag is instructed to look for setup/upgrade logs on the current system and output its results in XML format to `C:\SetupDiag\Results.xml`. + + ```cmd + SetupDiag.exe /Output:C:\SetupDiag\Results.xml /Format:xml + ``` + +- The following example is an example of Online Mode where no parameters are needed or used. SetupDiag is instructed to look for setup/upgrade logs on the current system and output the results to the same directory where SetupDiag is located. + + ```cmd + SetupDiag.exe + ``` + +- The following example is an example of Reset/Recovery Offline Mode. SetupDiag is instructed to look for reset/recovery logs in the specified LogsPath location. It then outputs the results to the directory specified by the **/Output** parameter. + + ```cmd + SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery + ``` + +- The following example is an example of Reset/Recovery Online Mode. SetupDiag is instructed to look for reset/recovery logs on the current system and output its results in XML format. + + ```cmd + SetupDiag.exe /Scenario:Recovery /Format:xml + ``` ## Log files -[Windows Setup Log Files and Event Logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, you should run SetupDiag against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to your offline location: +[Windows Setup Log Files and Event Logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, SetupDiag should be run against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to the offline location: -\\$Windows.~bt\sources\panther -
    \\$Windows.~bt\Sources\Rollback -
    \Windows\Panther -
    \Windows\Panther\NewOS +- `\$Windows.~bt\sources\panther` +- `\$Windows.~bt\Sources\Rollback` +- `\Windows\Panther` +- `\Windows\Panther\NewOS` -If you copy the parent folder and all subfolders, SetupDiag will automatically search for log files in all subdirectories. +If the parent folder and all subfolders are copied, SetupDiag automatically searches for log files in all subdirectories. ## Setup bug check analysis -When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. It's also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error. +When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. This condition is also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error. -If crash dumps [are enabled](/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup-related minidumps. +If crash dumps [are enabled](/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup extracts a minidump (`setupmem.dmp`) file. SetupDiag can also debug these setup-related minidumps. + +To debug a setup-related bug check: + +- Specify the **/LogsPath** parameter. Memory dumps can't be debugged in online mode. + +- Gather the setup memory dump file (`setupmem.dmp) from the failing system. + + `Setupmem.dmp` is created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs. -To debug a setup-related bug check, you must: -- Specify the **/LogsPath** parameter. You can't debug memory dumps in online mode. -- Gather the setup memory dump file (setupmem.dmp) from the failing system. - - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs. - Install the [Windows Debugging Tools](/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag. -In the following example, the **setupmem.dmp** file is copied to the **D:\Dump** directory and the Windows Debugging Tools are installed prior to running SetupDiag: +In the following example, the `setupmem.dmp` file is copied to the `D:\Dump` directory and the Windows Debugging Tools are installed prior to running SetupDiag: -``` +```cmd SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump ``` ## Known issues -1. Some rules can take a long time to process if the log files involved are large. - +- Some rules can take a long time to process if the log files involved are large. ## Sample output The following command is an example where SetupDiag is run in offline mode. -``` +```cmd D:\SetupDiag>SetupDiag.exe /output:c:\setupdiag\result.xml /logspath:D:\Tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e /format:xml -SetupDiag v1.6.0.0 +SetupDiag v1.7.0.0 Copyright (c) Microsoft Corporation. All rights reserved. Searching for setup logs... -Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_6.log with update date 6/12/2019 2:44:20 PM to be the correct setup log. -Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_1.log with update date 6/12/2019 2:45:19 PM to be the correct rollback log. +Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_6.log with update date 6/12/2023 2:44:20 PM to be the correct setup log. +Found d:\tests\Logs\f55be736-beed-4b9b-aedf-c133536c946e\setupact_1.log with update date 6/12/2023 2:45:19 PM to be the correct rollback log. Gathering baseline information from setup logs... @@ -208,241 +264,108 @@ SetupDiag found 1 matching issue. SetupDiag results were logged to: c:\setupdiag\results.xml Logs ZipFile created at: c:\setupdiag\Logs_14.zip - ``` ## Rules -When searching log files, SetupDiag uses a set of rules to match known issues. These rules are contained in the rules.xml file that is extracted when SetupDiag is run. The rules.xml file might be updated as new versions of SetupDiag are made available. For more information, see the [release notes](#release-notes) section. +When SetupDiag searches log files, it uses a set of rules to match known issues. These rules are contained in an xml file. The xml file might be updated with new and updated rules as new versions of SetupDiag are made available. -Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term "down-level" refers to the first phase of the upgrade process, which runs under the starting OS. +Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term **down-level** refers to the first phase of the upgrade process, which runs under the original OS. -1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D - - This rule indicates that `setup.exe` was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade. -2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE - - This is an upgrade block when the target OS doesn't support BitLocker, yet the host OS has BitLocker enabled. -3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC - - This block happens when the host OS is booted to a VHD image. Upgrade isn't supported when the host OS is booted from a VHD image. -4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 - - This indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade isn't supported in the Windows To-Go environment. -5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90 - - This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade isn't supported from this state. -6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B - - This block indicates that the host OS is booted to Safe Mode, where upgrade isn't supported. -7. InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1 - - This block is encountered when setup determines the system partition (where the boot loader files are stored) doesn't have enough space to be serviced with the newer boot files required during the upgrade process. -8. CompatBlockedApplicationAutoUninstall - BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5 - - This rule indicates there's an application that needs to be uninstalled before setup can continue. -9. CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9 - - When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies "/compat ignorewarning". This rule indicates setup was executed in /quiet mode but there's an application dismissible block message that has prevented setup from continuing. -10. CompatBlockedApplicationManualUninstall - 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4 - - This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This typically requires manual removal of the files associated with this application to continue. -11. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B - - This error indicates a device driver that is loaded on the host OS isn't compatible with the newer OS version and needs to be removed prior to the upgrade. -12. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45 - - This rule indicates the host OS and the target OS language editions don't match. -13. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8 - - This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This will block the pre-release signed build from booting if installed on the machine. -14. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E - - This failure indicates the system ran out of disk space during the down-level operations of upgrade. -15. DiskSpaceFailure - 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191 - - This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade. -16. DeviceInstallHang - 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 - - This failure rule indicates the system hung or bug checked during the device installation phase of upgrade. -17. DebugSetupMemoryDump - C7C63D8A-C5F6-4255-8031-74597773C3C6 - - This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag will debug the memory dump and provide details. -18. DebugSetupCrash - CEEBA202-6F04-4BC3-84B8-7B99AED924B1 - - This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details. -19. DebugMemoryDump - 505ED489-329A-43F5-B467-FCAAF6A1264C - - This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details. -20. BootFailureDetected - 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7 - - This rule indicates a boot failure occurred during a specific phase of the update. The rule will indicate the failure code and phase for diagnostic purposes. -21. FindDebugInfoFromRollbackLog - 9600EB68-1120-4A87-9FE9-3A4A70ACFC37 - - This rule will determine and give details when a bug check occurs during the setup/upgrade process that resulted in a memory dump, but without the requirement of the debugger package being on the executing machine. -22. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC - - Finds fatal advanced installer operations that cause setup failures. -23. FindMigApplyUnitFailure - A4232E11-4043-4A37-9BF4-5901C46FD781 - - Detects a migration unit failure that caused the update to fail. This rule will output the name of the migration plug-in and the error code it produced for diagnostic purposes. -24. FindMigGatherUnitFailure - D04C064B-CD77-4E64-96D6-D26F30B4EE29 - - Detects a migration gather unit failure that caused the update to fail. This rule will output the name of the gather unit/plug-in and the error code it produced for diagnostic purposes. -25. CriticalSafeOSDUFailure - 73566DF2-CA26-4073-B34C-C9BC70DBF043 - - This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It will indicate the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes. -26. UserProfileCreationFailureDuringOnlineApply - 678117CE-F6A9-40C5-BC9F-A22575C78B14 - - Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It will indicate the operation and error code associated with the failure for diagnostic purposes. -27. WimMountFailure - BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549 - - This rule indicates the update failed to mount a WIM file. It will show the name of the WIM file and the error message and error code associated with the failure for diagnostic purposes. -28. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E - - Determines if the given setup was a success or not based off the logs. -29. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC - - Gives information about failures surfaced early in the upgrade process by setuphost.exe -30. FindDownlevelFailure - 716334B7-F46A-4BAA-94F2-3E31BC9EFA55 - - Gives failure information surfaced by SetupPlatform, later in the down-level phase. -31. FindAbruptDownlevelFailure - 55882B1A-DA3E-408A-9076-23B22A0472BD - - Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly. -32. FindSetupPlatformFailedOperationInfo - 307A0133-F06B-4B75-AEA8-116C3B53C2D1 - - Gives last phase and error information when SetupPlatform indicates a critical failure. This rule will indicate the operation and error associated with the failure for diagnostic purposes. -33. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48 - - Gives last operation, failure phase and error information when a rollback occurs. -34. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71 - - A rule to match AdvancedInstaller read/write failures in a generic sense. Will output the executable being called as well as the error code and exit code reported. -35. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78 (NOTE: This rule replaces the OptionalComponentInstallFailure rule present in v1.10. - - This matches a specific Optional Component failure when attempting to enumerate components in a package. Will output the package name and error code. -36. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 - - Matches a specific Optional Component failure when attempting to open an OC package. Will output the package name and error code. -37. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317 - - Matches a specific failure where the advanced installer service or components aren't operating or started on the system. Will output the error code. -38. UserProfileCreationFailureDuringFinalize - C6677BA6-2E53-4A88-B528-336D15ED1A64 - - Matches a specific User Profile creation error during the finalize phase of setup. Will output the failure code. -39. WimApplyExtractFailure - 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 - - Matches a WIM apply failure during WIM extraction phases of setup. Will output the extension, path and error code. -40. UpdateAgentExpanderFailure - 66E496B3-7D19-47FA-B19B-4040B9FD17E2 - - Matches DPX expander failures in the down-level phase of update from Windows Update. Will output the package name, function, expression and error code. -41. FindFatalPluginFailure - E48E3F1C-26F6-4AFB-859B-BF637DA49636 - - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. -42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC - - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. -43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9 - - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug-in name, plug-in action and error code. -44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 - - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code. -45. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960 - - Detects all compat blocks from Server compliance plug-ins. Outputs the block information and remediation. -46. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71 - - Triggers on advanced installer failures in a generic sense, outputting the application called, phase, mode, component and error code. -47. FindMigGatherApplyFailure - A9964E6C-A2A8-45FF-B6B5-25E0BD71428E - - Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration -48. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78 - - Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. Outputs the package name and error code. -49. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 - - Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. -50. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317 - - Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. -51. DISMproviderFailure - D76EF86F-B3F8-433F-9EBF-B4411F8141F4 - - Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. -52. SysPrepLaunchModuleFailure - 7905655C-F295-45F7-8873-81D6F9149BFD - - Indicates a sysPrep plug-in has failed in a critical operation. Indicates the plug-in name, operation name and error code. -53. UserProvidedDriverInjectionFailure - 2247C48A-7EE3-4037-AFAB-95B92DE1D980 - - A driver provided to setup (via command line input) has failed in some way. Outputs the driver install function and error code. -54. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960 - - These are for server upgrades only, will output the compliance block and remediation required. -55. PreReleaseWimMountDriverFound - 31EC76CC-27EC-4ADC-9869-66AABEDB56F0 - - Captures failures due to having an unrecognized wimmount.sys driver registered on the system. -56. WinSetupBootFilterFailure - C073BFC8-5810-4E19-B53B-4280B79E096C - - Detects failures in the kernel mode file operations. -57. WimMountDriverIssue - 565B60DD-5403-4797-AE3E-BC5CB972FBAE - - Detects failures in WimMount.sys registration on the system. -58. DISMImageSessionFailure - 61B7886B-10CD-4C98-A299-B987CB24A11C - - Captures failure information when DISM fails to start an image session successfully. -59. FindEarlyDownlevelError - A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52 - - Detects failures in down-level phase before setup platform is invoked. -60. FindSPFatalError - A4028172-1B09-48F8-AD3B-86CDD7D55852 - - Captures failure information when setup platform encounters a fatal error. -61. UserProfileSuffixMismatch - B4BBCCCE-F99D-43EB-9090-078213397FD8 - - Detects when a file or other object causes the migration or creation of a user profile to fail during the update. - -## Release notes - -07/27/2021 - SetupDiag v1.6.2107.27002 is released with 61 rules, as a standalone tool available in the Download Center. -- This version contains compliance updates and minor bug fixes. -- With this release and subsequent releases, the version number of the downloadable SetupDiag tool is different from the one included with Windows Setup. - -05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center. -- This version of SetupDiag is included with Windows 10, version 21H1. -- A new rule is added: UserProfileSuffixMismatch. -- All outputs to the command line are now invariant culture for purposes of time/date format -- Fixed an issue with registry output in which the "no match found" result caused a corrupted REG_SZ value. - -08/08/2019 - SetupDiag v1.6.0.42 is released with 60 rules, as a standalone tool available from the Download Center. - - Log detection performance is improved. Log detection takes around 10 seconds or less where before it could take up to a minute. - - Added Setup Operation and Setup Phase information to both the results log and the registry information. - - This is the last Operation and Phase that Setup was in when the failure occurred. - - Added detailed Setup Operation and Setup Phase information (and timing) to output log when /verbose is specified. - - Note, if the issue found is a compat block, no Setup Operation or Phase info exists yet and therefore won't be available. - - Added more info to the Registry output. - - Detailed 'FailureData' info where available. Example: "AppName = MyBlockedApplication" or "DiskSpace = 6603" (in MB) - - "Key = Value" data specific to the failure found. - - Added 'UpgradeStartTime', 'UpgradeEndTime' and 'UpgradeElapsedTime' - - Added 'SetupDiagVersion', 'DateTime' (to indicate when SetupDiag was executed on the system), 'TargetOSVersion', 'HostOSVersion' and more… - - -06/19/2019 - SetupDiag v1.5.0.0 is released with 60 rules, as a standalone tool available from the Download Center. -- All date and time outputs are updated to localized format per user request. -- Added setup Operation and Phase information to /verbose log. -- Added last Setup Operation and last Setup Phase information to most rules where it makes sense (see new output below). -- Performance improvement in searching setupact.logs to determine correct log to parse. -- Added SetupDiag version number to text report (xml and json always had it). -- Added "no match" reports for xml and json per user request. -- Formatted Json output for easy readability. -- Performance improvements when searching for setup logs; this should be much faster now. -- Added seven new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information. -- Diagnostic information is now output to the registry at **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag** - - The **/AddReg** command was added to toggle registry output. This setting is off by default for offline mode, and on by default for online mode. The command has no effect for online mode and enables registry output for offline mode. - - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it's always up to date. - - This registry key also gets deleted when a new update instance is invoked. - - For an example, see [Sample registry key](#sample-registry-key). - -05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center. -- This release dds the ability to find and diagnose reset and recovery failures (Push-Button Reset). - -12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center. -- This release includes major improvements in rule processing performance: ~3x faster rule processing performance! - - The FindDownlevelFailure rule is up to 10 times faster. -- New rules have been added to analyze failures upgrading to Windows 10 version 1809. -- A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure. -- Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode. -- Some functional and output improvements were made for several rules. - -07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center. -- This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but doesn't have debugger binaries installed. - -07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center. -- Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues. -- New feature: Ability to output logs in JSON and XML format. - - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic. - - If the "/Format:xml" or "/Format:json" parameter is omitted, the log output format will default to text. -- New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive. -- Three new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed. - -05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center. -- Fixed a bug in device install failure detection in online mode. -- Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost. -- Telemetry is refactored to only send the rule name and GUID (or "NoRuleMatched" if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing. - -05/02/2018 - SetupDiag v1.10 is released with 34 rules, as a standalone tool available from the Download Center. -- A performance enhancement has been added to result in faster rule processing. -- Rules output now includes links to support articles, if applicable. -- SetupDiag now provides the path and name of files that it's processing. -- You can now run SetupDiag by selecting it and then examining the output log file. -- An output log file is now always created, whether or not a rule was matched. - -03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center. +| Rule Name | GUID | Description | +| --- | --- | +| **CompatScanOnly** | FFDAFD37-DB75-498A-A893-472D49A1311D | This rule indicates that `setup.exe` was called with a specific command line parameter that indicated setup was to do a compatibility scan only, not an upgrade. | +| **PlugInComplianceBlock** | D912150B-1302-4860-91B5-527907D08960 | Detects all compatibility blocks from Server compliance plug-ins. This rule is for server upgrades only. It outputs the compliance block and remediation required. | +| **BitLockerHardblock** | C30152E2-938E-44B8-915B-D1181BA635AE | This block is an upgrade block when the target OS doesn't support BitLocker, yet the host OS has BitLocker enabled. | +| **VHDHardblock** | D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC | This block happens when the host OS is booted to a VHD image. Upgrade isn't supported when the host OS is booted from a VHD image. | +| **PortableWorkspaceHardblock** | 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 | This block indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade isn't supported in the Windows To-Go environment. | +| **AuditModeHardblock** | A03BD71B-487B-4ACA-83A0-735B0F3F1A90 | This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade isn't supported from this state. | +| **SafeModeHardblock** | 404D9523-B7A8-4203-90AF-5FBB05B6579B | This block indicates that the host OS is booted to Safe Mode, where upgrade isn't supported. | +| **InsufficientSystemPartitionDiskSpaceHardblock** | 3789FBF8-E177-437D-B1E3-D38B4C4269D1 | This block is encountered when setup determines the system partition doesn't have enough space to be serviced with the newer boot files required during the upgrade process. The system partition is where the boot loader files are stored | +| **CompatBlockedApplicationAutoUninstall** | BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5 | This rule indicates there's an application that needs to be uninstalled before setup can continue. | +| **CompatBlockedApplicationDismissable** | EA52620B-E6A0-4BBC-882E-0686605736D9 | When setup is run in **/quiet** mode, there are dismissible application messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's an application dismissible block message that prevented setup from continuing. | +| **CompatBlockedFODDismissable** | 7B693C42-793E-4E9E-A10B-ED0F33D45E2A | When setup is run in **/quiet** mode, there are dismissible Feature On Demand messages that turn into blocks unless the command line also specifies **/compat ignorewarning**. This rule indicates setup was executed in **/quiet** mode but there's a Feature On Demand dismissible block message that prevented setup from continuing, usually that the target OS image is missing a Feature On Demand that is installed in the current OS. Removal of the Feature On Demand in the current OS should also resolve the issue. +| **CompatBlockedApplicationManualUninstall** | 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4 | This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This block typically requires manual removal of the files associated with this application to continue. | +| **GenericCompatBlock** | 511B9D95-C945-4F9B-BD63-98F1465E1CF6 | The rule indicates that system doesn't meet a hardware requirement for running Windows. For example, the device is missing a requirement for TPM 2.0. This issue can occur even when an attempt is made to bypass the hardware requirements. | +| **GatedCompatBlock** | 34A9F145-3842-4A68-987F-4622EE0FC162 | This rule indicates that the upgrade failed due to a temporary block. A temporary block is put in place when an issue is found with a specific piece of software or hardware driver and the issue has a fix pending. The block is lifted once the fix is widely available. | +| **HardblockDeviceOrDriver** | ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B | This error indicates a device driver that is loaded on the host OS isn't compatible with the newer OS version. The device driver needs to be removed prior to the upgrade. | +| **HardblockMismatchedLanguage** | 60BA8449-CF23-4D92-A108-D6FCEFB95B45 | This rule indicates the host OS and the target OS language editions don't match. | +| **HardblockFlightSigning** | 598F2802-3E7F-4697-BD18-7A6371C8B2F8 | This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This rule blocks the pre-release signed build from booting if installed on the machine. | +| **DiskSpaceBlockInDownLevel** | 6080AFAC-892E-4903-94EA-7A17E69E549E | This failure indicates the system ran out of disk space during the down-level operations of upgrade. | +| **DiskSpaceFailure** | 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191 | This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade. | +| **PreReleaseWimMountDriverFound** | 31EC76CC-27EC-4ADC-9869-66AABEDB56F0 | Captures failures due to having an unrecognized `wimmount.sys` driver registered on the system. | +| **DebugSetupMemoryDump** | C7C63D8A-C5F6-4255-8031-74597773C3C6 | This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag debugs the memory dump and provide details. | +| **DebugSetupCrash** | CEEBA202-6F04-4BC3-84B8-7B99AED924B1 | This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. | +| **DebugMemoryDump** | 505ED489-329A-43F5-B467-FCAAF6A1264C | This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. If the debugger tools are installed on the system, SetupDiag debugs the memory dump and give further details. | +| **DeviceInstallHang** | 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 | This failure rule indicates the system hung or bug checked during the device installation phase of upgrade. | +| **DriverPackageMissingFileFailure** | 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 | This rule indicates that a driver package had a missing file during device install. Updating the driver package might help resolve the issue. | +| **UnsignedDriverBootFailure** | CD270AA4-C044-4A22-886A-F34EF2E79469 | This rule indicates that an unsigned driver caused a boot failure. | +| **BootFailureDetected** | 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7 | This rule indicates a boot failure occurred during a specific phase of the update. The rule indicates the failure code and phase for diagnostic purposes. | +| **WinSetupBootFilterFailure** | C073BFC8-5810-4E19-B53B-4280B79E096C | Detects failures in the kernel mode file operations. | +| **FindDebugInfoFromRollbackLog** | 9600EB68-1120-4A87-9FE9-3A4A70ACFC37 | This rule determines and gives details when a bug check occurs during the setup/upgrade process that resulted in a memory dump. However, a debugger package isn't required on the executing machine. | +| **AdvancedInstallerFailed** | 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC | Finds fatal advanced installer operations that cause setup failures. Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. | +| **AdvancedInstallerPluginInstallFailed** | 2F784A0E-CEB1-47C5-8072-F1294C7CB4AE | This rule indicates some component that was being installed via an advanced installer (FeatureOnDemand, Language Packs, .NET packages, etc.) failed to install. The rule calls out what was being installed. If the failed component is a FeatureOnDemand, remove the Windows Feature, reboot, and try the upgrade again. If the failed component is a Language Pack, remove the additional language pack, reboot, and try the upgrade again. | +| **AdvancedInstallerGenericFailure** | 4019550D-4CAA-45B0-A222-349C48E86F71 | A rule to match AdvancedInstaller read/write failures in a generic sense. Triggers on advanced installer failures in a generic sense. It outputs the application called, phase, mode, component and error code. | +| **FindMigApplyUnitFailure** | A4232E11-4043-4A37-9BF4-5901C46FD781 | Detects a migration unit failure that caused the update to fail. This rule outputs the name of the migration plug-in and the error code it produced for diagnostic purposes. | +| **FindMigGatherUnitFailure** | D04C064B-CD77-4E64-96D6-D26F30B4EE29 | Detects a migration gather unit failure that caused the update to fail. This rule outputs the name of the gather unit/plug-in and the error code it produced for diagnostic purposes. | +| **FindMigGatherApplyFailure** | A9964E6C-A2A8-45FF-B6B5-25E0BD71428E | Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration | +| **OptionalComponentFailedToGetOCsFromPackage** | D012E2A2-99D8-4A8C-BBB2-088B92083D78 | This rule matches a specific Optional Component failure when attempting to enumerate components in a package. Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. It outputs the package name and error code. This rule replaces the OptionalComponentInstallFailure rule present. | +| **OptionalComponentOpenPackageFailed** | 22952520-EC89-4FBD-94E0-B67DF88347F6 | Matches a specific Optional Component failure when attempting to open an OC package. It outputs the package name and error code. Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. | +| **OptionalComponentInitCBSSessionFailed** | 63340812-9252-45F3-A0F2-B2A4CA5E9317 | Matches a specific failure where the advanced installer service or components aren't operating or started on the system. Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. | +| **CriticalSafeOSDUFailure** | 73566DF2-CA26-4073-B34C-C9BC70DBF043 | This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It indicates the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes. | +| **UserProfileCreationFailureDuringOnlineApply** | 678117CE-F6A9-40C5-BC9F-A22575C78B14 | Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It indicates the operation and error code associated with the failure for diagnostic purposes. | +| **UserProfileCreationFailureDuringFinalize** | C6677BA6-2E53-4A88-B528-336D15ED1A64 | Matches a specific User Profile creation error during the finalize phase of setup. It outputs the failure code. | +| **UserProfileSuffixMismatch** | B4BBCCCE-F99D-43EB-9090-078213397FD8 | Detects when a file or other object causes the migration or creation of a user profile to fail during the update. | +| **DuplicateUserProfileFailure** | BD7B3109-80F1-4421-8F0A-B34CD25F4B51 | This rule indicates a fatal error while migrating user profiles, usually with multiple SIDs associated with a single user profile. This error usually occurs when software creates local user accounts that aren't ever used or signed in with. The rule indicates the SID and UserName of the account that is causing the failure. To attempt to resolve the issue, first back up all the user's files for the affected user account. After the user's files are backed up, delete the account in a supported manner. Make sure that the account isn't one that is needed or is currently used to sign into the device. After deleting the account, reboot, and try the upgrade again. | +| **WimMountFailure** | BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549 | This rule indicates the update failed to mount a WIM file. It shows the name of the WIM file and the error message and error code associated with the failure for diagnostic purposes. | +| **WimMountDriverIssue** | 565B60DD-5403-4797-AE3E-BC5CB972FBAE | Detects failures in `WimMount.sys` registration on the system. | +| **WimApplyExtractFailure** | 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 | Matches a WIM apply failure during WIM extraction phases of setup. It outputs the extension, path and error code. | +| **UpdateAgentExpanderFailure** | 66E496B3-7D19-47FA-B19B-4040B9FD17E2 | Matches DPX expander failures in the down-level phase of update from Windows Update. It outputs the package name, function, expression and error code. | +| **FindFatalPluginFailure** | E48E3F1C-26F6-4AFB-859B-BF637DA49636 | Matches any plug-in failure that setupplatform decides is fatal to setup. It outputs the plugin name, operation and error code. | +| **MigrationAbortedDueToPluginFailure** | D07A24F6-5B25-474E-B516-A730085940C9 | Indicates a critical failure in a migration plugin that causes setup to abort the migration. Provides the setup operation, plug-in name, plug-in action and error code. | +| **DISMAddPackageFailed** | 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 | Indicates a critical failure during a DISM add package operation. Specifies the Package Name, DISM error and add package error code. | +| **DISMImageSessionFailure** | 61B7886B-10CD-4C98-A299-B987CB24A11C | Captures failure information when DISM fails to start an image session successfully. | +| **DISMproviderFailure** | D76EF86F-B3F8-433F-9EBF-B4411F8141F4 | Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. | +| **SysPrepLaunchModuleFailure** | 7905655C-F295-45F7-8873-81D6F9149BFD | Indicates a sysPrep plug-in failed in a critical operation. Indicates the plug-in name, operation name and error code. | +| **UserProvidedDriverInjectionFailure** | 2247C48A-7EE3-4037-AFAB-95B92DE1D980 | A driver provided to setup (via command line input) failed in some way. Outputs the driver install function and error code. | +| **DriverMigrationFailure** | 9378D9E2-256E-448C-B02F-137F611F5CE3 | This rule indicates a fatal failure when migrating drivers. | +| **UnknownDriverMigrationFailure** | D7541B80-5071-42CE-AD14-FBE8C0C4F7FD | This rule indicates a bad driver package resides on the system. The driver package causes the upgrade to fail when the driver package is attempted to migrate to the new OS. The rule usually indicates the driver package name that caused the issue. The remediation is to remove the bad driver package, reboot, and try the upgrade again. If an update to this driver is available from the OEM, updating the driver package is recommended. | +| | | +| **FindSuccessfulUpgrade** | 8A0824C8-A56D-4C55-95A0-22751AB62F3E | Determines if the given setup was a success or not based off the logs. | +| **FindSetupHostReportedFailure** | 6253C04F-2E4E-4F7A-B88E-95A69702F7EC | Gives information about failures surfaced early in the upgrade process by `setuphost.exe` | +| **FindDownlevelFailure** | 716334B7-F46A-4BAA-94F2-3E31BC9EFA55 | Gives failure information surfaced by SetupPlatform, later in the down-level phase. | +| **FindAbruptDownlevelFailure** | 55882B1A-DA3E-408A-9076-23B22A0472BD | Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly. | +| **FindEarlyDownlevelError** | A4CE4FC9-5E10-4BB1-8ECE-3B29EB9D7C52 | Detects failures in down-level phase before setup platform is invoked. | +| **FindSPFatalError** | A4028172-1B09-48F8-AD3B-86CDD7D55852 | Captures failure information when setup platform encounters a fatal error. | +| **FindSetupPlatformFailedOperationInfo** | 307A0133-F06B-4B75-AEA8-116C3B53C2D1 | Gives last phase and error information when SetupPlatform indicates a critical failure. This rule indicates the operation and error associated with the failure for diagnostic purposes. | +| **FindRollbackFailure** | 3A43C9B5-05B3-4F7C-A955-88F991BB5A48 | Gives last operation, failure phase and error information when a rollback occurs. | ## Sample logs ### Text log sample -``` +```txt Matching Profile found: OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 System Information: - Machine Name = Offline - Manufacturer = MSI - Model = MS-7998 - HostOSArchitecture = x64 - FirmwareType = PCAT - BiosReleaseDate = 20160727000000.000000+000 - BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70 - BiosVersion = 1.70 - HostOSVersion = 10.0.15063 - HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834 - TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534) - HostOSLanguageId = 2057 - HostOSEdition = Core - RegisteredAV = Windows Defender, - FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo, - UpgradeStartTime = 3/21/2018 9:47:16 PM - UpgradeEndTime = 3/21/2018 10:02:40 PM - UpgradeElapsedTime = 00:15:24 - ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde + Machine Name = Offline + Manufacturer = MSI + Model = MS-7998 + HostOSArchitecture = x64 + FirmwareType = PCAT + BiosReleaseDate = 20160727000000.000000+000 + BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70 + BiosVersion = 1.70 + HostOSVersion = 10.0.15063 + HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834 + TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534) + HostOSLanguageId = 2057 + HostOSEdition = Core + RegisteredAV = Windows Defender, + FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo, + UpgradeStartTime = 3/21/2023 9:47:16 PM + UpgradeEndTime = 3/21/2023 10:02:40 PM + UpgradeElapsedTime = 00:15:24 + ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again. @@ -455,7 +378,7 @@ Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-co ```xml - 1.6.0.0 + 1.7.0.0 FindSPFatalError A4028172-1B09-48F8-AD3B-86CDD7D55852 @@ -474,9 +397,9 @@ Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-co Professional Windows Defender - 2019-06-06T21:19:10 + 2023-06-06T21:19:10 - 2019-06-06T22:21:49 + 2023-06-06T22:21:49 0001-01-01T00:00:00 0001-01-01T00:00:00 @@ -488,14 +411,14 @@ Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-co F21F8FB6-00FD-4349-84FB-2AC75F389E73 F21F8FB6-00FD-4349-84FB-2AC75F389E73 - 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057] + 2023-06-06 21:47:11, Error SP Error converting install time 5/2/2023 to structure[gle=0x00000057] Error: SetupDiag reports Fatal Error. Last Setup Phase = Downlevel Last Setup Operation: Gather data, scope: EVERYTHING Error: 0x00000057 - LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057] - LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057] + LogEntry: 2023-06-06 21:47:11, Error SP Error converting install time 5/2/2023 to structure[gle=0x00000057] + LogEntry: 2023-06-06 21:47:11, Error SP Error converting install time 5/2/2023 to structure[gle=0x00000057] Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" for error information. Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel @@ -504,7 +427,7 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" ### JSON log sample -``` +```json { "Version":"1.6.0.0", "ProfileName":"FindSPFatalError", @@ -540,15 +463,15 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" "UpgradeEndTime":"\/Date(1559884909000-0700)\/", "UpgradeStartTime":"\/Date(1559881150000-0700)\/" }, - "LogErrorLine":"2019-06-06 21:47:11, Error SP Error converting install time 5\/2\/2019 to structure[ + "LogErrorLine":"2023-06-06 21:47:11, Error SP Error converting install time 5\/2\/2023 to structure[ gle=0x00000057 ]", "FailureData":[ "\u000aError: SetupDiag reports Fatal Error.\u000aLast Setup Phase = Downlevel\u000aLast Setup Operation: Gather data, scope: EVERYTHING\u000aError: 0x00000057", - "LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5\/2\/2019 to structure[ + "LogEntry: 2023-06-06 21:47:11, Error SP Error converting install time 5\/2\/2023 to structure[ gle=0x00000057 ]", - "LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5\/2\/2019 to structure[ + "LogEntry: 2023-06-06 21:47:11, Error SP Error converting install time 5\/2\/2023 to structure[ gle=0x00000057 ]", "\u000aRefer to \"https:\/\/learn.microsoft.com\/windows\/desktop\/Debug\/system-error-codes\" for error information." @@ -563,10 +486,10 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" } ``` -## Sample registry key +## Example registry key -![Example of Addreg.](./../images/addreg.png) +:::image type="content" alt-text="Example of Addreg registry key." source="../images/addreg.png"::: ## Related articles -[Resolve Windows 10 upgrade errors: Technical information for IT Pros](./resolve-windows-10-upgrade-errors.md) +- [Resolve Windows upgrade errors: Technical information for IT Pros](./resolve-windows-upgrade-errors.md). diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 5bd00dddf7..16cae375b4 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -1,72 +1,75 @@ --- -title: Submit Windows 10 upgrade errors using Feedback Hub +title: Submit Windows upgrade errors using Feedback Hub manager: aaroncz ms.author: frankroj -description: Download the Feedback Hub app, and then submit Windows 10 upgrade errors for diagnosis using feedback hub. -ms.prod: windows-client +description: Download the Feedback Hub app, and then submit Windows upgrade errors for diagnosis using feedback hub. +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.topic: article -ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.subservice: itpro-deploy +ms.date: 01/18/2024 +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 --- -# Submit Windows 10 upgrade errors using Feedback Hub +# Submit Windows upgrade errors using Feedback Hub -**Applies to** -- Windows 10 +> [!NOTE] +> +> This article is a 100 level article (basic). +> +> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. ->[!NOTE] ->This is a 100 level topic (basic).
    ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -## In this topic - -This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub. +This article describes how to submit problems with a Windows upgrade to Microsoft using the Windows Feedback Hub. ## About the Feedback Hub -The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0). +The Feedback Hub app allows reporting to Microsoft of any problems encountered while using Windows. It also allows sending suggestions to Microsoft on how to improve the Windows experience. Previously, the Feedback Hub could only be used through the Windows Insider Program. Now anyone can use this tool. The Feedback Hub app can be downloaded from the [Microsoft Store](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0). -The Feedback Hub requires Windows 10. If you're having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information. However, you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you're upgrading to Windows 10 from a previous version of Windows 10, the Feedback Hub will collect log files automatically. +The Feedback Hub requires a currently supported version of Windows. The Feedback Hub can be used to submit information to Microsoft if problems are encountered while upgrading Windows. If upgrading to a currently supported version of Windows from a previous version that's Windows 10 or newer, the Feedback Hub automatically collects log files. For operating systems prior to Windows 10 that don't support the Feedback Hub, the log files must be manually collected. The log files can then be attached to the feedback item using a device that is running a currently supported version of Windows that supports the Feedback Hub. ## Submit feedback -To submit feedback about a failed Windows 10 upgrade, select the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md) +To submit feedback about a failed Windows upgrade, open the [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md). -The Feedback Hub will open. +In the Feedback Hub, fill out all four sections with as much detail as possible: -- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**. -- Under **Give us more detail**, provide additional information about the failed upgrade, such as: - - When did the failure occur? - - Were there any reboots? - - How many times did the system reboot? - - How did the upgrade fail? - - Were any error codes visible? - - Did the computer fail to a blue screen? - - Did the computer automatically rollback or did it hang, requiring you to power cycle it before it rolled back? -- Additional details - - What type of security software is installed? - - Is the computer up to date with latest drivers and firmware? - - Are there any external devices connected? -- If you used the link above, the category and subcategory will be automatically selected. If it isn't selected, choose **Install and Update** and **Windows Installation**. +1. **Enter your feedback** +1. **Choose a category** +1. **Find similar feedback** +1. **Add more details** -You can attach a screenshot or file if desired. This is optional, but can be helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs). +Recommended information that can be included under the **Add more details** section include: -Select **Submit** to send your feedback. +- When did the failure occur? + - Were there any reboots? + - How many times did the system reboot? +- How did the upgrade fail? + - Were any error codes visible? + - Did the computer fail to a blue screen? + - Did the computer automatically rollback or did it hang, requiring the computer to be power cycled before it rolled back? +- What type of security software is installed? +- Is the computer up to date with latest drivers and firmware? +- Are there any external devices connected? -See the following example: +Using the **Attach a screenshot** and **Attach a file** options allows screenshots or files to be included as part of the feedback item. Attachments and screenshots are optional, but can be helpful when diagnosing the upgrade issue. For example, log files can be included as attachments to the feedback item. The location of the Windows upgrade log files is described in the article [Windows Setup log files and event logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs). -![feedback example.](../images/feedback.png) +Finally the **Recreate my problem** option can be used to potentially send additional data and logs for Microsoft to evaluate. -After you select Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. +Once all the feedback items are completed, select the **Submit** button to send the feedback. Microsoft receives the feedback and begins analyzing the issue. The submitted feedback can be checked on periodically to see what solutions are provided. -## Link to your feedback +## Link to the feedback -After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. +After the feedback is submitted, additional information and items can be added to the feedback item. To do so: -![share.](../images/share.jpg) +1. Open the [Feedback Hub](feedback-hub:). +1. At the top of the Feedback Hub, select **My feedback**. +1. Select the feedback item that was submitted. +1. Select **Share**. +1. Copy and then use the short link that is displayed. + +:::image type="content" alt-text="Share example." source="../images/share.jpg"::: ## Related articles - -[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 7686e7d15b..3a3e1ce84b 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -1,7 +1,7 @@ --- title: Windows 10 upgrade paths (Windows 10) description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported. -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj manager: aaroncz @@ -10,7 +10,7 @@ ms.topic: conceptual ms.collection: - highpri - tier2 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/02/2023 appliesto: - ✅ Windows 10 diff --git a/windows/deployment/upgrade/windows-edition-upgrades.md b/windows/deployment/upgrade/windows-edition-upgrades.md index 44c3c79c40..f09b8e67cc 100644 --- a/windows/deployment/upgrade/windows-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-edition-upgrades.md @@ -3,14 +3,14 @@ title: Windows edition upgrade description: With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.topic: conceptual ms.collection: - highpri - tier2 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/02/2023 appliesto: - ✅ Windows 10 diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 57c9590028..6bf70a9220 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -3,30 +3,32 @@ title: Windows error reporting - Windows IT Pro manager: aaroncz ms.author: frankroj description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup. -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.topic: article -ms.technology: itpro-deploy -ms.date: 10/28/2022 +ms.subservice: itpro-deploy +ms.date: 01/18/2024 +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 --- # Windows Error Reporting -**Applies to** -- Windows 10 - > [!NOTE] -> This is a 300 level topic (moderately advanced). -> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. +> +> This article is a 300 level article (moderately advanced). +> +> See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. - -When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell. +When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. Event Viewer or Windows PowerShell can be used to review this event. To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt: > [!IMPORTANT] -> The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable. +> +> The following Event logs are only available if Windows was updated from a previous version of Windows to a new version of Windows. ```powershell $events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"} @@ -34,37 +36,35 @@ $event = [xml]$events[0].ToXml() $event.Event.EventData.Data ``` -To use Event Viewer: +To use Event Viewer: + 1. Open Event Viewer and navigate to **Windows Logs\Application**. -2. Select **Find**, and then search for **winsetupdiag02**. -3. Double-click the event that is highlighted. +1. Select **Find**, and then search for **winsetupdiag02**. +1. Double-click the event that is highlighted. > [!NOTE] -> For legacy operating systems, the Event Name was WinSetupDiag01. +> +> For legacy operating systems, the Event Name was WinSetupDiag01. Ten parameters are listed in the event: -| Parameters | -| ------------- | -|P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) | -|P2: Setup Mode (x=default,1=Downlevel,5=Rollback) | -|P3: New OS Architecture (x=default,0=X86,9=AMD64) | -|P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) | -|**P5: Result Error Code** (Ex: 0xc1900101) | -|**P6: Extend Error Code** (Ex: 0x20017) | -|P7: Source OS build (Ex: 9600) | -|P8: Source OS branch (not typically available) | -|P9: New OS build (Ex: 16299} | -|P10: New OS branch (Ex: rs3_release} | +| Parameters | +| ------------- | +| P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) | +| P2: Setup Mode (x=default,1=Downlevel,5=Rollback) | +| P3: New OS Architecture (x=default,0=X86,9=AMD64) | +| P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) | +| **P5: Result Error Code** (Ex: 0xc1900101) | +| **P6: Extend Error Code** (Ex: 0x20017) | +| P7: Source OS build (Ex: 9600) | +| P8: Source OS branch (not typically available) | +| P9: New OS build (Ex: 16299) | +| P10: New OS branch (Ex: rs3_release) | -The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below. +The event also contains links to log files that can be used to perform a detailed diagnosis of the error. The following example is an example of this event from a successful upgrade: :::image type="content" alt-text="Windows Error Reporting." source="../images/event.png" lightbox="../images/event.png"::: ## Related articles -[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml) -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -[Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors) \ No newline at end of file +- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors). diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index 4a534442ee..90b71af916 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -3,10 +3,10 @@ title: Windows Upgrade and Migration Considerations (Windows 10) description: Discover the Microsoft tools you can use to move files and settings between installations including special considerations for performing an upgrade or migration. manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 08/09/2023 --- diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md index c8ea3f2dda..cf0bfb9763 100644 --- a/windows/deployment/upgrade/windows-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-upgrade-paths.md @@ -1,7 +1,7 @@ --- title: Windows upgrade paths description: Upgrade to current versions of Windows from a previous version of Windows -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj manager: aaroncz @@ -10,7 +10,7 @@ ms.topic: conceptual ms.collection: - highpri - tier2 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy ms.date: 10/02/2023 appliesto: - ✅ Windows 10 diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index b007b891a8..398bf0db0c 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -1,13 +1,14 @@ --- title: User State Migration Tool (USMT) - Getting Started description: Plan, collect, and prepare the source computer for migration using the User State Migration Tool (USMT). +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy -ms.date: 01/03/2024 +ms.subservice: itpro-deploy +ms.date: 01/09/2024 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index 7c2dc34d50..0c0c0cd136 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -1,13 +1,14 @@ --- title: Migrate Application Settings description: Learn how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using MigApp.xml. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index 71640e70fa..a78ca35e20 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -1,13 +1,14 @@ --- title: Migration Store Types Overview description: Learn about the migration store types and how to determine which migration store type best suits the organization's needs. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index 0c2913a370..37d0ee09aa 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -1,13 +1,14 @@ --- title: Offline Migration Reference description: Offline migration enables the ScanState tool to run inside a different Windows OS than the Windows OS from which ScanState is gathering files and settings. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index 5530d60b05..a0a19e6b05 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -1,13 +1,14 @@ --- title: Understanding Migration XML Files description: Learn how to modify the behavior of a basic User State Migration Tool (USMT) migration by using XML files. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index c7a079cf31..52e3d80761 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -1,13 +1,14 @@ --- title: USMT Best Practices description: This article discusses general and security-related best practices when using User State Migration Tool (USMT). +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/02/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index bcee347165..3fa1d56d53 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -1,13 +1,14 @@ --- title: Choose a Migration Store Type description: Learn how to choose a migration store type and estimate the amount of disk space needed for computers in the organization. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 9c39155386..7910d461e3 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -1,13 +1,14 @@ --- title: User State Migration Tool (USMT) Command-line Syntax description: Learn about the User State Migration Tool (USMT) command-line syntax for using the **ScanState** tool, **LoadState** tool, and UsmtUtils tool. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 0b9d8c0c79..3cd5309aed 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -1,13 +1,14 @@ --- title: Common Migration Scenarios description: See how the User State Migration Tool (USMT) is used when planning hardware and/or operating system upgrades. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 50d35e7bcb..4e57000ce6 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -1,13 +1,14 @@ --- title: Config.xml File description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) file that can be created using the /genconfig option with the ScanState.exe tool. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index de97180e05..3bcd0d7bad 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -1,13 +1,14 @@ --- title: Conflicts and Precedence description: In this article, learn how User State Migration Tool (USMT) deals with conflicts and precedence. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 5784abdf38..18b3331ea4 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -1,13 +1,14 @@ --- title: Custom XML Examples description: Use custom XML examples to learn how to migrate an unsupported application, migrate files and registry keys, and migrate the Videos folder. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy -ms.date: 01/03/2024 +ms.subservice: itpro-deploy +ms.date: 01/09/2024 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index 9f102208a9..33c3120090 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -1,13 +1,14 @@ --- title: Customize USMT XML Files description: Learn how to customize USMT XML files. Also, learn about the migration XML files that are included with USMT. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index 3fd59322ea..68e87f678b 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -1,13 +1,14 @@ --- title: Determine What to Migrate description: Determine migration settings for standard or customized for the User State Migration Tool (USMT). +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 943f389168..8db55b2eae 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -1,13 +1,14 @@ --- title: Estimate Migration Store Size description: Estimate the disk space requirement for a migration so that the User State Migration Tool (USMT) can be used. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index eaa1b73d0a..221ef98e11 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -1,13 +1,14 @@ --- title: Exclude Files and Settings description: In this article, learn how to exclude files and settings when creating a custom .xml file and a Config.xml file. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index fabb39e360..c39ac18b5a 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -1,13 +1,14 @@ --- title: Extract Files from a Compressed USMT Migration Store description: In this article, learn how to extract files from a compressed User State Migration Tool (USMT) migration store. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml index 3f948afe24..666888f9d3 100644 --- a/windows/deployment/usmt/usmt-faq.yml +++ b/windows/deployment/usmt/usmt-faq.yml @@ -3,15 +3,15 @@ metadata: title: 'USMT Frequently Asked Questions' description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT).' ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b - ms.prod: windows-client - ms.technology: itpro-deploy + ms.service: windows-client + ms.subservice: itpro-deploy author: frankroj ms.author: frankroj manager: aaroncz ms.mktglfcycl: deploy ms.sitesec: library audience: itpro - ms.date: 01/03/2024 + ms.date: 01/09/2024 ms.topic: faq title: Frequently Asked Questions summary: | diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index ed822d7993..f0e8b6df67 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -1,13 +1,14 @@ --- title: General Conventions description: Learn about general XML guidelines and how to use XML helper functions in the XML Elements library to change migration behavior. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 9a2f6667d8..fb1b03a426 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -1,13 +1,14 @@ --- title: Hard-Link Migration Store description: Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 762709204e..7008393b54 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -1,13 +1,14 @@ --- title: How USMT Works description: Learn how USMT works and how it includes two tools that migrate settings and data - ScanState and LoadState. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article -ms.technology: itpro-deploy -ms.date: 01/03/2024 +ms.subservice: itpro-deploy +ms.date: 01/09/2024 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index c955bcb324..5356e4e408 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md @@ -1,13 +1,14 @@ --- title: User State Migration Tool (USMT) How-to articles description: Reference the articles in this article to learn how to use User State Migration Tool (USMT) to perform specific tasks. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md index d76eb75973..588764266d 100644 --- a/windows/deployment/usmt/usmt-identify-application-settings.md +++ b/windows/deployment/usmt/usmt-identify-application-settings.md @@ -1,13 +1,14 @@ --- title: Identify Applications Settings description: Identify which applications and settings need to be migrated before using the User State Migration Tool (USMT). +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md index 3f31587cc7..db8587a5a5 100644 --- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md +++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md @@ -1,13 +1,14 @@ --- title: Identify File Types, Files, and Folders description: Identify the file types, files, folders, and settings that need to be migrated when planning the migration. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index 4810e4528f..5d8c14a899 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -1,13 +1,14 @@ --- title: Identify Operating System Settings description: Identify which system settings need to be migrated. The User State Migration Tool (USMT) can then be used to select settings and keep the default values for all others. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index 32f38a7d39..6f3195fe0a 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -1,14 +1,15 @@ --- title: Identify Users description: Learn how to identify users that need to be migrated, and how to migrate local accounts and domain accounts. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.topic: article ms.localizationpriority: medium -ms.technology: itpro-deploy -ms.date: 01/03/2024 +ms.subservice: itpro-deploy +ms.date: 01/09/2024 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index aa295527cb..aa89ea14d0 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -1,13 +1,14 @@ --- title: Include Files and Settings description: Specify the migration .xml files that are needed, then use the User State Migration Tool (USMT) to migrate the settings and components specified. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index 5c3033977b..520ba1010a 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -1,13 +1,14 @@ --- title: LoadState Syntax description: Learn about the syntax and usage of the command-line options available when using the LoadState command. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index e76bb02593..53b4df1789 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -1,13 +1,14 @@ --- title: USMT Log Files description: Learn how to use User State Migration Tool (USMT) logs to monitor the migration and to troubleshoot errors and failed migrations. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index 07c64a00c9..eeb1b3c15f 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -1,13 +1,14 @@ --- title: Migrate EFS Files and Certificates description: Learn how to migrate Encrypting File System (EFS) certificates. Also, learn where to find information about how to identify file types, files, and folders. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 792d49e9b4..898de489c6 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -1,13 +1,14 @@ --- title: Migrate User Accounts description: Learn how to migrate user accounts and how to specify which users to include and exclude by using the User options on the command line. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md index b79eec1a7c..17d6643a94 100644 --- a/windows/deployment/usmt/usmt-migration-store-encryption.md +++ b/windows/deployment/usmt/usmt-migration-store-encryption.md @@ -1,13 +1,14 @@ --- title: Migration Store Encryption description: Learn how the User State Migration Tool (USMT) enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES). +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 11/01/2022 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index 75b410826c..f0023bfc0b 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -1,12 +1,13 @@ --- title: User State Migration Tool (USMT) overview description: Learn about using User State Migration Tool (USMT) to streamline and simplify user state migration during large deployments of Windows operating systems. -ms.prod: windows-client -ms.technology: itpro-deploy +ms.service: windows-client +ms.subservice: itpro-deploy author: frankroj +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: overview ms.collection: - highpri diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index 7b3d61b533..806b4afc87 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -1,13 +1,14 @@ --- title: Plan The Migration description: Learn how to plan the migration carefully so the migration can proceed smoothly and so that the risk of migration failure is reduced. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index c939a9179d..be9096cf54 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -1,12 +1,13 @@ --- title: Recognized environment variables description: Learn how to use environment variables to identify folders that can be different on different computers. -ms.prod: windows-client -ms.technology: itpro-deploy +ms.service: windows-client +ms.subservice: itpro-deploy +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: conceptual ms.collection: - highpri diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index 1dae5a4d13..e81d243feb 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -1,13 +1,14 @@ --- title: User State Migration Toolkit (USMT) Reference description: Use this User State Migration Toolkit (USMT) article to learn details about USMT, like operating system, hardware, and software requirements, and user prerequisites. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index fc7b587b94..1ed79eb022 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md @@ -1,13 +1,14 @@ --- title: USMT Requirements description: While the User State Migration Tool (USMT) doesn't have many requirements, these tips and tricks can help smooth the migration process. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/18/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -37,6 +38,9 @@ The following table lists the operating systems supported in USMT. ## Unsupported scenarios - USMT doesn't support any of the Windows Server operating systems. +- USMT doesn't support Microsoft Entra joined devices as either a source or destination device. +- USMT might work with Microsoft Entra hybrid joined devices, but it's not a tested scenario so therefore unsupported. +- USMT doesn't support migrating settings for Microsoft Store apps. - USMT shouldn't be used for migrating between previous versions of Windows. USMT is only meant to: - Migrate to a currently supported version of Windows - Migrate between currently supported versions of Windows, assuming the version of Windows being migrated to is newer or the same as the previous version of Windows being migrated from. diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index 99851aed2d..247311e3eb 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -1,13 +1,14 @@ --- title: Reroute Files and Settings description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState command lines to reroute files and settings. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index 00f4302e74..18a09528cb 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -1,13 +1,14 @@ --- title: USMT Resources description: Learn about User State Migration Tool (USMT) online resources, including Microsoft Visual Studio and forums. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 25a1b1d5e8..5b74859a02 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -1,13 +1,14 @@ --- title: ScanState Syntax description: The ScanState command is used with the User State Migration Tool (USMT) to scan the source computer, collect the files and settings, and create a store. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 11/01/2022 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index 0d34114c83..6a7de9fd90 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md @@ -1,13 +1,14 @@ --- title: User State Migration Tool (USMT) Technical Reference description: The User State Migration Tool (USMT) provides a highly customizable user-profile migration experience for IT professionals. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index b21e91a311..b4a39f6bfd 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -1,13 +1,14 @@ --- title: Test The Migration description: Learn about testing the migration plan in a controlled laboratory setting before deploying it to the entire organization. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index 21d5a39253..8b868f1fec 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md @@ -1,13 +1,14 @@ --- title: User State Migration Tool (USMT) Overview Articles description: Learn about User State Migration Tool (USMT) overview articles that describe USMT as a highly customizable user-profile migration experience for IT professionals. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index bb59960a58..e3c14bf619 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -1,13 +1,14 @@ --- title: User State Migration Tool (USMT) Troubleshooting description: Learn about articles that address common User State Migration Tool (USMT) issues and questions to help troubleshooting. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index 59ba8b8b14..2ccde56d88 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -1,13 +1,14 @@ --- title: UsmtUtils Syntax description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) through the command-line interface. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 11/01/2022 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index 0ae37eaea0..cee6051fd0 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -1,13 +1,14 @@ --- title: What does USMT migrate description: Learn how User State Migration Tool (USMT) is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/18/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -213,7 +214,10 @@ USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, sett ### User profiles from Active Directory to Microsoft Entra ID -USMT doesn't support migrating user profiles from Active Directory to Microsoft Entra ID. +- USMT doesn't support migrating user profiles from Active Directory domain joined devices to Microsoft Entra joined devices. +- USMT doesn't support migrating user profiles from Microsoft Entra joined devices to Active Directory domain joined devices. +- USMT doesn't support migrating user profiles between Microsoft Entra joined devices. +- USMT might work when migrating user profiles between Microsoft Entra hybrid joined devices or between Active Directory domain joined devices and Microsoft Entra hybrid joined devices, but it's not a tested scenario so therefore unsupported. ## Related articles diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index b47b672f77..7e06dffcf9 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -1,13 +1,14 @@ --- title: XML Elements Library description: Learn about the XML elements and helper functions that can be employed to author migration .xml files to use with User State Migration Tool (USMT). +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index 9159bb28f1..4bc9ba48e0 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -1,13 +1,14 @@ --- title: USMT XML Reference description: Learn about working with and customizing the migration XML files using User State Migration Tool (USMT) XML Reference for Windows. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index 2a22ccb80c..2f66da5edc 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -1,13 +1,14 @@ --- title: Verify the Condition of a Compressed Migration Store description: Use these tips and tricks to verify the condition of a compressed migration store when using User State Migration Tool (USMT). +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index b40adbaeda..3182faf447 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -1,13 +1,14 @@ --- title: XML File Requirements description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration URL ID. +ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj -ms.date: 01/03/2024 +ms.date: 01/09/2024 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index aefcd10aa4..0e1c0ccf66 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -5,8 +5,8 @@ ms.reviewer: nganguly manager: aaroncz ms.author: frankroj author: frankroj -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.localizationpriority: medium ms.topic: how-to ms.date: 11/14/2023 diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md index 956036f01b..4c3cae83e2 100644 --- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md @@ -4,11 +4,11 @@ description: Learn how to use the Volume Activation Management Tool (VAMT) Activ ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Activate by Proxy an Active Directory Forest diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index ce77d52b35..82278ce278 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md @@ -4,11 +4,11 @@ description: Use the Volume Activation Management Tool (VAMT) Active Directory-B ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Activate an Active Directory Forest Online diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 9304d88783..94a2db6f87 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -5,8 +5,8 @@ ms.reviewer: nganguly manager: aaroncz author: frankroj ms.author: frankroj -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: how-to diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index b1056c9728..0f74f80116 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -2,8 +2,8 @@ title: Activate using Key Management Service description: Learn how to use Key Management Service (KMS) to activate Windows. ms.reviewer: nganguly -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals author: frankroj manager: aaroncz ms.author: frankroj diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 2dbac0a510..006a02b12c 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md @@ -4,12 +4,12 @@ description: After you have configured Key Management Service (KMS) or Active Di ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Activate clients running Windows 10 diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index 37122356a9..3d293922bf 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -4,11 +4,11 @@ description: Enable your enterprise to activate its computers through a connecti ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Active Directory-Based Activation overview diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index a57398003d..a458568f79 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md +++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -4,11 +4,11 @@ description: Add client computers into the Volume Activation Management Tool (VA ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Add and manage products diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 20e49eabe0..4ee747359f 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md @@ -4,11 +4,11 @@ description: The Discover products function on the Volume Activation Management ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Add and remove computers diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index 229cb229b6..89439e87f0 100644 --- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -4,11 +4,11 @@ description: Add a product key to the Volume Activation Management Tool (VAMT) d ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Add and remove a product key diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index be88aa7204..4d9d39522a 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -5,8 +5,8 @@ ms.reviewer: nganguly manager: aaroncz ms.author: frankroj author: frankroj -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: article diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index a2282b3152..5b39a2996e 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -5,10 +5,10 @@ ms.reviewer: nganguly manager: aaroncz author: frankroj ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Configure client computers diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 378f187d4d..888523a907 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -4,8 +4,8 @@ description: Learn how to use the VAMT to import product-activation data from a ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals author: frankroj ms.date: 11/07/2022 ms.topic: how-to diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index c2f7b56ef2..ed447a8674 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -4,12 +4,12 @@ description: Learn how to install and configure the Volume Activation Management ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Install and configure VAMT diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index 1788056d42..0c65b30992 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -4,12 +4,12 @@ description: Learn to use the Volume Activation Management Tool (VAMT) to instal ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Install a KMS Client Key diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index e98a27e5cd..fec886a0b7 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -4,12 +4,12 @@ description: Learn to use the Volume Activation Management Tool (VAMT) to instal ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Install a Product Key diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 455f978c0a..e5e731a271 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -4,12 +4,12 @@ description: Learn how to install Volume Activation Management Tool (VAMT) as pa ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 10/13/2023 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index ecd19f7dcc..ae69a809d3 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -4,8 +4,8 @@ description: VAMT enables administrators to automate and centrally manage the Wi ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals author: frankroj ms.date: 11/07/2022 ms.topic: overview diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md index 5c00b19da0..97e5bcca16 100644 --- a/windows/deployment/volume-activation/kms-activation-vamt.md +++ b/windows/deployment/volume-activation/kms-activation-vamt.md @@ -4,11 +4,11 @@ description: The Volume Activation Management Tool (VAMT) can be used to perform ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Perform KMS activation diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md index 51ac686f69..277342a97d 100644 --- a/windows/deployment/volume-activation/local-reactivation-vamt.md +++ b/windows/deployment/volume-activation/local-reactivation-vamt.md @@ -4,11 +4,11 @@ description: An initially activated a computer using scenarios like MAK, retail, ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Perform local reactivation diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 92fe7a7905..20fa3589f1 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -4,11 +4,11 @@ description: Learn how to manage activations and how to activate a client comput ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Manage Activations diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index 51995c11dc..ccaa432308 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -4,11 +4,11 @@ description: In this article, learn how to add and remove a product key from the ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Manage Product Keys diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index 174118be90..b1556b3af2 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md @@ -4,11 +4,11 @@ description: Learn how to save, import, export, and merge a Computer Information ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Manage VAMT Data diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 87357dbe84..e48768162a 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -4,11 +4,11 @@ ms.reviewer: nganguly manager: aaroncz ms.author: frankroj description: Understand the most common methods to monitor the success of the activation process for a computer running Windows. -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 11/07/2022 --- diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index 8ca7a4f5bd..537f46d71e 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -4,11 +4,11 @@ description: Learn how to use the Volume Activation Management Tool (VAMT) to en ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Perform online activation diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 71a14f511f..dee94991fe 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -4,11 +4,11 @@ description: Product activation is the process of validating software with the m ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 11/07/2022 --- diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index 756957a315..9e14cf5631 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md @@ -4,11 +4,11 @@ description: Perform proxy activation by using the Volume Activation Management ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Perform Proxy Activation diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index 1da6d8b48a..2b49facf89 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -4,11 +4,11 @@ description: Learn how you must delete products from the product list view so yo ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Remove products diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 414c9569db..0dc03e90e0 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md @@ -4,11 +4,11 @@ description: Learn how to use the Volume Activation Management Tool (VAMT) to ac ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Scenario 3: KMS client activation diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 8040430270..1f573be911 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -4,11 +4,11 @@ description: Achieve network access by deploying the Volume Activation Managemen ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Scenario 1: Online Activation diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index 61b958307c..654a67b2b3 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -4,11 +4,11 @@ description: Use the Volume Activation Management Tool (VAMT) to activate produc ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Scenario 2: Proxy Activation diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index 3a5330083f..713a1587f0 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md @@ -4,11 +4,11 @@ description: Learn how to use the Update license status function to add the prod ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Update product status diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index d086a0d8ca..9962ec8943 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -4,12 +4,12 @@ description: The Volume Activation Management Tool (VAMT) provides several usefu ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Use the Volume Activation Management Tool diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 776d1007ab..0add9fe565 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -4,11 +4,11 @@ description: Learn how to use Volume Activation Management Tool (VAMT) PowerShel ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Use VAMT in Windows PowerShell diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 4b52470719..a11eb40946 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -4,11 +4,11 @@ description: Find out the current known issues with the Volume Activation Manage ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # VAMT known issues diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index d66ce6f5a0..0080eb1275 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -4,11 +4,11 @@ description: In this article, learn about the product key and system requieremen ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # VAMT requirements diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index e085f009c8..d13bf3cb1e 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -4,11 +4,11 @@ description: Learn step-by-step instructions on implementing the Volume Activati ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # VAMT step-by-step scenarios diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index 6d157c6365..438e8f8684 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md @@ -4,8 +4,8 @@ description: The Volume Activation Management Tool (VAMT) enables network admini ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals author: frankroj ms.date: 11/07/2022 ms.topic: overview diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 3c213a2a45..a483753c32 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -4,12 +4,12 @@ description: Learn how to use volume activation to deploy & activate Windows 10. ms.reviewer: nganguly manager: aaroncz ms.author: frankroj -ms.prod: windows-client +ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 11/07/2022 ms.topic: article -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals --- # Volume Activation for Windows 10 diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 5c34ff5222..13ee0fd808 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -1,14 +1,14 @@ --- title: Windows Deployment Services (WDS) boot.wim support description: This article provides details on the support capabilities of WDS for end to end operating system deployment. -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz ms.topic: article ms.date: 11/23/2022 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Windows Deployment Services (WDS) boot.wim support diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 25168e8c14..aecea5c3dc 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -4,8 +4,8 @@ description: View and download Windows 10 deployment process flows for Microsoft manager: aaroncz author: frankroj ms.author: frankroj -ms.prod: windows-client -ms.technology: itpro-deploy +ms.service: windows-client +ms.subservice: itpro-deploy ms.localizationpriority: medium ms.topic: reference ms.date: 11/23/2022 diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index c216cfa830..a45b5e94dc 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -4,11 +4,11 @@ description: Understand the different ways Windows 10 operating system can be de manager: aaroncz ms.author: frankroj author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium ms.topic: article ms.date: 11/23/2022 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Windows 10 deployment scenarios @@ -94,7 +94,7 @@ There are some situations where you can't use in-place upgrade; in these situati - Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. -- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. +- Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. - Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 93cf409b93..7cfea55299 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -1,14 +1,14 @@ --- title: Windows 10/11 Enterprise E3 in CSP description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition. -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium ms.date: 11/23/2022 author: frankroj ms.author: frankroj manager: aaroncz ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Windows 10/11 Enterprise E3 in CSP diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 364c23a213..3ba1d1b034 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -1,14 +1,14 @@ --- title: How to install fonts missing after upgrading to Windows client description: Some of the fonts are missing from the system after you upgrade to Windows client. -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz ms.topic: article ms.date: 11/23/2022 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # How to install fonts that are missing after upgrading to Windows client diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md deleted file mode 100644 index 61823c8faa..0000000000 --- a/windows/deployment/windows-10-poc-mdt.md +++ /dev/null @@ -1,668 +0,0 @@ ---- -title: Step by step - Deploy Windows 10 in a test lab using MDT -description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT). -ms.prod: windows-client -ms.localizationpriority: medium -ms.date: 11/23/2022 -manager: aaroncz -ms.author: frankroj -author: frankroj -ms.topic: how-to -ms.technology: itpro-deploy ---- - -# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit - -*Applies to:* - -- Windows 10 - -> [!IMPORTANT] -> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: -> -> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) -> -> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: -> -> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): - -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. - -This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work. - -## In this guide - -This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image. - -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -|Topic|Description|Time| -|--- |--- |--- | -|[About MDT](#about-mdt)|A high-level overview of the Microsoft Deployment Toolkit (MDT).|Informational| -|[Install MDT](#install-mdt)|Download and install MDT.|40 minutes| -|[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)|A reference image is created to serve as the template for deploying new images.|90 minutes| -|[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)|The reference image is deployed in the PoC environment.|60 minutes| -|[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)|Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.|60 minutes| -|[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)|Back up an existing client computer, then restore this backup to a new computer.|60 minutes| -|[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)|Log locations and troubleshooting hints.|Informational| - -## About MDT - -MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. - -- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction. - -- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment. - -- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager. - -## Install MDT - -1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - - ```powershell - $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 - Stop-Process -Name Explorer - ``` - -1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. - -1. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. Installation might require several minutes to acquire all components. - -1. If desired, re-enable IE Enhanced Security Configuration: - - ```powershell - Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1 - Stop-Process -Name Explorer - ``` - -## Create a deployment share and reference image - -A reference image serves as the foundation for Windows 10 devices in your organization. - -1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command: - - ```powershell - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso - ``` - -2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D. - -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**. - -4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then select **Pin this program to the taskbar**. - -5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -6. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
    - - Share name: **MDTBuildLab$**
    - - Deployment share description: **MDT build lab**
    - - Options: Select **Next** to accept the default
    - - Summary: Select **Next**
    - - Progress: settings will be applied
    - - Confirmation: Select **Finish** - -7. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -8. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**. - -9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. - -10. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
    - - Source: **D:\\**
    - - Destination: **W10Ent_x64**
    - - Summary: Select **Next** - - Progress: wait for files to be copied - - Confirmation: Select **Finish** - - For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article. - -11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - - Task sequence ID: **REFW10X64-001**
    - - Task sequence name: **Windows 10 Enterprise x64 Default Image**
    - - Task sequence comments: **Reference Build**
    - - Template: **Standard Client Task Sequence** - - Select OS: Select **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: `http://www.contoso.com` - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: Select **Next** - - Confirmation: Select **Finish** - -12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -13. Select the **Task Sequence** tab. Under **State Restore** select **Tattoo** to highlight it, then select **Add** and choose **New Group**. - -14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. Select another location in the window to see the name change. - -15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**. - -16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. - -17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - - > [!NOTE] - > Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -18. Select **OK** to complete editing the task sequence. - -19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and select **Properties**, and then select the **Rules** tab. - -20. Replace the default rules with the following text: - - ```ini - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=NO - ``` - -21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ```ini - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -22. Select **OK** to complete the configuration of the deployment share. - -23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**. - -24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, select **Finish**. - -25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). - - > [!TIP] - > To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands: - - ```powershell - New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB - Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 - Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso - Start-VM REFW10X64-001 - vmconnect localhost REFW10X64-001 - ``` - - The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. - -27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. - -28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine.

    - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**. - -## Deploy a Windows 10 image using MDT - -This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. - -1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard: - - - **Deployment share path**: C:\MDTProd - - **Share name**: MDTProd$ - - **Deployment share description**: MDT Production - - **Options**: accept the default - -2. Select **Next**, verify the new deployment share was added successfully, then select **Finish**. - -3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then select **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. - -4. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. - -5. On the **OS Type** page, choose **Custom image file** and then select **Next**. - -6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**. - -7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. - -8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**. - -9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, select **Next** twice, wait for the import process to complete, and then select **Finish**. - -10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then select **OK**. See the following example: - - ![custom image.](images/image.png) - -### Create the deployment task sequence - -1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**. - -2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - - Task sequence ID: W10-X64-001 - - Task sequence name: Windows 10 Enterprise x64 Custom Image - - Task sequence comments: Production Image - - Select Template: Standard Client Task Sequence - - Select OS: Windows 10 Enterprise x64 Custom Image - - Specify Product Key: Don't specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: `http://www.contoso.com` - - Admin Password: pass@word1 - -### Configure the MDT production deployment share - -1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands: - - ```powershell - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force - ``` - -2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**. - -3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet): - - ```ini - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - AdminPassword=pass@word1 - JoinDomain=contoso.com - DomainAdmin=administrator - DomainAdminDomain=CONTOSO - DomainAdminPassword=pass@word1 - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - EventService=http://SRV1:9800 - ``` - - > [!NOTE] - > The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. - - In this example, a **MachineObjectOU** entry isn't provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab, clients are added to the default computers OU, which requires that this parameter be unspecified. - - If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui): - - ```cmd - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - ``` - - For example, to migrate **all** users on the computer, replace this line with the following line: - - ```cmd - ScanStateArgs=/all - ``` - - For more information, see [ScanState Syntax](/windows/deployment/usmt/usmt-scanstate-syntax). - -4. Select **Edit Bootstap.ini** and replace text in the file with the following text: - - ```ini - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTProd$ - UserDomain=CONTOSO - UserID=MDT_BA - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -5. Select **OK** when finished. - -### Update the deployment share - -1. Right-click the **MDT Production** deployment share and then select **Update Deployment Share**. - -2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. - -3. Select **Finish** when the update is complete. - -### Enable deployment monitoring - -1. In the Deployment Workbench console, right-click **MDT Production** and then select **Properties**. - -2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**. - -3. Verify the monitoring service is working as expected by opening the following link on SRV1: `http://localhost:9800/MDTMonitorEvent/`. If you don't see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](/archive/blogs/mniehaus/troubleshooting-mdt-2012-monitoring). - -4. Close Internet Explorer. - -### Configure Windows Deployment Services - -1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: - - ```cmd - WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" - WDSUTIL.exe /Set-Server /AnswerClients:All - ``` - -2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**. - -3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then select **Add Boot Image**. - -4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, select **Open**, select **Next**, and accept the defaults in the Add Image Wizard. Select **Finish** to complete adding a boot image. - -### Deploy the client image - -1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway. - - > [!NOTE] - > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt. - - Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command: - - ```powershell - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - >Wait until the disable-netadapter command completes before proceeding. - -2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt: - - ```powershell - New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 - ``` - - Dynamic memory is configured on the VM to conserve resources. However, dynamic memory can cause memory allocation to be reduced below what is required to install an operating system. If memory is reduced below what is required, reset the VM and begin the OS installation task sequence immediately. The reset ensures the VM memory allocation isn't decreased too much while it's idle. - -3. Start the new VM and connect to it: - - ```powershell - Start-VM PC2 - vmconnect localhost PC2 - ``` - -4. When prompted, hit ENTER to start the network boot process. - -5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**. - -6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command: - - ```powershell - Enable-NetAdapter "Ethernet 2" - ``` - -7. On SRV1, in the Deployment Workbench console, select on **Monitoring** and view the status of installation. Right-click **Monitoring** and select **Refresh** if no data is displayed. - -8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, select **Finish**. You'll be automatically signed in to the local computer as administrator. - - ![finish.](images/deploy-finish.png) - -This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section. - -## Refresh a computer with Windows 10 - -This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). - -1. If the PC1 VM isn't already running, then start and connect to it: - - ```powershell - Start-VM PC1 - vmconnect localhost PC1 - ``` - -2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ```powershell - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -3. Sign on to PC1 using the CONTOSO\Administrator account. - - Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. - -4. Open an elevated command prompt on PC1 and enter the following command: - - ```cmd - cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` - - > [!NOTE] - > For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools). - -5. Choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**. - -6. Choose **Do not back up the existing computer** and select **Next**. - - > [!NOTE] - > The USMT will still back up the computer. - -7. Lite Touch Installation will perform the following actions: - - Back up user settings and data using USMT. - - Install the Windows 10 Enterprise X64 operating system. - - Update the operating system via Windows Update. - - Restore user settings and data using USMT. - - You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. - -8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). - -9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ```powershell - Checkpoint-VM -Name PC1 -SnapshotName RefreshState - ``` - -10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ```powershell - Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false - Start-VM PC1 - vmconnect localhost PC1 - ``` - -11. Sign in to PC1 using the contoso\administrator account. - -## Replace a computer with Windows 10 - -At a high level, the computer replace process consists of: - -- A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.
    -- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. - -### Create a backup-only task sequence - -1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. - -2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share. - -3. enter the following commands at an elevated Windows PowerShell prompt on SRV1: - - ```powershell - New-Item -Path C:\MigData -ItemType directory - New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE - icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' - ``` - -4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**. - -5. Name the new folder **Other**, and complete the wizard using default options. - -6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard: - - - **Task sequence ID**: REPLACE-001 - - **Task sequence name**: Backup Only Task Sequence - - **Task sequence comments**: Run USMT to back up user data and settings - - **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template) - -7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings. - -8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence. - -### Run the backup-only task sequence - -1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt: - - ```cmd - whoami.exe - ``` - -2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1: - - ```powershell - Remove-Item c:\minint -recurse - Remove-Item c:\_SMSTaskSequence -recurse - Restart-Computer - ``` - -3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt: - - ```cmd - cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` - -4. Complete the deployment wizard using the following settings: - - - **Task Sequence**: Backup Only Task Sequence - - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - - **Computer Backup**: Don't back up the existing computer. - -5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. - -6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete. - -7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - - ```cmd - dir C:\MigData\PC1\USMT - - Directory: C:\MigData\PC1\USMT - - Mode LastWriteTime Length Name - ---- ------------- ------ ---- - -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG - ``` - -### Deploy PC3 - -1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt: - - ```powershell - New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - ``` - -2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1: - - ```powershell - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - - As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. - -3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ```powershell - Start-VM PC3 - vmconnect localhost PC3 - ``` - -4. When prompted, press ENTER for network boot. - -5. On PC3, use the following settings for the Windows Deployment Wizard: - - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - - **Move Data and Settings**: Don't move user data and settings - - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** - -6. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: - - ```powershell - Enable-NetAdapter "Ethernet 2" - ``` - -7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. - -8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, select **Finish**. - -9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. - -10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. - -## Troubleshooting logs, events, and utilities - -Deployment logs are available on the client computer in the following locations: - -- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS -- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS -- After deployment: %WINDIR%\TEMP\DeploymentLogs - -You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then select **Enable Log**. - -Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. - -## Related articles - -[Microsoft Deployment Toolkit](/mem/configmgr/mdt/) - -[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index d3c1320d86..0ea49d8ff8 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -1,8 +1,8 @@ --- title: Steps to deploy Windows 10 with Configuration Manager description: Learn how to deploy Windows 10 in a test lab using Microsoft Configuration Manager. -ms.prod: windows-client -ms.technology: itpro-deploy +ms.service: windows-client +ms.subservice: itpro-deploy ms.localizationpriority: medium manager: aaroncz ms.author: frankroj diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 11b304e822..2ce3939cc7 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -4,8 +4,8 @@ description: Learn about concepts and procedures for deploying Windows 10 in a p manager: aaroncz ms.author: frankroj author: frankroj -ms.prod: windows-client -ms.technology: itpro-deploy +ms.service: windows-client +ms.subservice: itpro-deploy ms.localizationpriority: medium ms.topic: tutorial ms.date: 11/23/2022 diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index d2bf8bb55d..82bb386aa3 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -5,10 +5,10 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.localizationpriority: medium -ms.prod: windows-client +ms.service: windows-client ms.topic: article ms.date: 11/23/2022 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Switch to Windows 10 Pro or Enterprise from S mode diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index b5fc8eb923..53e3545bcc 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,8 +1,8 @@ --- title: Windows subscription activation description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions. -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.localizationpriority: medium author: frankroj ms.author: frankroj diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index f38cf33ebe..62fb152578 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -4,11 +4,11 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to author: frankroj ms.author: frankroj manager: aaroncz -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium ms.date: 11/23/2022 ms.topic: article -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Windows ADK for Windows 10 scenarios for IT Pros diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index e6232ddc8f..1592090c59 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -130,6 +130,8 @@ - name: What's new href: items: + - name: What's new 2024 + href: whats-new/windows-autopatch-whats-new-2024.md - name: What's new 2023 href: whats-new/windows-autopatch-whats-new-2023.md - name: What's new 2022 diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md index 3e70bd954a..ad9a0f5cd6 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md @@ -2,8 +2,8 @@ title: Add and verify admin contacts description: This article explains how to add and verify admin contacts ms.date: 09/15/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index f9ce34d2ae..8b6b068ad3 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -2,8 +2,8 @@ title: Device registration overview description: This article provides an overview on how to register devices in Autopatch ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index ed02a37c7c..a6c9f21e50 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -2,8 +2,8 @@ title: Manage Windows Autopatch groups description: This article explains how to manage Autopatch groups ms.date: 12/13/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md index b482faa489..e2bea8f124 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md @@ -2,8 +2,8 @@ title: Windows Autopatch groups overview description: This article explains what Autopatch groups are ms.date: 07/20/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index e41d8e60f4..3b645bbe9a 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -2,8 +2,8 @@ title: Post-device registration readiness checks description: This article details how post-device registration readiness checks are performed in Windows Autopatch ms.date: 09/16/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 4cb39e3d34..eb42feb07c 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -2,8 +2,8 @@ title: Register your devices description: This article details how to register devices in Autopatch ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml index c79efcf511..85e775ab5f 100644 --- a/windows/deployment/windows-autopatch/index.yml +++ b/windows/deployment/windows-autopatch/index.yml @@ -12,11 +12,12 @@ metadata: ms.author: tiaraquan #Required; microsoft alias of author; optional team alias. manager: dougeby ms.date: 05/30/2022 #Required; mm/dd/yyyy format. - ms.prod: windows-client - ms.technology: itpro-updates + ms.service: windows-client + ms.subservice: itpro-updates ms.collection: - highpri - tier2 + - essentials-navigation # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md index 563e6370c5..580ce1d51e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md @@ -2,8 +2,8 @@ title: Device alerts description: Provide notifications and information about the necessary steps to keep your devices up to date. ms.date: 08/01/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md index 5aadb310ef..7b7842753d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md @@ -2,8 +2,8 @@ title: Microsoft Edge description: This article explains how Microsoft Edge updates are managed in Windows Autopatch ms.date: 09/15/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md index 843b7e8d3c..2d999981a9 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md @@ -2,8 +2,8 @@ title: Exclude a device description: This article explains how to exclude a device from the Windows Autopatch service ms.date: 08/08/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md index 0a4f67979c..da98fc8493 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md @@ -2,8 +2,8 @@ title: Manage Windows feature update releases description: This article explains how you can manage Windows feature updates with Autopatch groups ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md index 66164cc373..d8a1374a2e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md @@ -2,8 +2,8 @@ title: Software update management for Autopatch groups description: This article provides an overview of how updates are handled with Autopatch groups ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: overview ms.localizationpriority: medium author: tiaraquan @@ -13,6 +13,7 @@ ms.reviewer: andredm7 ms.collection: - highpri - tier1 + - essentials-manage --- # Software update management diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md index 8ffc66a28a..576ea5c4fd 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md @@ -2,8 +2,8 @@ title: Windows feature updates overview description: This article explains how Windows feature updates are managed with Autopatch groups ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md index 8fe50bb86f..2eca3870a8 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md @@ -2,8 +2,8 @@ title: Feature update status report description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md index 6f8527fdc9..b17907bbd8 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md @@ -2,8 +2,8 @@ title: Windows feature update summary dashboard description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. ms.date: 10/11/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md index fba33aa57e..48b01d086c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md @@ -2,8 +2,8 @@ title: Feature update trending report description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md index 880f821953..1b621ea6a9 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md @@ -2,8 +2,8 @@ title: Windows quality and feature update reports overview description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch groups ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md index 07094d7204..a7d1e463bf 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md @@ -2,8 +2,8 @@ title: Windows quality update communications for Autopatch groups description: This article explains Windows quality update communications for Autopatch groups ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md index 3459608d52..5a8a4e050e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md @@ -2,8 +2,8 @@ title: Windows quality update end user experience for Autopatch groups description: This article explains the Windows quality update end user experience using the Autopatch groups exp ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md index 6082093e6d..4a50210c21 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md @@ -1,9 +1,9 @@ --- title: Windows quality updates overview with Autopatch groups experience description: This article explains how Windows quality updates are managed with Autopatch groups -ms.date: 08/23/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.date: 01/22/2024 +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan @@ -34,11 +34,82 @@ For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups- ## Service level objective -Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. Devices that have cadence type set to Schedule install aren't eligible for Windows quality update SLO. For more information about the Schedule Install cadence type, see [Deployment cadence types](../operate/windows-autopatch-groups-windows-update.md#deployment-cadence). +Windows Autopatch aims to keep at least 95% of [Up to Date devices](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO). The result of the service level objective is the column “% with the latest quality update” displayed in release management and reporting. + +### Service level objective calculation + +There are two states a device can be in when calculating the service level objective (SLO): + +- Devices that are active during the release +- Devices that become active after the release + +The service level objective for each of these states is calculated as: + +| State | Calculation | +| ----- | ----- | +| Device that is active during release | This service level objective calculation assumes the device has typical activity during the scheduled release period. Calculated by:

    `Deferral + Deadline + Reporting Period = service level objective`

    | +| Device that becomes active after release | This service level objective calculation refers to offline devices during the scheduled release period but come back online later. Calculated by:

    `Grace Period + Reporting period = service level objective`

    | + +| Timeframe | Value defined in | +| ----- | ----- | +| Deferral | Targeted deployment ring | +| Deadline | Targeted deployment ring | +| Grace period | Targeted deployment ring | +| Reporting period | Five days. Value defined by Windows Autopatch. | + +> [!NOTE] +> Targeted deployment ring refers to the deployment ring value of the device in question. If a device has a five day deferral with a two day deadline, and two day grace period, the SLO for the device would be calculated to `5 + 2 + 5 = 12`-day service level objective from the second Tuesday of the month. The five day reporting period is one established by Windows Autopatch to allow enough time for device check-in reporting and data evaluation within the service. > [!IMPORTANT] > Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. +## Import Update rings for Windows 10 and later (public preview) + +> [!IMPORTANT] +> This feature is in **public preview**. It's being actively developed, and might not be complete. + +You can import your organization’s existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization’s Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization’s existing update rings.  + +Imported rings automatically register all targeted devices into Windows Autopatch. For more information about device registration, see the [device registration workflow diagram](../deploy/windows-autopatch-device-registration-overview.md#detailed-device-registration-workflow-diagram). + +> [!NOTE] +> Devices which are registered as part of an imported ring, might take up to 72 hours after the devices have received the latest version of the policy, to be reflected in Windows Autopatch devices blade and reporting. For more information about reporting, see [Windows quality and feature update reports overview](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md). + +> [!NOTE] +> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch’s ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../operate/windows-autopatch-support-request.md). + +### Import Update rings for Windows 10 and later + +**To import Update rings for Windows 10 and later:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).  +2. Select **Devices** from the left navigation menu.  +3. Under the **Windows Autopatch** section, select **Release management**.  +4. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**.  +5. Select **Import Update rings for Windows 10 and later**.  +6. Select the existing rings you would like to import.  +7. Select **Import**. + +### Remove an imported Update ring for Windows 10 and later + +**To remove an Imported Update rings for Windows 10 and later:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).  +2. Select **Devices** from the left navigation menu.  +3. Under the **Windows Autopatch** section, select **Release management**.  +4. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**.  +5. Select the Update rings for Windows 10 and later you would like to remove.  +6. Select the **horizontal ellipses (...)** and select **Remove**. + +### Known limitations + +The following Windows Autopatch features aren't available with imported Intune Update rings:  + +- Autopatch groups and features dependent on Autopatch groups  +- Moving devices in between deployment rings in devices +- Automated deployment ring remediation functions  +- Policy health and remediation + ## Release management > [!NOTE] @@ -54,14 +125,14 @@ In the Release management blade, you can: For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains: -- The status of the update. Releases appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf. +- The status of the update. Releases appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which are configured on your behalf. - The date the update is available. - The target completion date of the update. - In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pause-and-resume-a-release) a Windows quality update release. ### Expedited releases -Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release. +Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it might be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch might choose to expedite at any time during the release. When expediting a release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly. @@ -104,7 +175,7 @@ For the deployment rings that have passed quality updates deferral date, the OOB The service-level pause is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft. -If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-groups-windows-quality-update-signals.md), we may decide to pause that release. +If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-groups-windows-quality-update-signals.md), we might decide to pause that release. > [!IMPORTANT] > Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

    For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

    @@ -125,8 +196,8 @@ The three following statuses are associated with paused quality updates: | Status | Description | | ----- | ------ | -| Paused by Service | If the Windows Autopatch service has paused an update, the release has the **Paused by Service** status. The Paused by Service only applies to rings that aren't Paused by the Tenant. | -| Paused by Tenant | If you've paused an update, the release has the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. | +| Paused by Service | If the Windows Autopatch service paused an update, the release has the **Paused by Service** status. The **Paused by Service** status only applies to rings that aren't Paused by the Tenant. | +| Paused by Tenant | If you paused an update, the release has the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. | ## Remediating Not ready and/or Not up to Date devices diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md index aa8e2f4e82..167b47ea89 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md @@ -2,8 +2,8 @@ title: Windows quality update release signals with Autopatch groups description: This article explains the Windows quality update release signals with Autopatch groups ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md index af916925f0..1e0d0df041 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md @@ -2,8 +2,8 @@ title: Quality update status report description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices with Autopatch groups. ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md index e744f0c407..7fcb83c86f 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md @@ -2,8 +2,8 @@ title: Windows quality update summary dashboard description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups ms.date: 10/04/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md index 71b96ec441..335e48b515 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md @@ -2,8 +2,8 @@ title: Quality update trending report description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups. ms.date: 09/01/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md index 9f63be7938..eb838e0137 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md @@ -2,8 +2,8 @@ title: Customize Windows Update settings Autopatch groups experience description: How to customize Windows Updates with Autopatch groups ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index fe9d6b3321..9dc0a3c904 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md @@ -2,8 +2,8 @@ title: Maintain the Windows Autopatch environment description: This article details how to maintain the Windows Autopatch environment ms.date: 09/15/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan @@ -13,6 +13,7 @@ ms.reviewer: smithcharles ms.collection: - highpri - tier1 + - essentials-manage --- # Maintain the Windows Autopatch environment diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md index 041df4c91f..ce07a487cf 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md @@ -2,8 +2,8 @@ title: Manage driver and firmware updates description: This article explains how you can manage driver and firmware updates with Windows Autopatch ms.date: 08/22/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 3120c809f3..fe3318ac6a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -2,8 +2,8 @@ title: Microsoft 365 Apps for enterprise description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates ms.date: 10/27/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md index d998b1df2c..884e726610 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md @@ -2,8 +2,8 @@ title: policy health and remediation description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service ms.date: 07/25/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan @@ -13,6 +13,7 @@ ms.reviewer: rekhanr ms.collection: - highpri - tier1 + - essentials-manage --- # Policy health and remediation diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md index 20c341551a..788caa8a4c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md @@ -2,8 +2,8 @@ title: Submit a support request description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests ms.date: 09/06/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md index 21a44e576c..add843c19b 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md @@ -2,8 +2,8 @@ title: Microsoft Teams description: This article explains how Microsoft Teams updates are managed in Windows Autopatch ms.date: 09/15/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index 2c89d2a8ce..2809bda9c5 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -2,8 +2,8 @@ title: Unenroll your tenant description: This article explains what unenrollment means for your organization and what actions you must take. ms.date: 08/08/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index 7fc5bce674..a54e3315bc 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -2,8 +2,8 @@ title: Windows Autopatch deployment guide description: This guide explains how to successfully deploy Windows Autopatch in your environment ms.date: 08/24/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan @@ -12,6 +12,7 @@ manager: dougeby ms.reviewer: hathind ms.collection: - tier2 + - essentials-get-started --- # Windows Autopatch deployment guide diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 3f0e20c935..c3b5f2432d 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -2,7 +2,7 @@ metadata: title: Windows Autopatch - Frequently Asked Questions (FAQ) description: Answers to frequently asked questions about Windows Autopatch. - ms.prod: windows-client + ms.service: windows-client ms.topic: faq ms.date: 12/04/2023 audience: itpro @@ -11,7 +11,7 @@ metadata: author: tiaraquan ms.author: tiaraquan ms.reviwer: hathind - ms.technology: itpro-updates + ms.subservice: itpro-updates title: Frequently Asked Questions about Windows Autopatch summary: This article answers frequently asked questions about Windows Autopatch. sections: diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index 62ac288ad4..b20e87d864 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -2,8 +2,8 @@ title: What is Windows Autopatch? description: Details what the service is and shortcuts to articles. ms.date: 08/08/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan @@ -12,6 +12,7 @@ manager: dougeby ms.collection: - highpri - tier1 + - essentials-overview ms.reviewer: hathind --- diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 0e481d7a66..17f1503d40 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -2,8 +2,8 @@ title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch ms.date: 09/13/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference ms.localizationpriority: medium author: tiaraquan @@ -13,6 +13,7 @@ ms.reviewer: hathind ms.collection: - highpri - tier1 + - essentials-privacy --- # Privacy diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 5ac998067b..a58a816e1d 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -2,8 +2,8 @@ title: Roles and responsibilities description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do ms.date: 08/31/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md index c7695ea433..a682ec9b87 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md @@ -2,8 +2,8 @@ title: Configure your network description: This article details the network configurations needed for Windows Autopatch ms.date: 09/15/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 95f0ed85fc..8665175196 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -2,8 +2,8 @@ title: Enroll your tenant description: This article details how to enroll your tenant ms.date: 09/15/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md index bc26753af7..5250f979ca 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md @@ -2,8 +2,8 @@ title: Submit a tenant enrollment support request description: This article details how to submit a tenant enrollment support request ms.date: 09/13/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index f7a2045294..b7e91d3f26 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -2,8 +2,8 @@ title: Fix issues found by the Readiness assessment tool description: This article details how to fix issues found by the Readiness assessment tool. ms.date: 09/12/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index f1351f3709..f6579437b7 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,9 +1,9 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 12/04/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.date: 01/11/2024 +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan @@ -36,12 +36,19 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b | [Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 | | [Microsoft 365 E3 (500 seats minimum_HUB)](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E3 | 0c21030a-7e60-4ec7-9a0f-0042e0e0211a | | [Microsoft 365 E3 - Unattended License](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_RPA1 | c2ac2ee4-9bb1-47e4-8541-d689c7e83371 | +| Microsoft 365 E3 EEA (no Teams) - Unattended License | Microsoft_365_E3_EEA_(no_Teams)_Unattended_License | a23dbafb-3396-48b3-ad9c-a304fe206043 | +| Microsoft 365 E3 EEA (no Teams) (500 seats min)_HUB | O365_w/o Teams Bundle_M3_(500_seats_min)_HUB | 602e6573-55a3-46b1-a1a0-cc267991501a | +| [TEST - Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_TEST | 23a55cbc-971c-4ba2-8bae-04cd13d2f4ad | | [Microsoft 365 E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5 | 06ebc4ee-1bb5-47dd-8120-11324bc54e06 | | [Microsoft 365 E5 (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5 | db684ac5-c0e7-4f92-8284-ef9ebde75d33 | | [Microsoft 365 E5 with calling minutes](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_CALLINGMINUTES | a91fc4e0-65e5-4266-aa76-4037509c1626 | | [Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF | cd2925a3-5076-4233-8931-638a8c94f773 | | [Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5_without_Audio_Conferencing | 2113661c-6509-4034-98bb-9c47bd28d63c | -| [TEST - Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_TEST | 23a55cbc-971c-4ba2-8bae-04cd13d2f4ad | +| Microsoft 365 E5 EEA (no Teams) | O365_w/o_Teams_Bundle_M5 |3271cf8e-2be5-4a09-a549-70fd05baaa17 | +| Microsoft 365 E5 EEA (no Teams) with Calling Minutes | Microsoft_365_E5_EEA_(no_Teams)_with_Calling_Minutes | 6ee4114a-9b2d-4577-9e7a-49fa43d222d3 | +| Microsoft 365 E5 EEA (no Teams) without Audio Conferencing | Microsoft_365_E5_EEA_(no_Teams)_without_Audio_Conferencing | 90277bc7-a6fe-4181-99d8-712b08b8d32b | +| Microsoft 365 E5 EEA (no Teams) without Audio Conferencing (500 seats min)_HUB | Microsoft_365_E5_EEA_(no_Teams)_without_Audio_Conferencing_(500_seats_min)_HUB | a640eead-25f6-4bec-97e3-23cfd382d7c2 | +| Microsoft 365 E5 EEA (no Teams) (500 seats min)_HUB | O365_w/o_Teams_Bundle_M5_(500_seats_min)_HUB | 1e988bf3-8b7c-4731-bec0-4e2a2946600c | | [TEST - Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF_TEST | 1362a0d9-b3c2-4112-bf1a-7a838d181c0f | | [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a | | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index be2b2ce1b9..c428363ee4 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -2,8 +2,8 @@ title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch ms.date: 12/13/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: reference ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md index 865f6c15c9..1d2b8bcc4c 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md @@ -2,8 +2,8 @@ title: Conflicting configurations description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service. ms.date: 09/05/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md index 21d90312fd..7f6dae1761 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md @@ -2,8 +2,8 @@ title: Driver and firmware updates for Windows Autopatch Public Preview Addendum description: This article explains how driver and firmware updates are managed in Autopatch ms.date: 06/26/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md index 2534e971d5..df14a0c2d1 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md @@ -2,8 +2,8 @@ title: Microsoft 365 Apps for enterprise update policies description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch ms.date: 06/23/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md index e72d9e8042..dc612871a2 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md @@ -2,8 +2,8 @@ title: Windows update policies description: This article explains Windows update policies in Windows Autopatch ms.date: 09/02/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: conceptual ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md index dc5d2ccde2..e3dbdc77e2 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md @@ -2,8 +2,8 @@ title: What's new 2022 description: This article lists the 2022 feature releases and any corresponding Message center post numbers. ms.date: 12/09/2022 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: whats-new ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index c47bb6418b..9ef78db499 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -2,8 +2,8 @@ title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. ms.date: 12/14/2023 -ms.prod: windows-client -ms.technology: itpro-updates +ms.service: windows-client +ms.subservice: itpro-updates ms.topic: whats-new ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md new file mode 100644 index 0000000000..718ac4437b --- /dev/null +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md @@ -0,0 +1,38 @@ +--- +title: What's new 2024 +description: This article lists the 2024 feature releases and any corresponding Message center post numbers. +ms.date: 01/22/2024 +ms.service: windows-client +ms.subservice: itpro-updates +ms.topic: whats-new +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: hathind +ms.collection: + - highpri + - tier1 +--- + +# What's new 2024 + +This article lists new and updated feature releases, and service releases, with their corresponding Message center post numbers (if applicable). + +Minor corrections such as typos, style, or formatting issues aren't listed. + +## January 2024 + +### January feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | Added [Import Update rings for Windows 10 and later](../operate/windows-autopatch-groups-windows-quality-update-overview.md#import-update-rings-for-windows-10-and-later-public-preview) | +| [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective) | Updated the Service level objective, added the Service level objective calculation. | +| [Prerequisites](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | Added more E3 and E5 licenses to the [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) section. | + +## January service releases + +| Message center post number | Description | +| ----- | ----- | +| [MC708071](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service Improvements | diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index b6ac225f0e..89a7b65ab6 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -4,10 +4,10 @@ description: Learn about the tools you can use to deploy Windows 10 and related manager: aaroncz ms.author: frankroj author: frankroj -ms.prod: windows-client +ms.service: windows-client ms.topic: article ms.date: 11/23/2022 -ms.technology: itpro-deploy +ms.subservice: itpro-deploy --- # Windows 10 deployment scenarios and tools diff --git a/windows/hub/index.yml b/windows/hub/index.yml index e651c1901d..51c7c76e38 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -11,6 +11,7 @@ metadata: ms.prod: windows-client ms.collection: - tier1 + - essentials-navigation author: paolomatarazzo ms.author: paoloma manager: aaroncz diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 5187258157..3aa78b5848 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -1,8 +1,8 @@ --- title: Diagnostic Data Viewer for PowerShell Overview (Windows 10) description: Use this article to use the Diagnostic Data Viewer for PowerShell to review the diagnostic data sent to Microsoft by your device. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index c574ccb678..55ed54b6bd 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1,8 +1,8 @@ --- description: Learn more about the Windows 10, version 1703 diagnostic data gathered at the basic level. title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10) -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy localizationpriority: medium author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index f4ff30a23c..9e654c4f7c 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -1,8 +1,8 @@ --- description: Learn more about the Windows 10, version 1709 diagnostic data gathered at the basic level. title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy localizationpriority: medium author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index f5bdec7600..9a5fa7bcfb 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -1,8 +1,8 @@ --- description: Learn more about the Windows 10, version 1803 diagnostic data gathered at the basic level. title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10) -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy localizationpriority: medium author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 56be393273..c047c5d610 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,8 +1,8 @@ --- description: Learn more about the Windows 10, version 1809 diagnostic data gathered at the basic level. title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 875429c841..749915474a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -1,8 +1,8 @@ --- description: Learn more about the Windows 10, version 1903 diagnostic data gathered at the basic level. title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10) -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy localizationpriority: medium author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 0eb6b38dc9..4815879665 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -1,8 +1,8 @@ --- title: Changes to Windows diagnostic data collection description: This article provides information on changes to Windows diagnostic data collection Windows 10 and Windows 11. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index c47bf6303c..638225c604 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -1,8 +1,8 @@ --- description: Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. title: Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/copilot-supplemental-terms.md b/windows/privacy/copilot-supplemental-terms.md index caf816b1d7..69ce081127 100644 --- a/windows/privacy/copilot-supplemental-terms.md +++ b/windows/privacy/copilot-supplemental-terms.md @@ -1,8 +1,8 @@ --- title: COPILOT IN WINDOWS (PREVIEW) SUPPLEMENTAL TERMS description: The Supplemental Terms for Copilot in Windows (Preview) -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: medium author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index df75c73dc5..040d37454e 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -1,8 +1,8 @@ --- title: Diagnostic Data Viewer Overview (Windows 10 and Windows 11) description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index b8bd28080f..c31afd7cdc 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -1,8 +1,8 @@ --- title: Enhanced diagnostic data required by Windows Analytics (Windows 10) description: Use this article to learn more about the limit enhanced diagnostic data events policy used by Desktop Analytics -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index a16d53210c..f397b8c180 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -1,8 +1,8 @@ --- title: Essential services and connected experiences for Windows description: Explains what the essential services and connected experiences are for Windows -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index a6892742ba..149f150ae7 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -9,7 +9,9 @@ metadata: description: Learn about how privacy is managed in Windows. ms.prod: windows-client ms.topic: hub-page # Required - ms.collection: highpri + ms.collection: + - highpri + - essentials-privacy author: DHB-MSFT ms.author: danbrown manager: laurawi diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index cf953e1759..45d6b7c45e 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -1,8 +1,8 @@ --- title: Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server description: Use MDM CSPs to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c487f33918..e5ca2312fd 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1,8 +1,8 @@ --- title: Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 79bba0d70f..fa51d0f255 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -1,8 +1,8 @@ --- title: Connection endpoints for Windows 11 Enterprise description: Explains what Windows 11 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 11. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 8b7dd967e8..1bebf8277d 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -1,8 +1,8 @@ --- title: Connection endpoints for Windows 10, version 1809 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1809. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -296,7 +296,6 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| | | HTTP | `storeedgefd.dsx.mp.microsoft.com` | -| | HTTP \ HTTPS | `pti.store.microsoft.com` | ||TLS v1.2| `cy2.*.md.mp.microsoft.com.*.` | | svchost | HTTPS | `displaycatalog.mp.microsoft.com` | diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index fe97fc1a69..7f7c6dc96f 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -1,8 +1,8 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 1903 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1903. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -26,15 +26,15 @@ Some Windows components, app, and related services transfer data to Microsoft ne This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. +Where applicable, each endpoint covered in this article includes a link to the specific details on how to control that traffic. The following methodology was used to derive these network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory. 6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. @@ -50,11 +50,11 @@ The following methodology was used to derive these network endpoints: ||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|`blob.weather.microsoft.com`| |||HTTP|tile-service.weather.microsoft.com| |||HTTP|tile-service.weather.microsoft.com| -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US| -||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| -||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| -||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US| +||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| +||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| +||The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|wallet.microsoft.com| ||The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for this endpoint, apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.|HTTPS|mediaredirect.microsoft.com| ||The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the Microsoft Store.|HTTPS|int.whiteboard.microsoft.com| |||HTTPS|wbd.ms| @@ -63,11 +63,11 @@ The following methodology was used to derive these network endpoints: |Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| |||HTTPS|ris-prod-atm.trafficmanager.net| |||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| -||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com| -||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client| +||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you'll block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client| |||HTTPS|www.bing.com| |||HTTPS|www.bing.com/proactive| |||HTTPS|www.bing.com/threshold/xls.aspx| @@ -77,40 +77,39 @@ The following methodology was used to derive these network endpoints: |||HTTP|odinvzc.azureedge.net| |||HTTP|spo-ring.msedge.net| |Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*| |Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| -||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata won't be updated for the device.|HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||HTTP|v10.events.data.microsoft.com| |||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| |||HTTP|www.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com| |||HTTP|cs11.wpc.v0cdn.net| |||HTTPS|cs1137.wpc.gammacdn.net| |||TLS v1.2|modern.watson.data.microsoft.com*| |||HTTPS|watson.telemetry.microsoft.com| |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| |||HTTPS|*licensing.mp.microsoft.com*| -|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location)| +|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps can't use location data. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location)| |||HTTPS|inference.location.live.net| |||HTTP|location-inference-westus.cloudapp.net| |Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| -||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps won't be updated.|HTTPS|*g.akamaiedge.net| |||HTTP|*maps.windows.com*| |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| -||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| |||HTTP|us.configsvc1.live.com.akadns.net| |Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| |||HTTP|www.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| -||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| -||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*| +||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps can't be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*| |||HTTPS|store-images.microsoft.com| -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLS v1.2|*.md.mp.microsoft.com*| |||HTTPS|*displaycatalog.mp.microsoft.com| -|||HTTP \ HTTPS|pti.store.microsoft.com| |||HTTP|storeedgefd.dsx.mp.microsoft.com| |||HTTP|markets.books.microsoft.com| |||HTTP |share.microsoft.com| @@ -139,30 +138,30 @@ The following methodology was used to derive these network endpoints: |||HTTPS|cy2.settings.data.microsoft.com.akadns.net| |||HTTPS|settings.data.microsoft.com| |||HTTPS|settings-win.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| |||HTTPS|browser.pipe.aria.microsoft.com| |||HTTP|config.edge.skype.com| |||HTTP|s2s.config.skype.com| |||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net| -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| |||HTTPS|wdcp.microsoft.com| |||HTTPS|definitionupdates.microsoft.com| |||HTTPS|go.microsoft.com| -||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com| +||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications won't appear.|HTTPS|*smartscreen.microsoft.com| |||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| |||HTTPS|unitedstates.smartscreen-prod.microsoft.com| -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| |||TLS v1.2|*.search.msn.com| |||HTTPS|arc.msn.com| |||HTTPS|g.msn.com*| |||HTTPS|query.prod.cms.rt.microsoft.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| |||HTTPS|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device won't be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device won't be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com| |||HTTPS|*.update.microsoft.com| ||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|HTTPS|tsfe.trafficshaping.dsp.mp.microsoft.com| diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index 118a25fb5c..8bef710db9 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md @@ -1,8 +1,8 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 1909 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1909. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -25,15 +25,15 @@ Some Windows components, app, and related services transfer data to Microsoft ne - Using your location to show a weather forecast. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. +Where applicable, each endpoint covered in this article includes a link to the specific details on how to control that traffic. The following methodology was used to derive these network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory. 6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. @@ -46,40 +46,39 @@ The following methodology was used to derive these network endpoints: |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| -||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| |||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall| -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net| -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| -||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*| |||HTTPS|www.bing.com/client/config| |||TLS v1.2|fp.msedge.net| |Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||HTTP|v10.events.data.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|*.telecommand.telemetry.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft.|HTTPS|*.telecommand.telemetry.microsoft.com| |||TLS v1.2|watson.*.microsoft.com| |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| |||HTTPS|*licensing.mp.microsoft.com| |||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content| |Location|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location)| -||The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|TLS v1.2|inference.location.live.net| +||The following endpoints are used for location data. If you turn off traffic for this endpoint, apps can't use location data.|TLS v1.2|inference.location.live.net| |Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| -||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTP|*maps.windows.com| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps won't be updated.|HTTP|*maps.windows.com| |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| -||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLS v1.2|*login.live.com| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLS v1.2|*login.live.com| |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| -||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLS v1.2|1storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLS v1.2|1storecatalogrevocation.storequality.microsoft.com| |||HTTPS|storecatalogrevocation.storequality.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|HTTPS|displaycatalog.mp.microsoft.com/*| -|||HTTPS|pti.store.microsoft.com/*| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|HTTPS|displaycatalog.mp.microsoft.com/*| |Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| ||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| |Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| @@ -94,24 +93,24 @@ The following methodology was used to derive these network endpoints: |||HTTP| windows.policies.live.net| |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLS v1.2|settings-win.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| |||HTTPS|*.pipe.aria.microsoft.com| |||HTTP/TLS v1.2|config.edge.skype.com| |Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||HTTPS|config.teams.microsoft.com| -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| |||HTTPS/TLS v1.2|wdcp.microsoft.com| -||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS/TLS v1.2|*smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS/TLS v1.2|*smartscreen-prod.microsoft.com| |||HTTPS|checkappexec.microsoft.com| -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| |||HTTPS/TLS v1.2|arc.msn.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| |||HTTPS/TLS v1.2|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device won't be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device won't be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTP|*.delivery.mp.microsoft.com| |||HTTPS/TLS v1.2|*.update.microsoft.com| ||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS/TLS v1.2|tsfe.trafficshaping.dsp.mp.microsoft.com| diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index f6b643c76d..319a0c8305 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md @@ -1,8 +1,8 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 2004 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 2004. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 6d1f53fe97..3b17ebda7d 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md @@ -1,8 +1,8 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 20H2 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 20H2. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -26,15 +26,15 @@ Some Windows components, app, and related services transfer data to Microsoft ne - Using your location to show a weather forecast. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. +Where applicable, each endpoint covered in this article includes a link to the specific details on how to control that traffic. The following methodology was used to derive these network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory. 6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. @@ -47,46 +47,45 @@ The following methodology was used to derive these network endpoints: |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| -||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net| -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| -||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| |||TLSv1.2/HTTPS/HTTP|fp.msedge.net| |||TLSv1.2|I-ring.msedge.net| |||HTTPS|s-ring.msedge.net| |Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata won't be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| |||HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| |||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| |||HTTP|www.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| -|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you won't be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| |||HTTPS|fs.microsoft.com| |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| |||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| |Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| -||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps won't be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| -||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| ||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| -||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps can't be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| -||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| -|||HTTPS|pti.store.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| |||HTTP|share.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| |Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| @@ -104,24 +103,24 @@ The following methodology was used to derive these network endpoints: |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| |||HTTPS|settings.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| |||HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| |Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| |||HTTPS/TLSv1.2|wdcp.microsoft.com| -||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com| |||HTTPS/HTTP|checkappexec.microsoft.com| -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| |||TLSv1.2/HTTPS/HTTP|arc.msn.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| |||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device won't be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device won't be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| |||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 59568d1dd6..cc6b1a5407 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -1,8 +1,8 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 21H1 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H1. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -26,15 +26,15 @@ Some Windows components, app, and related services transfer data to Microsoft ne - Using your location to show a weather forecast. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. +Where applicable, each endpoint covered in this article includes a link to the specific details on how to control that traffic. The following methodology was used to derive these network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory. 6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. @@ -47,46 +47,45 @@ The following methodology was used to derive these network endpoints: |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| -||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| -||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| |||TLSv1.2/HTTPS/HTTP|fp.msedge.net| |||TLSv1.2|I-ring.msedge.net| |||HTTPS|s-ring.msedge.net| |Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata won't be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| |||HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| |||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| |||HTTP|www.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: **Administrative Templates** > **Windows Components** > **Windows Error Reporting** > **Disable Windows Error Reporting**. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: **Administrative Templates** > **Windows Components** > **Windows Error Reporting** > **Disable Windows Error Reporting**. This means error reporting information won't be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| -|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you won't be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| |||HTTPS|fs.microsoft.com| |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| |||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| |Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| -||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps won't be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| -||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| ||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead, disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| -||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps can't be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| -||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| -|||HTTPS|pti.store.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| |||HTTP|share.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| |Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| @@ -104,24 +103,24 @@ The following methodology was used to derive these network endpoints: |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| |||HTTPS|settings.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| |||HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| |Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| |||HTTPS/TLSv1.2|wdcp.microsoft.com| -||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com| |||HTTPS/HTTP|checkappexec.microsoft.com| -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| |||TLSv1.2/HTTPS/HTTP|arc.msn.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| |||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Microsoft Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device won't be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device won't be able to acquire and update apps from the Microsoft Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| |||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index b43864a94f..52a3f761ae 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md @@ -1,8 +1,8 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 21H2 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H2. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -26,15 +26,15 @@ Some Windows components, app, and related services transfer data to Microsoft ne - Using your location to show a weather forecast. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. +Where applicable, each endpoint covered in this article includes a link to the specific details on how to control that traffic. The following methodology was used to derive these network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory. 6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. @@ -47,44 +47,43 @@ The following methodology was used to derive these network endpoints: |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| -||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net| -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| -||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| |||TLSv1.2/HTTPS/HTTP|fp.msedge.net| |||TLSv1.2|I-ring.msedge.net| |||HTTPS|s-ring.msedge.net| |Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| -||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata won't be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| |||HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
    If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
    If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| -|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you won't be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| |||HTTPS|fs.microsoft.com| |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| |||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| |Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| -||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps won't be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| |Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| -||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| ||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| -||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps can't be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| -||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| -||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| -|||HTTPS|pti.store.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| |||HTTP|share.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| |Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| @@ -102,24 +101,24 @@ The following methodology was used to derive these network endpoints: |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| |||HTTPS|settings.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| |||HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| |Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| |||HTTPS/TLSv1.2|wdcp.microsoft.com| -||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com| |||HTTPS/HTTP|checkappexec.microsoft.com| -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| |||TLSv1.2/HTTPS/HTTP|arc.msn.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| |||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| -||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device won't be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device won't be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| |||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index f79b3dd872..91da38dfa3 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -2,8 +2,8 @@ description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2. title: Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2 keywords: privacy, telemetry -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 9b5cb9c9db..9716a4c5ce 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -1,8 +1,8 @@ --- description: Learn more about the Windows 11 diagnostic data gathered at the basic level. title: Required diagnostic events and fields for Windows 11, version 21H2 -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index dd99685ad0..b552e20cf5 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1,8 +1,8 @@ --- description: Learn more about the required Windows 10 diagnostic data gathered. title: Required diagnostic events and fields for Windows 10 (versions 22H2, 21H2, 21H1, 20H2, and 2004) -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index cc4c373f09..ab86dc703a 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -1,14 +1,15 @@ --- title: Windows Privacy Compliance Guide description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: laurawi ms.date: 05/20/2019 ms.topic: conceptual +ms.collection: essentials-compliance --- # Windows Privacy Compliance:
    A Guide for IT and Compliance Professionals diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index 483e61d221..f27e7c4961 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -1,8 +1,8 @@ --- title: Windows 11 connection endpoints for non-Enterprise editions description: Explains what Windows 11 endpoints are used in non-Enterprise editions. Specific to Windows 11. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md index 7ae4b7f694..6716304894 100644 --- a/windows/privacy/windows-diagnostic-data-1703.md +++ b/windows/privacy/windows-diagnostic-data-1703.md @@ -1,8 +1,8 @@ --- title: Windows 10 diagnostic data for the Full diagnostic data level (Windows 10) description: Use this article to learn about the types of data that is collected the Full diagnostic data level. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 8f05003e77..44ea57dcd1 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -1,8 +1,8 @@ --- title: Windows 10, version 1709 and Windows 11 and later optional diagnostic data (Windows 10) description: Use this article to learn about the types of optional diagnostic data that is collected. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index 74b6ce5ab7..b4736b74ce 100644 --- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -1,8 +1,8 @@ --- title: Windows 10, version 1809, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1809. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index c10a331f56..b558fc1c1e 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -1,8 +1,8 @@ --- title: Windows 10, version 1903, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1903. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -88,7 +88,6 @@ The following methodology was used to derive the network endpoints: | oneclient.sfx.ms\* | HTTPS | Used by OneDrive for Business to download and verify app updates | onecollector.cloudapp.aria.akadns.net | HTTPS | Microsoft Office | ow1.res.office365.com | HTTP | Microsoft Office -| pti.store.microsoft.com | HTTPS | Microsoft Store | purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store | query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata | ris.api.iris.microsoft.com\* | TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata @@ -172,7 +171,6 @@ The following methodology was used to derive the network endpoints: | nav.smartscreen.microsoft.com | HTTPS | Windows Defender | ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities | oneclient.sfx.ms | HTTP | OneDrive -| pti.store.microsoft.com | HTTPS | Microsoft Store | ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata | ris-prod-atm.trafficmanager.net | HTTPS | Azure | s2s.config.skype.com | HTTP | Microsoft Skype @@ -251,7 +249,6 @@ The following methodology was used to derive the network endpoints: | ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities | oneclient.sfx.ms/\* | HTTPS | Used by OneDrive for Business to download and verify app updates | onecollector.cloudapp.aria.akadns.net | HTTPS | Microsoft Office -| pti.store.microsoft.com | HTTPS | Microsoft Store | settings-win.data.microsoft.com/settings/\* | HTTPS | Used as a way for apps to dynamically update their configuration | share.microsoft.com | HTTPS | Microsoft Store | skypeecs-prod-usw-0.cloudapp.net | HTTPS | Skype diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index 22f613edc5..a0bfa21291 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -1,8 +1,8 @@ --- title: Windows 10, version 1909, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1909. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -70,7 +70,6 @@ The following methodology was used to derive the network endpoints: |outlook.office365.com|HTTP|Used to connect to the Microsoft 365 admin center's shared infrastructure, including Office in a browser |ocsp.digicert.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available |oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates -|pti.store.microsoft.com/*|HTTP|Used to communicate with Microsoft Store |img-prod-cms-rt-microsoft-com.akamaized.net|HTTP|Used to communicate with Microsoft Store |manage.devcenter.microsoft.com|HTTP/TLS v1.2|Used to get Microsoft Store analytics |ris.api.iris.microsoft.com|HTTPS|Used to retrieve Windows Spotlight metadata that describes content @@ -139,7 +138,6 @@ The following methodology was used to derive the network endpoints: |ocsp.msocsp.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available |oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates |mobile.pipe.aria.microsoft.com|HTTP|Office Telemetry -|pti.store.microsoft.com/*|HTTP|Used to communicate with Microsoft Store |ris.api.iris.microsoft.com|TLS v1.2|Windows Spotlight |settings-win.data.microsoft.com|HTTPS/TLS v1.2|Used for Windows apps to dynamically update their configuration |spo-ring.msedge.net|TLSv1.2|Cortana and Live Tiles @@ -189,7 +187,6 @@ The following methodology was used to derive the network endpoints: |iecvlist.microsoft.com|HTTP|Microsoft Edge |download.windowsupdate.com|HTTP|Windows Update |checkappexec.microsoft.com|HTTPS|Windows Defender -|pti.store.microsoft.com/*|HTTP|Microsoft Store |emdl.ws.microsoft.com|HTTP|Windows Update |evoke-windowsservices-tas.msedge.net|HTTPS/TLS v1.2|Photos app |g.live.com|TLS v1.2|OneDrive diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md index 2a78739318..c8f28f8ea4 100644 --- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md @@ -1,8 +1,8 @@ --- title: Windows 10, version 2004, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 2004. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md index dd6dc0c592..f41413a60a 100644 --- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md @@ -1,8 +1,8 @@ --- title: Windows 10, version 20H2, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 20H2. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -75,7 +75,6 @@ The following methodology was used to derive the network endpoints: ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| -|||HTTPS|pti.store.microsoft.com| |||HTTPS|storesdk.dsx.mp.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| ||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com| @@ -152,7 +151,6 @@ The following methodology was used to derive the network endpoints: ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| -|||HTTPS|pti.store.microsoft.com| |||HTTPS|storesdk.dsx.mp.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| |Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| @@ -227,7 +225,6 @@ The following methodology was used to derive the network endpoints: ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| |||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| -|||HTTPS|pti.store.microsoft.com| |||HTTPS|storesdk.dsx.mp.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| |Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md index c9fc4c9d3a..ae92428145 100644 --- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md @@ -1,8 +1,8 @@ --- title: Windows 10, version 21H1, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 21H1. -ms.prod: windows-client -ms.technology: itpro-privacy +ms.service: windows-client +ms.subservice: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown @@ -73,7 +73,6 @@ The following methodology was used to derive the network endpoints: ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| -|||HTTPS|pti.store.microsoft.com| |||HTTPS|storesdk.dsx.mp.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| ||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com| @@ -148,7 +147,6 @@ The following methodology was used to derive the network endpoints: ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| -|||HTTPS|pti.store.microsoft.com| |||HTTPS|storesdk.dsx.mp.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| |Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| @@ -221,7 +219,6 @@ The following methodology was used to derive the network endpoints: ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| |||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com| -|||HTTPS|pti.store.microsoft.com| |||HTTPS|storesdk.dsx.mp.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| |Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*| diff --git a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index 2ec2462e4c..f268f032bb 100644 --- a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -1,12 +1,10 @@ --- title: Windows Defender Application Control and virtualization-based code integrity description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC). -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.technology: itpro-security ms.date: 03/16/2023 ms.topic: article --- diff --git a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md index 284e549300..e9d01861ab 100644 --- a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md +++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md @@ -35,7 +35,7 @@ To configure UAC, you can use: The following instructions provide details how to configure your devices. Select the option that best suits your needs. -#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) +#### [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) ### Configure UAC with a Settings catalog policy @@ -61,7 +61,7 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Local | **Setting name**: Switch to the secure desktop when prompting for elevation
    **Policy CSP name**: `UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation`| | **Setting name**: Virtualize file and registry write failures to per-user locations
    **Policy CSP name**: `UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations`| -#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) +#### [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) You can use security policies to configure how User Account Control works in your organization. The policies can be configured locally by using the Local Security Policy snap-in (`secpol.msc`) or configured for the domain, OU, or specific groups by group policy. @@ -80,7 +80,7 @@ The policy settings are located under: `Computer Configuration\Windows Settings\ |User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | |User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | -#### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) +#### [:::image type="icon" source="../../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg) The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md index ef477ce467..a095fd7246 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/administer-applocker.md @@ -3,7 +3,7 @@ title: Administer AppLocker description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 12/19/2023 +ms.date: 01/03/2024 --- # Administer AppLocker diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md index ffd2a32a70..654b172dca 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md @@ -6,7 +6,7 @@ ms.collection: - must-keep ms.topic: conceptual ms.localizationpriority: medium -ms.date: 12/19/2023 +ms.date: 01/03/2024 --- # AppLocker diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index e237fc6361..e974fdf194 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -3,7 +3,7 @@ title: Deploy AppLocker policies by using the enforce rules setting description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 12/19/2023 +ms.date: 01/03/2024 --- # Deploy AppLocker policies by using the enforce rules setting diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md index ed64315838..fe3ac2062b 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -3,7 +3,7 @@ title: Edit an AppLocker policy description: This article for IT professionals describes the steps required to modify an AppLocker policy. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 12/19/2023 +ms.date: 01/03/2024 --- # Edit an AppLocker policy diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md index 933deb03c0..75f6df943a 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -3,7 +3,7 @@ title: Maintain AppLocker policies description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 12/19/2023 +ms.date: 01/03/2024 --- # Maintain AppLocker policies diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md index 6523b1bccc..63277272b1 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -3,7 +3,7 @@ title: Optimize AppLocker performance description: This article for IT professionals describes how to optimize AppLocker policy enforcement. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 12/19/2023 +ms.date: 01/03/2024 --- # Optimize AppLocker performance diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index 33b57f4bc0..e47477a31a 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -3,7 +3,7 @@ title: Test and update an AppLocker policy description: This article discusses the steps required to test an AppLocker policy prior to deployment. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 12/19/2023 +ms.date: 01/03/2024 --- # Test and update an AppLocker policy diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index ffefd947e7..0678fb60b9 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -3,7 +3,7 @@ title: Use the AppLocker Windows PowerShell cmdlets description: This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 12/19/2023 +ms.date: 01/03/2024 --- # Use the AppLocker Windows PowerShell cmdlets diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md index 90bdaa9748..21442ea394 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md @@ -4,6 +4,7 @@ description: Learn how to plan and implement a WDAC deployment. ms.localizationpriority: medium ms.date: 01/23/2023 ms.topic: overview +ms.collection: essentials-get-started --- # Deploying Windows Defender Application Control (WDAC) policies diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md index 615226657c..2b18eadcc2 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md @@ -5,7 +5,7 @@ ms.localizationpriority: medium ms.collection: - tier3 - must-keep -ms.date: 06/06/2023 +ms.date: 01/24/2024 ms.topic: article --- @@ -20,7 +20,7 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto - Malicious behaviors (malware) or certificates used to sign malware - Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel -Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. +Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the blocklist, including updating a block rule once a driver has been fixed, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. > [!NOTE] > Blocking drivers can cause devices or software to malfunction, and in rare cases, lead to blue screen. The vulnerable driver blocklist is not guaranteed to block every driver found to have vulnerabilities. Microsoft attempts to balance the security risks from vulnerable drivers with the potential impact on compatibility and reliability to produce the blocklist. As always, Microsoft recommends using an explicit allow list approach to security wherever possible. @@ -39,7 +39,7 @@ With Windows 11 2022 update, the vulnerable driver blocklist is enabled by defa The blocklist is updated with each new major release of Windows, typically 1-2 times per year, including most recently with the Windows 11 2022 update released in September 2022. The most current blocklist is now also available for Windows 10 20H2 and Windows 11 21H2 users as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing. -Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies. +Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we provide a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, use the following XML to create your own custom WDAC policies. ## Blocking vulnerable drivers using WDAC @@ -72,15 +72,17 @@ To check that the policy was successfully applied on your computer: ## Vulnerable driver blocklist XML > [!IMPORTANT] -> The policy listed below contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations). +> The following policy contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations). > [!NOTE] > To use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system. +The following recommended blocklist xml policy file can also be downloaded from the [Microsoft Download Center](https://aka.ms/VulnerableDriverBlockList). + ```xml - 10.0.25965.0 + 10.0.26025.0 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} @@ -537,6 +539,26 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + + + + + + + + + @@ -653,6 +675,10 @@ To check that the policy was successfully applied on your computer: + + + + @@ -661,6 +687,24 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + + + + + + + @@ -868,6 +912,38 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1038,6 +1114,18 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + @@ -1182,42 +1270,98 @@ To check that the policy was successfully applied on your computer: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1240,6 +1384,14 @@ To check that the policy was successfully applied on your computer: + + + + + + + + @@ -1260,6 +1412,18 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + @@ -1363,35 +1527,45 @@ To check that the policy was successfully applied on your computer: + + + - - + + + + - + + + + + + @@ -1407,10 +1581,12 @@ To check that the policy was successfully applied on your computer: + + @@ -1425,27 +1601,39 @@ To check that the policy was successfully applied on your computer: + + - + + - + + + + + + + + + + @@ -1462,6 +1650,9 @@ To check that the policy was successfully applied on your computer: + + + @@ -1472,10 +1663,16 @@ To check that the policy was successfully applied on your computer: + + + + + + @@ -1506,6 +1703,7 @@ To check that the policy was successfully applied on your computer: + @@ -1525,12 +1723,14 @@ To check that the policy was successfully applied on your computer: + + + + - - @@ -1593,16 +1793,19 @@ To check that the policy was successfully applied on your computer: + + - - + + + @@ -1610,10 +1813,12 @@ To check that the policy was successfully applied on your computer: + + @@ -1630,9 +1835,11 @@ To check that the policy was successfully applied on your computer: + + @@ -1648,11 +1855,16 @@ To check that the policy was successfully applied on your computer: + + + + + @@ -1716,12 +1928,21 @@ To check that the policy was successfully applied on your computer: - + + + + + + + + + + @@ -1775,6 +1996,7 @@ To check that the policy was successfully applied on your computer: + @@ -1784,22 +2006,26 @@ To check that the policy was successfully applied on your computer: - + + - + + - + + - + + @@ -1964,11 +2190,13 @@ To check that the policy was successfully applied on your computer: + + @@ -2004,8 +2232,9 @@ To check that the policy was successfully applied on your computer: - + + @@ -2018,6 +2247,11 @@ To check that the policy was successfully applied on your computer: + + + + + @@ -2185,6 +2419,54 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2309,10 +2591,13 @@ To check that the policy was successfully applied on your computer: + + + @@ -2342,6 +2627,7 @@ To check that the policy was successfully applied on your computer: + @@ -2369,10 +2655,13 @@ To check that the policy was successfully applied on your computer: + + + @@ -2389,17 +2678,22 @@ To check that the policy was successfully applied on your computer: + + + + + @@ -2881,6 +3175,26 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + + + + + + + + + @@ -2985,6 +3299,10 @@ To check that the policy was successfully applied on your computer: + + + + @@ -2993,6 +3311,24 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + + + + + + + @@ -3201,6 +3537,38 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3375,10 +3743,18 @@ To check that the policy was successfully applied on your computer: - - - - + + + + + + + + + + + + @@ -3523,38 +3899,98 @@ To check that the policy was successfully applied on your computer: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3577,6 +4013,14 @@ To check that the policy was successfully applied on your computer: + + + + + + + + @@ -3597,6 +4041,18 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + @@ -3681,6 +4137,10 @@ To check that the policy was successfully applied on your computer: + + + + @@ -3713,7 +4173,7 @@ To check that the policy was successfully applied on your computer: - 10.0.25965.0 + 10.0.26025.0 diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-parsing-event-logs.md b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-parsing-event-logs.md index 6710d78572..5fb5ff24d3 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-parsing-event-logs.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard-parsing-event-logs.md @@ -3,7 +3,7 @@ title: Windows Defender Application Control Wizard WDAC Event Parsing description: Creating WDAC policy rules from the WDAC event logs and the MDE Advanced Hunting WDAC events. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 02/01/2023 +ms.date: 01/24/2024 --- # Creating WDAC Policy Rules from WDAC Events in the Wizard @@ -21,11 +21,11 @@ As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.ht To create rules from the WDAC event logs on the system: -1. Select **Policy Editor** from the WDAC Wizard main page. +1. Select **Policy Editor** from the main page. 2. Select **Convert Event Log to a WDAC Policy**. 3. Select the **Parse Event Logs** button under the **Parse Event Logs from the System Event Viewer to Policy** header. - The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events. + The Wizard parses the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You see a notification when the Wizard successfully finishes reading the events. > [!div class="mx-imgBorder"] > [![Parse WDAC and AppLocker event log system events](../images/wdac-wizard-event-log-system.png)](../images/wdac-wizard-event-log-system-expanded.png) @@ -37,12 +37,12 @@ To create rules from the WDAC event logs on the system: To create rules from the WDAC `.EVTX` event logs files on the system: -1. Select **Policy Editor** from the WDAC Wizard main page. +1. Select **Policy Editor** from the main page. 2. Select **Convert Event Log to a WDAC Policy**. 3. Select the **Parse Log File(s)** button under the **Parse Event Log evtx Files to Policy** header. 4. Select the WDAC CodeIntegrity Event log EVTX file(s) from the disk to parse. - The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events. + The Wizard parses the relevant audit and block events from the selected log files. You see a notification when the Wizard successfully finishes reading the events. > [!div class="mx-imgBorder"] > [![Parse evtx file WDAC events](../images/wdac-wizard-event-log-files.png)](../images/wdac-wizard-event-log-files-expanded.png) @@ -57,7 +57,7 @@ To create rules from the WDAC events in [MDE Advanced Hunting](../operations/que 1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. **The Wizard requires the following fields** in the Advanced Hunting csv file export: ```KQL - | project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName + | project-keep Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName ``` The following Advanced Hunting query is recommended: @@ -76,7 +76,7 @@ To create rules from the WDAC events in [MDE Advanced Hunting](../operations/que | extend PolicyId = parsejson(AdditionalFields).PolicyID | extend PolicyName = parsejson(AdditionalFields).PolicyName // Keep only required fields for the WDAC Wizard - | project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName + | project-keep Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName ``` 2. Export the WDAC event results by selecting the **Export** button in the results view. @@ -84,12 +84,12 @@ To create rules from the WDAC events in [MDE Advanced Hunting](../operations/que > [!div class="mx-imgBorder"] > [![Export the MDE Advanced Hunting results to CSV](../images/wdac-wizard-event-log-mde-ah-export.png)](../images/wdac-wizard-event-log-mde-ah-export-expanded.png) -3. Select **Policy Editor** from the WDAC Wizard main page. +3. Select **Policy Editor** from the main page. 4. Select **Convert Event Log to a WDAC Policy**. 5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header. 6. Select the WDAC MDE Advanced Hunting export CSV files from the disk to parse. - The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You'll see a notification when the Wizard successfully finishes reading the events. + The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You see a notification when the Wizard successfully finishes reading the events. > [!div class="mx-imgBorder"] > [![Parse the Advanced Hunting CSV WDAC event files](../images/wdac-wizard-event-log-mde-ah-parsing.png)](../images/wdac-wizard-event-log-mde-ah-parsing-expanded.png) @@ -99,14 +99,14 @@ To create rules from the WDAC events in [MDE Advanced Hunting](../operations/que ## Creating Policy Rules from the Events -On the "Configure Event Log Rules" page, the unique WDAC log events will be shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers. +On the "Configure Event Log Rules" page, the unique WDAC log events are shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers. To create a rule and add it to the WDAC policy: 1. Select an audit or block event in the table by selecting the row of interest. 2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules. 3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type. -4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated. +4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label is shown in the selected row confirming that the rule will be generated. > [!div class="mx-imgBorder"] > [![Adding a publisher rule to the WDAC policy](../images/wdac-wizard-event-rule-creation.png)](../images/wdac-wizard-event-rule-creation-expanded.png) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md index 9b0edc0e23..889b1c2d8d 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md @@ -4,6 +4,7 @@ description: Gather information about how your deployed Windows Defender Applica ms.localizationpriority: medium ms.date: 03/30/2023 ms.topic: article +ms.collection: essentials-manage --- # Windows Defender Application Control operational guide diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md index b6495d2d01..5e998b8788 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md @@ -2,7 +2,7 @@ title: WDAC and AppLocker Overview description: Compare Windows application control technologies. ms.localizationpriority: medium -ms.date: 12/19/2023 +ms.date: 01/03/2024 ms.topic: article --- diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md index 500f4c397b..e178b6f5e1 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md @@ -5,6 +5,8 @@ ms.localizationpriority: medium ms.collection: - tier3 - must-keep +- essentials-navigation +- essentials-overview ms.date: 08/30/2023 ms.topic: article --- diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 445dd2b03e..62c1b9f07b 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -33,6 +33,8 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "ms.subservice": "itpro-security", + "ms.service": "windows-client", "recommendations": true, "adobe-target": true, "ms.collection": [ @@ -42,8 +44,6 @@ "zone_pivot_group_filename": "resources/zone-pivot-groups.json", "uhfHeaderId": "MSDocsHeader-Windows", "ms.localizationpriority": "medium", - "ms.prod": "windows-client", - "ms.technology": "itpro-security", "manager": "aaroncz", "feedback_system": "Standard", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", diff --git a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md index d5451404d1..e68ce7f0d5 100644 --- a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -1,16 +1,16 @@ --- -title: How Windows Defender System Guard helps protect Windows -description: Learn how Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof. +title: How System Guard helps protect Windows +description: Learn how System Guard reorganizes the existing Windows system integrity features under one roof. ms.localizationpriority: medium -ms.date: 10/25/2023 +ms.date: 01/16/2024 ms.topic: conceptual --- -# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows +# System Guard: How a hardware-based root of trust helps protect Windows To protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. -Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees: +System Guard reorganizes the existing Windows system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees: - Protect and maintain the integrity of the system as it starts up - Validate that system integrity has truly been maintained through local and remote attestation @@ -33,7 +33,7 @@ Also, a bug fix for UEFI code can take a long time to design, build, retest, val ### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM) -[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. +[System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. ![System Guard Secure Launch.](images/system-guard-secure-launch.png) @@ -56,15 +56,15 @@ SMM protection is built on top of the Secure Launch technology and requires it t ## Validating platform integrity after Windows is running (run time) -While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can't just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device's integrity. +While System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can't just trust the platform, which potentially could be compromised, to self-attest to its security state. So System Guard includes a series of technologies that enable remote analysis of the device's integrity. -As Windows boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch doesn't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, to name a few. +As Windows boots, a series of integrity measurements are taken by System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch doesn't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, to name a few. -![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png) +![Boot time integrity.](images/system-guard-boot-time-integrity.png) -After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. +After the system boots, System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Configuration Manager can acquire them for remote analysis. If System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. -[!INCLUDE [windows-defender-system-guard](../../../includes/licensing/windows-defender-system-guard.md)] +[!INCLUDE [system-guard](../../../includes/licensing/system-guard.md)] ## System requirements for System Guard @@ -78,7 +78,7 @@ This feature is available for the following processors: |Name|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and Virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| |Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.| |Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| |SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | @@ -94,7 +94,7 @@ This feature is available for the following processors: |Name|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and Virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| |Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.| |Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| |SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | diff --git a/windows/security/hardware-security/images/system-guard-boot-time-integrity.png b/windows/security/hardware-security/images/system-guard-boot-time-integrity.png new file mode 100644 index 0000000000..2dc989f2ef Binary files /dev/null and b/windows/security/hardware-security/images/system-guard-boot-time-integrity.png differ diff --git a/windows/security/hardware-security/images/system-guard-secure-launch.png b/windows/security/hardware-security/images/system-guard-secure-launch.png index b8167afbdc..9d02a7e2f3 100644 Binary files a/windows/security/hardware-security/images/system-guard-secure-launch.png and b/windows/security/hardware-security/images/system-guard-secure-launch.png differ diff --git a/windows/security/hardware-security/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/hardware-security/images/windows-defender-system-guard-boot-time-integrity.png deleted file mode 100644 index 1761e2e539..0000000000 Binary files a/windows/security/hardware-security/images/windows-defender-system-guard-boot-time-integrity.png and /dev/null differ diff --git a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md index f4092a1bc3..6b5201c81c 100644 --- a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md @@ -4,15 +4,14 @@ description: Learn how Kernel DMA Protection protects Windows devices against dr ms.collection: - tier1 ms.topic: conceptual -ms.date: 07/31/2023 +ms.date: 01/09/2024 --- # Kernel DMA Protection -Kernel DMA Protection is a Windows security feature that protects against external peripherals from gaining unauthorized access to memory. +Kernel Direct Memory Access (DMA) Protection is a Windows security feature that protects against external peripherals from gaining unauthorized access to memory. -PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach classes of external peripherals, including graphics cards, to their devices with the plug-and-play ease of USB.\ -These devices are DMA-capable, and can access system memory and perform read and write operations without the need for the system processor's involvement. This capability is the reason behind the exceptional performance of PCI devices, but it also makes them susceptible to *drive-by DMA attacks*. +PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach classes of external peripherals, including graphics cards, to their devices with the plug-and-play ease of USB. These devices are DMA-capable, and can access system memory and perform read and write operations without the need for the system processor's involvement. This capability is the reason behind the exceptional performance of PCI devices, but it also makes them susceptible to *drive-by DMA attacks*. Drive-by DMA attacks are attacks that occur while the owner of the system isn't present and usually take just a few minutes, with simple-to-moderate attacking tools (affordable, off-the-shelf hardware and software), that don't require the disassembly of the device. For example, attackers can plug in a USB-like device while the device owner is on a break, and walk away with all the secrets on the machine, or inject a malware that allows them to have full control over the device remotely while bypassing the lock screen. @@ -21,8 +20,7 @@ Drive-by DMA attacks are attacks that occur while the owner of the system isn't ## How Windows protects against DMA drive-by attacks -Windows uses the system *Input/Output Memory Management Unit (IOMMU)* to block external peripherals from starting and performing DMA, unless the drivers for these peripherals support memory isolation (such as DMA-remapping). -Peripherals with [DMA Remapping compatible drivers][LINK-1] will be automatically enumerated, started, and allowed to perform DMA to their assigned memory regions. +Windows uses the system *Input/Output Memory Management Unit (IOMMU)* to block external peripherals from starting and performing DMA, unless the drivers for these peripherals support memory isolation (such as DMA-remapping). Peripherals with [DMA Remapping compatible drivers][LINK-1] will be automatically enumerated, started, and allowed to perform DMA to their assigned memory regions. By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using MDM or group policies. @@ -83,8 +81,7 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O ### How can I check if a certain driver supports DMA-remapping? -Not all devices and drivers support DMA-remapping. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of **0** or **1** means that the device driver doesn't support DMA-remapping. A value of **2** means that the device driver supports DMA-remapping. If the property isn't available, then the device driver doesn't support DMA-remapping. -Check the driver instance for the device you're testing. Some drivers may have varying values depending on the location of the device (internal vs. external). +Not all devices and drivers support DMA-remapping. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of **0** or **1** means that the device driver doesn't support DMA-remapping. A value of **2** means that the device driver supports DMA-remapping. If the property isn't available, then the device driver doesn't support DMA-remapping. Check the driver instance for the device you're testing. Some drivers may have varying values depending on the location of the device (internal vs. external). :::image type="content" source="images/device-details.png" alt-text="Screenshot of device details for a Thunderbolt controller showing a value of 2." border="false"::: diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml index c941dc715a..92e9f40c56 100644 --- a/windows/security/hardware-security/toc.yml +++ b/windows/security/hardware-security/toc.yml @@ -3,7 +3,7 @@ items: href: index.md - name: Hardware root of trust items: - - name: Windows Defender System Guard + - name: System Guard href: how-hardware-based-root-of-trust-helps-protect-windows.md - name: Trusted Platform Module href: tpm/trusted-platform-module-overview.md diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index e6e9d95ed6..9f8373b96b 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -37,7 +37,7 @@ To enable Credential Guard, you can use: [!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] -#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) ### Configure Credential Guard with Intune @@ -64,7 +64,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the Once the policy is applied, restart the device. -#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) ### Configure Credential Guard with group policy @@ -81,7 +81,7 @@ Once the policy is applied, restart the device. Once the policy is applied, restart the device. -#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) +#### [:::image type="icon" source="../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg) ### Configure Credential Guard with registry settings @@ -232,7 +232,7 @@ There are different options to disable Credential Guard. The option you choose d [!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] -#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) ### Disable Credential Guard with Intune @@ -254,7 +254,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the Once the policy is applied, restart the device. -#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) ### Disable Credential Guard with group policy @@ -270,7 +270,7 @@ If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling Once the policy is applied, restart the device. -#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) +#### [:::image type="icon" source="../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg) ### Disable Credential Guard with registry settings @@ -336,7 +336,7 @@ Use one of the following options to disable VBS: [!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] -#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) ### Disable VBS with Intune @@ -358,7 +358,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the Once the policy is applied, restart the device. -#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) ### Disable VBS with group policy @@ -374,7 +374,7 @@ Configure the policy used to enable VBS to **Disabled**. Once the policy is applied, restart the device -#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) +#### [:::image type="icon" source="../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg) ### Disable VBS with registry settings diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md new file mode 100644 index 0000000000..7c498d0bb4 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/configure.md @@ -0,0 +1,137 @@ +--- +title: Configure Windows Hello for Business +description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization. +ms.topic: how-to +ms.date: 01/03/2024 +--- + +# Configure Windows Hello for Business + +This article describes the options to configure Windows Hello for Business in an organization, and how to implement them. + +## Configuration options + +You can configure Windows Hello for Business by using the following options: + +- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer), which are usually used at deployment time or for unamanged devices. To configure Windows Hello for Business, use the [PassportForWork CSP][CSP-2] +- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and aren't managed by a device management solution + +## Policy precedence + +Some of the Windows Hello for Business policies are available for both computer and user configuration. The following list describes the policy precedence for Windows Hello for Business: + +- *User policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used +- Windows Hello for Business policy settings are enforced using the following hierarchy: + - User GPO + - Computer GPO + - User MDM + - Device MDM + - Device Lock policy + +>[!IMPORTANT] +>All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. + +>[!NOTE] +> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN. + +### Retrieve the Microsoft Entra tenant ID + +The configuration via CSP or registry of different Windows Hello for Business policy settings require to specify the Microsoft Entra tenant ID where the device is registered. + +To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID][ENTRA-2] or try the following, ensuring to sign in with your organization's account: + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/organization?$select=id +``` + +For example, the [PassportForWork CSP documentation][CSP-1] describes how to configure Windows Hello for Business options using the OMA-URI: + +```Device +./Device/Vendor/MSFT/PassportForWork/{TenantId} +``` + +When configuring devices, replace `TenantID` with your Microsoft Entra tenant ID. For example, if your Microsoft Entra tenant ID is `dcd219dd-bc68-4b9b-bf0b-4a33a796be35`, the OMA-URI would be: + +```Device +./Device/Vendor/MSFT/PassportForWork/{dcd219dd-bc68-4b9b-bf0b-4a33a796be35} +``` + +## Configure Windows Hello for Business using Microsoft Intune + +For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business. + +There are different ways to enable and configure Windows Hello for Business in Intune: + +- Using a policy applied at the tenant level. The tenant policy: + - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune + - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group +- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from: + - [Settings catalog][MEM-1] + - [Security baselines][MEM-2] + - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4] + - [Account protection policy][MEM-5] + - [Identity protection policy template][MEM-6] + +### Verify the tenant-wide policy + +To check the Windows Hello for Business policy settings applied at enrollment time: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** > **Windows** > **Windows Enrollment** +1. Select **Windows Hello for Business** +1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured + +:::image type="content" source="deploy/images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="deploy/images/whfb-intune-disable.png"::: + +## Policy conflicts from multiple policy sources + +Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared. + +> [!IMPORTANT] +> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*. + +> [!NOTE] +> For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). + +## Disable Windows Hello for Business enrollment + +Windows Hello for Business is enabled by default for devices that are Microsoft Entra joined. If you need to disable the automatic enablement, there are different options, including: + +- Disable Windows Hello using the [tenant-wide policy](#verify-the-tenant-wide-policy) +- Disable it using one of the policy types available in Intune, while enabling the Enrollment Status Page (ESP). The ESP can be configured to prevent a user from accessing the desktop until the device receives all the required policies. For more information, see [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status). The policy setting to configure is [Use Windows Hello for Business](policy-settings.md#use-windows-hello-for-business) +- Provision the devices using a provisioning package that disables Windows Hello for Business. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages) +- Scripted solutions that can modify the registry settings to disable Windows Hello for Business during OS deployment + +Configuration type| Details | +|--|-| +| CSP (user)|**Key path**: `HHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies`
    **Key name**: `UsePassportForWork`
    **Type**: `REG_DWORD`
    **Value**:
     `1` to enable
     `0` to disable | +| CSP (device)|**Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`
    **Key name**: `UsePassportForWork`
    **Type**: `REG_DWORD`
    **Value**:
     `1` to enable
     `0` to disable | +| GPO (user)|**Key path**: `HKEY_USERS\\SOFTWARE\Policies\Microsoft\PassportForWork`
    **Key name**: `Enabled`
    **Type**: `REG_DWORD`
    **Value**:
     `1` to enable
     `0` to disable | +| GPO (user)|**Key path**: `KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`
    **Key name**: `Enabled`
    **Type**: `REG_DWORD`
    **Value**:
     `1` to enable
     `0` to disable | + +> [!NOTE] +> If there's a conflicting device policy and user policy, the user policy takes precedence. It's not recommended to create Local GPO or registry settings that could conflict with an MDM policy. This conflict could lead to unexpected results. + +## Next steps + +For a list of Windows Hello for Business policy settings, see [Windows Hello for Business policy settings](policy-settings.md). + +To learn more about Windows Hello for Business features and how to configure them, see: + +- [PIN reset](pin-reset.md) +- [Dual enrollment](hello-feature-dual-enrollment.md) +- [Dynamic Lock](hello-feature-dynamic-lock.md) +- [Multi-factor Unlock](multifactor-unlock.md) +- [Remote desktop (RDP) sign-in](rdp-sign-in.md) + + + +[CSP-1]: /windows/client-management/mdm/passportforwork-csp#devicetenantid +[CSP-2]: /windows/client-management/mdm/passportforwork-csp +[ENTRA-2]: /entra/fundamentals/how-to-find-tenant +[MEM-1]: /mem/intune/configuration/settings-catalog +[MEM-2]: /mem/intune/protect/security-baselines +[MEM-3]: /mem/intune/configuration/custom-settings-configure +[MEM-4]: /windows/client-management/mdm/passportforwork-csp +[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy +[MEM-6]: /mem/intune/protect/identity-protection-configure diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md new file mode 100644 index 0000000000..475b2dc597 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md @@ -0,0 +1,117 @@ +--- +title: Windows Hello for Business cloud-only deployment guide +description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario. +ms.date: 01/03/2024 +ms.topic: how-to +--- + +# Cloud-only deployment guide + +[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)] + +[!INCLUDE [requirements](includes/requirements.md)] + +> [!div class="checklist"] +> +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements) +> - [Prepare users to use Windows Hello](prepare-users.md) + +## Deployment steps + +> [!div class="checklist"] +> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) + +## Configure Windows Hello for Business policy settings + +When you Microsoft Entra join a device, the system attempts to automatically enroll you in Windows Hello for Business. If you want to use Windows Hello for Business in a cloud-only environment with its default settings, there's no extra configuration needed. + +Cloud-only deployments use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no other MFA configuration needed. If you aren't already registered in MFA, you're guided through the MFA registration as part of the Windows Hello for Business enrollment process. + +Policy settings can be configured to control the behavior of Windows Hello for Business, via configuration service provider (CSP) or group policy (GPO). In cloud-only deployments, devices are +typically configured via an MDM solution like Microsoft Intune, using the [PassportForWork CSP][WIN-1]. + +> [!NOTE] +> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business. + +If the Intune tenant-wide policy is configured to *disable Windows Hello for Business*, or if devices are deployed with Windows Hello disabled, you must configure one policy setting to enable Windows Hello for Business: + +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) + +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + +Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). + +# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune) + +[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| **Windows Hello for Business** | Use Passport For Work | true | +| **Windows Hello for Business** | Require Security Device | true | + +[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1]. + +| Setting | +|--------| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
    - **Data type:** `bool`
    - **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
    - **Data type:** `bool`
    - **Value:** `True`| + +# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) + +To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
    or
    **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**| +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| + +--- + +> [!TIP] +> If you're using Microsoft Intune, and you're not using the [tenant-wide policy](../configure.md#verify-the-tenant-wide-policy), enable the Enrollment Status Page (ESP) to ensure that the devices receive the Windows Hello for Business policy settings before users can access their desktop. For more information about ESP, see [Set up the Enrollment Status Page][MEM-1]. + +More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md). + +## Enroll in Windows Hello for Business + +The Windows Hello for Business provisioning process begins immediately after a user signs in, if certain prerequisite checks are passed. + +### User experience + +[!INCLUDE [user-experience](includes/user-experience.md)] + +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] + +### Sequence diagrams + +To better understand the provisioning flows, review the following sequence diagrams based on the authentication type: + +- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication) +- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication) + +To better understand the authentication flows, review the following sequence diagram: + +- [Microsoft Entra join authentication to Microsoft Entra ID](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-microsoft-entra-id) + +## Disable automatic enrollment + +If you want to disable the automatic Windows Hello for Business enrollment, you can configure your devices with a policy setting or registry key. For more information, see [Disable Windows Hello for Business enrollment](../configure.md#disable-windows-hello-for-business-enrollment). + +> [!NOTE] +> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you are guided to enroll in Windows Hello for Business when you don't have Intune. You can cancel the PIN screen and access the desktop without enrolling in Windows Hello for Business. + + + +[CSP-1]: /windows/client-management/mdm/passportforwork-csp +[MEM-1]: /mem/intune/enrollment/windows-enrollment-status +[WIN-1]: /windows/client-management/mdm/passportforwork-csp diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud.md b/windows/security/identity-protection/hello-for-business/deploy/cloud.md deleted file mode 100644 index ca409fc0b7..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/cloud.md +++ /dev/null @@ -1,84 +0,0 @@ ---- -title: Windows Hello for Business cloud-only deployment -description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario. -ms.date: 10/03/2023 -ms.topic: how-to ---- -# Cloud-only deployment - -[!INCLUDE [apply-to-cloud](includes/apply-to-cloud.md)] - -## Introduction - -When you Microsoft Entra join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in a cloud-only environment, there's no additional configuration needed. - -You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. This article describes how to disable Windows Hello for Business enrollment in a cloud only environment. - -> [!NOTE] -> During the out-of-box experience (OOBE) flow of a Microsoft Entra join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. - -## Prerequisites - -Cloud only deployments will use Microsoft Entra multifactor authentication (MFA) during Windows Hello for Business enrollment, and there's no additional MFA configuration needed. If you aren't already registered in MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process. - -The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](requirements.md#azure-ad-cloud-only-deployment). - -It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command: - -```powershell -Connect-MgGraph -$DomainId = "" -Get-MgDomainFederationConfiguration -DomainId $DomainId |fl -``` - -To reject the MFA claim from the federated IdP, use the following command. This change impacts all MFA scenarios for the federated domain. - -```powershell -Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp -``` - -If you use configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP. - -## Use Intune to disable Windows Hello for Business enrollment - -We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy. For more specific information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). - -### Disable Windows Hello for Business using Intune Enrollment policy - -The following method explains how to disable Windows Hello for Business enrollment using Intune. - -1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. -3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**. - - When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. - -> [!NOTE] -> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](../hello-manage-in-organization.md). - -## Disable Windows Hello for Business enrollment without Intune - -If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Microsoft Entra joined only, and not domain joined, these settings can also be made manually in the registry. - -Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** - -To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign in with your organization's account: - -```msgraph-interactive -GET https://graph.microsoft.com/v1.0/organization?$select=id -``` - -These registry settings are pushed from Intune for user policies: - -- Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies`** -- DWORD: **UsePassportForWork** -- Value = **0** for Disable, or Value = **1** for Enable - -These registry settings can be applied from Local or Group Policies: - -- Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`** -- Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`** -- DWORD: **Enabled** -- Value = **0** for Disable or Value = **1** for Enable - -If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results. diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md index c5e4939fc8..447f1f5c55 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md @@ -1,23 +1,17 @@ --- title: Configure Active Directory Federation Services in a hybrid certificate trust model -description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business hybrid certificate trust model. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model. +ms.date: 01/03/2024 ms.topic: tutorial --- -# Configure Active Directory Federation Services - hybrid certificate trust +# Configure Active Directory Federation Services in a hybrid certificate trust model [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)] The Windows Hello for Business certificate-based deployments use AD FS as the certificate registration authority (CRA). The CRA is responsible for issuing and revoking certificates to users. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.\ -The CRA enrolls for an *enrollment agent certificate*, and the Windows Hello for Business *authentication certificate template* is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. +The CRA enrolls for an *enrollment agent certificate*, and the Windows Hello for Business *authentication certificate template* is configured to only issue certificates to requests signed with an enrollment agent certificate. > [!NOTE] > In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the `https://enterpriseregistration.windows.net` endpoint. @@ -39,11 +33,11 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat AD FS performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. -Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. +Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it's successful. If the certificate fails to renew, and the certificate expires, the AD FS server requests a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. ### Group Memberships for the AD FS service account -The AD FS service account must be member of the security group targeted by the authentication certificate template auto-enrollment (e.g. *Window Hello for Business Users*). The security group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. +The AD FS service account must be member of the security group targeted by the authentication certificate template autoenrollment (for example, *Window Hello for Business Users*). The security group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. > [!TIP] > The adfssvc account is the AD FS service account. @@ -51,7 +45,7 @@ The AD FS service account must be member of the security group targeted by the a Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. 1. Open **Active Directory Users and Computers** -1. Search for the security group targeted by the authentication certificate template auto-enrollment (e.g. *Window Hello for Business Users*) +1. Search for the security group targeted by the authentication certificate template autoenrollment (for example, *Window Hello for Business Users*) 1. Select the **Members** tab and select **Add** 1. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment > **OK** 1. Select **OK** to return to **Active Directory Users and Computers** diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md index a9363c8a74..2bc061e33b 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md @@ -1,104 +1,62 @@ --- -title: Configure and provision Windows Hello for Business in a hybrid certificate trust model +title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +ms.date: 01/03/2024 ms.topic: tutorial --- -# Configure and provision Windows Hello for Business - hybrid certificate trust +# Configure and enroll in Windows Hello for Business in hybrid certificate trust model [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)] -## Policy Configuration +> [!div class="checklist"] +> Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) -After the prerequisites are met and the PKI and AD FS configurations are validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). +## Configure Windows Hello for Business policy settings + +There are two policy settings required to enable Windows Hello for Business in a certificate trust model: + +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) +- [Use certificate for on-premises authentication](../policy-settings.md#use-certificate-for-on-premises-authentication) + +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + +Use the following instructions to configure your devices using either Microsoft Intune or group policy (GPO). # [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) -> [!IMPORTANT] -> The information in this section applies to Microsoft Entra hybrid joined devices only. +[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)] -For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business. -It is suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign the **Group Policy** and **Certificate template permissions** to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. - -### Enable Windows Hello for Business group policy setting - -The *Enable Windows Hello for Business* group policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to **enabled**.\ -You can configure the *Enable Windows Hello for Business* setting for computer or users: - -- Deploying this policy setting to computers (or group of computers) results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment -- Deploying this policy setting to a user (or group of users), results in only that user attempting a Windows Hello for Business enrollment - -If both user and computer policy settings are deployed, the user policy setting has precedence. - -### Use certificate for on-premises authentication group policy setting - -The *Use certificate for on-premises authentication* group policy setting determines if the deployment uses the *key-trust* or *certificate trust* authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust authentication. - -### Enable automatic enrollment of certificates group policy setting +> [!TIP] +> Use the same *Windows Hello for Business Users* security group to assign **Certificate template permissions** to ensure the same members can enroll in the Windows Hello for Business authentication certificate. Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template. The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. -### Enable and configure Windows Hello for Business with group policy +[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)] -Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Right-click **Group Policy object** and select **New** -1. Type *Enable Windows Hello for Business* in the name box and select **OK** -1. In the content pane, right-click the **Enable Windows Hello for Business** group policy object and select **Edit** -1. In the navigation pane, expand **Policies** under **User Configuration** -1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business** -1. In the content pane, open **Use Windows Hello for Business**. Select **Enable > OK** -1. Open **Use certificate for on-premises authentication**. Select **Enable > OK** -1. Expand **Windows Settings > Security Settings > Public Key Policies** -1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties** -1. Select **Enabled** from the **Configuration Model** list -1. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check boxes -1. Select the **Update certificates that use certificate templates** check box -1. Select **OK** -1. Close the **Group Policy Management Editor** +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
    or
    **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**| +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
    or
    **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use certificate for on-premises authentication| **Enabled**| +| **Computer Configuration\Windows Settings\Security Settings\Public Key Policies**
    or
    **User Configuration\Windows Settings\Security Settings\Public Key Policies** |Certificate Services Client - Auto-Enrollment| - Select **Enabled** from the **Configuration Model**
    - Select the **Renew expired certificates, update pending certificates, and remove revoked certificates**
    - Select **Update certificates that use certificate templates**| +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| > [!NOTE] -> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*. -> -> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business). +> The enablement of the *Use a hardware security device* policy setting is optional, but recommended. -### Configure security for GPO +[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)] -The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. +> [!TIP] +> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business. -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Open the **Enable Windows Hello for Business** GPO -1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK** -1. Select the **Delegation** tab. Select **Authenticated Users > Advanced** -1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK** - -### Deploy the Windows Hello for Business Group Policy object - -The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO** -1. In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** - -### Add members to the targeted group - -Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business. - -# [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune) - -## Configure Windows Hello for Business using Microsoft Intune +# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune) > [!IMPORTANT] > The information in this section applies to Microsoft Entra joined devices managed by Intune. Before proceeding, ensure that you completed the steps described in: @@ -106,99 +64,77 @@ Users (or devices) must receive the Windows Hello for Business group policy sett > - [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md) > - [Using Certificates for AADJ On-premises Single-sign On](../hello-hybrid-aadj-sso-cert.md) -For Microsoft Entra joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business. +> [!NOTE] +> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business. -There are different ways to enable and configure Windows Hello for Business in Intune: +If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). -- Using a policy applied at the tenant level. The tenant policy: - - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune - - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group -- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Choose from the following policy types: - - [Settings catalog][MEM-1] - - [Security baselines][MEM-2] - - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4] - - [Account protection policy][MEM-5] - - [Identity protection policy template][MEM-6] +[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] -### Verify the tenant-wide policy +| Category | Setting name | Value | +|--|--|--| +| **Windows Hello for Business** | Use Passport For Work | true | +| **Windows Hello for Business** | Use Certificate For On Prem Auth | Enabled | +| **Windows Hello for Business** | Require Security Device | true | -To check the Windows Hello for Business policy applied at enrollment time: +[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Windows Enrollment** -1. Select **Windows Hello for Business** -1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured +Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1]. -:::image type="content" source="images/whfb-intune-disable.png" alt-text="Screenshot that shows disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png"::: +| Setting | +|--------| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
    - **Data type:** `bool`
    - **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCertificateForOnPremAuth`
    - **Data type:** `bool`
    - **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
    - **Data type:** `bool`
    - **Value:** `True`| -If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy. - -### Enable and configure Windows Hello for Business - -To configure Windows Hello for Business using an *account protection* policy: - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Endpoint security** > **Account protection** -1. Select **+ Create Policy** -1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection** -1. Select **Create** -1. Specify a **Name** and, optionally, a **Description** > **Next** -1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available - - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes** - - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) -1. Under *Enable to certificate for on-premises resources*, select **YES** -1. Select **Next** -1. Optionally, add *scope tags* > **Next** -1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** -1. Review the policy configuration and select **Create** - -:::image type="content" source="images/whfb-intune-account-protection-cert-enable.png" alt-text="Screenshot that shows enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-cert-enable.png"::: +For more information about the certificate trust policy, see [Windows Hello for Business policy settings](../policy-settings.md#use-certificate-for-on-premises-authentication). --- +If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources) + +More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md). + ## Enroll in Windows Hello for Business The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\ -This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. +This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4]. -### PIN Setup +### User experience -This is the process that occurs after a user signs in, to enroll in Windows Hello for Business: +[!INCLUDE [user-experience](includes/user-experience.md)] -1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK** -1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry -1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device -1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] -:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Screenshot that shows animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: - -> [!IMPORTANT] -> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). -> -> The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval. -> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. -> Read [Microsoft Entra Connect Sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. -> -> [!NOTE] -> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Microsoft Entra Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers. - -After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. +After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows sends the certificate request to the AD FS server for certificate enrollment. The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. > [!NOTE] -> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the ```https://enterpriseregistration.windows.net``` endpoint. +> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the `https://enterpriseregistration.windows.net` endpoint. -The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center. +The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center. + +> [!NOTE] +> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users don't need to wait for Microsoft Entra Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers. + +### Sequence diagrams + +To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type: + +- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication) +- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication) +- [Provisioning in a hybrid certificate trust deployment model with federated authentication](../how-it-works-provisioning.md#provisioning-in-a-hybrid-certificate-trust-deployment-model-with-federated-authentication) + +To better understand the authentication flows, review the following sequence diagram: + +- [Microsoft Entra join authentication to Active Directory using a certificate](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-a-certificate) +- [Microsoft Entra hybrid join authentication using a certificate](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-a-certificate) -[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd -[MEM-1]: /mem/intune/configuration/settings-catalog -[MEM-2]: /mem/intune/protect/security-baselines -[MEM-3]: /mem/intune/configuration/custom-settings-configure -[MEM-4]: /windows/client-management/mdm/passportforwork-csp -[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy -[MEM-6]: /mem/intune/protect/identity-protection-configure +[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd +[CSP-1]: /windows/client-management/mdm/passportforwork-csp +[MEM-1]: /mem/intune/configuration/custom-settings-configure diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md index 7ff5c70e48..85dd13860f 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md @@ -1,20 +1,15 @@ --- title: Configure and validate the PKI in an hybrid certificate trust model description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +ms.date: 01/03/2024 ms.topic: tutorial --- + # Configure and validate the PKI in a hybrid certificate trust model [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)] -Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *certificate trust* models. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. Hybrid certificate trust deployments issue users a sign-in certificate, enabling them to authenticate to Active Directory using Windows Hello for Business credentials. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. @@ -22,22 +17,15 @@ Hybrid certificate trust deployments issue users a sign-in certificate, enabling ## Configure the enterprise PKI -[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] +[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)] -> [!NOTE] -> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices. - -> [!IMPORTANT] -> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to: -> -> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune -> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL +[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)] [!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] -[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)] +[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)] -[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)] +[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)] [!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md index a9d49ebfec..3fcb86b928 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md @@ -1,74 +1,51 @@ --- -title: Windows Hello for Business hybrid certificate trust deployment +title: Windows Hello for Business hybrid certificate trust deployment guide description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +ms.date: 01/03/2024 ms.topic: tutorial --- -# Hybrid certificate trust deployment +# Hybrid certificate trust deployment guide [!INCLUDE [apply-to-hybrid-cert-trust](includes/apply-to-hybrid-cert-trust.md)] -Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources. - -This deployment guide describes how to deploy Windows Hello for Business in a hybrid certificate trust scenario. - > [!IMPORTANT] > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. It is also the recommended deployment model if you don't need to deploy certificates to the end users. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md). -It's recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. - -## Prerequisites +[!INCLUDE [requirements](includes/requirements.md)] > [!div class="checklist"] -> The following prerequisites must be met for a hybrid certificate trust deployment: > -> - Directories and directory synchronization -> - Federated authentication to Microsoft Entra ID -> - Device registration -> - Public Key Infrastructure -> - Multifactor authentication -> - Device management +> - [Public Key Infrastructure](index.md#pki-requirements) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements) +> - [Prepare users to use Windows Hello](prepare-users.md) -### Directories and directory synchronization +## Deployment steps -Hybrid Windows Hello for Business needs two directories: +> [!div class="checklist"] +> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure and validate the Public Key Infrastructure](hybrid-cert-trust-pki.md) +> - [Configure Active Directory Federation Services](hybrid-cert-trust-adfs.md) +> - [Configure and enroll in Windows Hello for Business](hybrid-cert-trust-enroll.md) +> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md) -- An on-premises Active Directory -- A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 subscription +## Federated authentication to Microsoft Entra ID -The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID. -The hybrid-certificate trust deployment needs a *Microsoft Entra ID P1 or P2* subscription because it uses the device write-back synchronization feature. - -> [!NOTE] -> Windows Hello for Business hybrid certificate trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID. - -> [!IMPORTANT] -> Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory. - -### Federated authentication to Microsoft Entra ID - -Windows Hello for Business hybrid certificate trust doesn't support Microsoft Entra ID *Pass-through Authentication* (PTA) or *password hash sync* (PHS).\ -Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. +Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Azure registered devices. If you're new to AD FS and federation services: - Review [key AD FS concepts][SER-3] prior to deploying the AD FS farm - Review the [AD FS design guide][SER-4] to design and plan your federation service -Once you have your AD FS design ready: - -- Review [deploying a federation server farm][SER-2] to configure AD FS in your environment +Once you have your AD FS design ready, review [deploying a federation server farm][SER-2] to configure AD FS in your environment The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). -### Device registration and device write-back +## Device registration and device write-back Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\ For Microsoft Entra hybrid joined devices, review the guidance on the [plan your Microsoft Entra hybrid join implementation][AZ-8] page. @@ -79,9 +56,9 @@ For a **manual configuration** of your AD FS farm to support device registration Hybrid certificate trust deployments require the *device write-back* feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back. > [!NOTE] -> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the *msDS-KeyCredentialLink* attribute on the computer object. +> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the `msDS-KeyCredentialLink` attribute on the computer object. -If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using *Custom Settings*, you must ensure that you have configured **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5]. +If you manually configured AD FS, or if you ran Microsoft Entra Connect Sync using *Custom Settings*, you must ensure to configure **device write-back** and **device authentication** in your AD FS farm. For more information, see [Configure Device Write Back and Device Authentication][SER-5]. ### Public Key Infrastructure @@ -90,21 +67,6 @@ The enterprise PKI and a certificate registration authority (CRA) are required t During Windows Hello for Business provisioning, users receive a sign-in certificate through the CRA. -### Multifactor authentication - -The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\ -Hybrid deployments can use: - -- [Microsoft Entra multifactor authentication][AZ-2] -- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS - -For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\ -For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1]. - -### Device management - -To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy. - ## Next steps > [!div class="checklist"] @@ -120,14 +82,10 @@ To configure Windows Hello for Business, devices can be configured through a mob > [Next: configure and validate the Public Key Infrastructure >](hybrid-cert-trust-pki.md) -[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis -[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication -[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next [AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan [AZ-10]: /azure/active-directory/devices/howto-hybrid-azure-ad-join#federated-domains [AZ-11]: /azure/active-directory/devices/hybrid-azuread-join-manual -[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa [SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm [SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts [SER-4]: /windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2 diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md deleted file mode 100644 index da843f036d..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust-enroll.md +++ /dev/null @@ -1,218 +0,0 @@ ---- -title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment -description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 02/24/2023 -appliesto: -- ✅ Windows 10, version 21H2 and later -ms.topic: tutorial ---- -# Configure and provision Windows Hello for Business - cloud Kerberos trust - -[!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)] - -## Deployment steps - -Deploying Windows Hello for Business cloud Kerberos trust consists of two steps: - -1. Set up Microsoft Entra Kerberos. -1. Configure a Windows Hello for Business policy and deploy it to the devices. - - - -### Deploy Microsoft Entra Kerberos - -If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Microsoft Entra Kerberos in your hybrid environment. You don't need to redeploy or change your existing Microsoft Entra Kerberos deployment to support Windows Hello for Business and you can skip this section. - -If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Microsoft Entra ID][AZ-2] documentation. This page includes information on how to install and use the Microsoft Entra Kerberos PowerShell module. Use the module to create a Microsoft Entra Kerberos server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust. - -### Configure Windows Hello for Business policy - -After setting up the Microsoft Entra Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). - -#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune) - -For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business. - -There are different ways to enable and configure Windows Hello for Business in Intune: - -- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group. -- After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from: - - [Settings catalog][MEM-7] - - [Security baselines][MEM-2] - - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4] - - [Account protection policy][MEM-5] - - [Identity protection policy template][MEM-6] - -### Verify the tenant-wide policy - -To check the Windows Hello for Business policy applied at enrollment time: - -1. Sign in to the Microsoft Intune admin center. -1. Select **Devices** > **Windows** > **Windows Enrollment**. -1. Select **Windows Hello for Business**. -1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured. - -:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png"::: - -If the tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to create a policy using an *account protection* policy. - -### Enable Windows Hello for Business - -To configure Windows Hello for Business using an account protection policy: - -1. Sign in to the Microsoft Intune admin center. -1. Select **Endpoint security** > **Account protection**. -1. Select **+ Create Policy**. -1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**. -1. Select **Create**. -1. Specify a **Name** and, optionally, a **Description** > **Next**. -1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available. - - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**. - - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). -1. Under **Enable to certificate for on-premises resources**, select **Not configured** -1. Select **Next**. -1. Optionally, add **scope tags** and select **Next**. -1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**. -1. Review the policy configuration and select **Create**. - -> [!TIP] -> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template. - -:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="This image shows the enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -### Configure the cloud Kerberos trust policy - -The cloud Kerberos trust policy can be configured using a custom template, and it's configured separately from enabling Windows Hello for Business. - -To configure the cloud Kerberos trust policy: - -1. Sign in to the Microsoft Intune admin center. -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. -1. For Profile Type, select **Templates** and select the **Custom** Template. -1. Name the profile with a familiar name, for example, "Windows Hello for Business cloud Kerberos trust". -1. In Configuration Settings, add a new configuration with the following settings: - - - Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name - - Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO* - - OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`** - - Data type: **Boolean** - - Value: **True** - - > [!IMPORTANT] - > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Microsoft Entra tenant. See [How to find your Microsoft Entra tenant ID][AZ-3] for instructions on looking up your tenant ID. - - :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="images/hello-cloud-trust-intune.png" lightbox="images/hello-cloud-trust-intune-large.png"::: - -1. Assign the policy to a security group that contains as members the devices or users that you want to configure. - -#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) - -Microsoft Entra hybrid joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. - -The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled. - -You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. - -Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. - -> [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources). - -#### Update administrative templates - -You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files. - -You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1]. - -#### Create the Windows Hello for Business group policy object - -You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO). - -1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory. -1. Edit the Group Policy object from Step 1. -1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. -1. Select **Use Windows Hello for Business** > **Enable** > **OK**. -1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**. -1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK**. - ---- - -> [!IMPORTANT] -> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured**. - -## Provision Windows Hello for Business - -The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Microsoft Entra hybrid joined devices when cloud Kerberos trust is enabled by policy. - -You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ -This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. - -:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="images/cloud-trust-prereq-check.png" lightbox="images/cloud-trust-prereq-check.png"::: - -The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Microsoft Entra Kerberos is set up for the user's domain and tenant. If Microsoft Entra Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Microsoft Entra joined. - -> [!NOTE] -> The cloud Kerberos trust prerequisite check isn't done on Microsoft Entra joined devices. If Microsoft Entra Kerberos isn't provisioned, a user on a Microsoft Entra joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory. - -### PIN Setup - -After a user signs in, this is the process that occurs to enroll in Windows Hello for Business: - -1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**. -1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. -1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device. - -:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: - -### Sign-in - -Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. - -## Migrate from key trust deployment model to cloud Kerberos trust - -If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: - -1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-azure-ad-kerberos). -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy). -1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business. - -> [!NOTE] -> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. - -## Migrate from certificate trust deployment model to cloud Kerberos trust - -> [!IMPORTANT] -> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. - -If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: - -1. Disable the certificate trust policy. -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy). -1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context. -1. Sign out and sign back in. -1. Provision Windows Hello for Business using a method of your choice. - -> [!NOTE] -> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC. - -## Frequently Asked Questions - -For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](../hello-faq.yml#cloud-kerberos-trust). - - - -[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module -[AZ-3]: /azure/active-directory/fundamentals/how-to-find-tenant -[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd - -[MEM-1]: /mem/intune/protect/identity-protection-windows-settings -[MEM-2]: /mem/intune/protect/security-baselines -[MEM-3]: /mem/intune/configuration/custom-settings-configure -[MEM-4]: /windows/client-management/mdm/passportforwork-csp -[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy -[MEM-6]: /mem/intune/protect/identity-protection-configure -[MEM-7]: /mem/intune/configuration/settings-catalog - -[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md index c53e872bb1..1c67b375b7 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md @@ -1,38 +1,43 @@ --- -title: Windows Hello for Business cloud Kerberos trust deployment +title: Windows Hello for Business cloud Kerberos trust deployment guide description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 02/24/2023 -appliesto: -- ✅ Windows 10, version 21H2 and later +ms.date: 01/03/2024 ms.topic: tutorial --- -# Cloud Kerberos trust deployment + +# Cloud Kerberos trust deployment guide [!INCLUDE [apply-to-hybrid-cloud-kerberos-trust](includes/apply-to-hybrid-cloud-kerberos-trust.md)] -Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario. +[!INCLUDE [requirements](includes/requirements.md)] -## Introduction to cloud Kerberos trust +> [!div class="checklist"] +> +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Windows requirements](index.md#windows-requirements) +> - [Windows Server requirements](index.md#windows-server-requirements) +> - [Prepare users to use Windows Hello](prepare-users.md) -The goal of Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [*passwordless security key sign-in*][AZ-1] to Windows Hello for Business, and it can be used for new or existing Windows Hello for Business deployments. +> [!IMPORTANT] +> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. -Windows Hello for Business cloud Kerberos trust uses *Microsoft Entra Kerberos*, which enables a simpler deployment when compared to the *key trust model*: +## Deployment steps -- No need to deploy a public key infrastructure (PKI) or to change an existing PKI -- No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory -- [Passwordless security key sign-in][AZ-1] can be deployed with minimal extra setup +> [!div class="checklist"] +> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: +> +> - [Deploy Microsoft Entra Kerberos](#deploy-microsoft-entra-kerberos) +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) -> [!NOTE] -> Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. +## Deploy Microsoft Entra Kerberos - +If you've already deployed on-premises SSO for passwordless security key sign-in, then Microsoft Entra Kerberos is already deployed in your organization. You don't need to redeploy or change your existing Microsoft Entra Kerberos deployment to support Windows Hello for Business, and you can skip to the [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) section. -## Microsoft Entra Kerberos and cloud Kerberos trust authentication +If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the [Enable passwordless security key sign-in][ENTRA-1] documentation. This page includes information on how to install and use the Microsoft Entra Kerberos PowerShell module. Use the module to create a Microsoft Entra Kerberos server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust. -*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. - -Cloud Kerberos trust uses Microsoft Entra Kerberos, which doesn't require a PKI to request TGTs.\ -With Microsoft Entra Kerberos, Microsoft Entra ID can issue TGTs for one or more AD domains. Windows can request a TGT from Microsoft Entra ID when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. +### Microsoft Entra Kerberos and cloud Kerberos trust authentication When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object: @@ -42,55 +47,164 @@ When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *Azur > [!NOTE] > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust. -:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server "::: +:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Screenshot of the Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server."::: -For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\ -For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](../hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-cloud-kerberos-trust). - -> [!IMPORTANT] -> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. - -## Prerequisites - -| Requirement | Notes | -| --- | --- | -| Multifactor authentication | This requirement can be met using [Microsoft Entra multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multifactor authentication provided through AD FS, or a comparable solution. | -| Windows 10, version 21H2 or Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Microsoft Entra joined and Microsoft Entra hybrid joined devices. | -| Windows Server 2016 or later Domain Controllers | If you're using Windows Server 2016, [KB3534307][SUP-1] must be installed. If you're using Server 2019, [KB4534321][SUP-2] must be installed. | -| Microsoft Entra Kerberos PowerShell module | This module is used for enabling and managing Microsoft Entra Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).| -| Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | - -### Unsupported scenarios - -The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust: - -- On-premises only deployments -- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container) -- Using cloud Kerberos trust for "Run as" -- Signing in with cloud Kerberos trust on a Microsoft Entra hybrid joined device without previously signing in with DC connectivity +For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-cloud-kerberos-trust). > [!NOTE] > The default *Password Replication Policy* configured on the AzureADKerberos computer object doesn't allow to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys. > -> Due to possible attack vectors from Microsoft Entra ID to Active Directory, it **isn't recommended** to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,`. +> Due to possible attack vectors from Microsoft Entra ID to Active Directory, it's not recommended to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,`. -## Next steps +## Configure Windows Hello for Business policy settings -Once the prerequisites are met, deploying Windows Hello for Business with a cloud Kerberos trust model consists of the following steps: +After setting up the Microsoft Entra Kerberos object, Windows Hello for business must be enabled and configured to use cloud Kerberos trust. There are two policy settings required to configure Windows Hello for Business in a cloud Kerberos trust model: -> [!div class="checklist"] -> * Deploy Microsoft Entra Kerberos -> * Configure Windows Hello for Business settings -> * Provision Windows Hello for Business on Windows clients +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) +- [Use cloud trust for on-premises authentication](../policy-settings.md#use-cloud-trust-for-on-premises-authentication) -> [!div class="nextstepaction"] -> [Next: configure and provision Windows Hello for Business >](hybrid-cloud-kerberos-trust-enroll.md) +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + +> [!IMPORTANT] +> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust takes precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured**. + +The following instructions explain how to configure your devices using either Microsoft Intune or group policy (GPO). + +# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune) + +> [!NOTE] +> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business. + +If the Intune tenant-wide policy is enabled and configured to your needs, you only need to enable the policy setting **Use Cloud Trust For On Prem Auth**. Otherwise, both settings must be configured. + +[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| **Windows Hello for Business** | Use Passport For Work | true | +| **Windows Hello for Business** | Use Cloud Trust For On Prem Auth | Enabled | +| **Windows Hello for Business** | Require Security Device | true | + +[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1]. + +| Setting | +|--------| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
    - **Data type:** `bool`
    - **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UseCloudTrustForOnPremAuth`
    - **Data type:** `bool`
    - **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
    - **Data type:** `bool`
    - **Value:** `True`| + +# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) + +[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)] + +> [!NOTE] +> Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy setting is only available as a computer configuration. +> +>You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files. +> +>You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1]. + +[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
    or
    **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**| +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use cloud Kerberos trust for on-premises authentication| **Enabled**| +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| + +[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)] + +> [!TIP] +> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business. + +--- + +If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources). + +More policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md). + +## Enroll in Windows Hello for Business + +The Windows Hello for Business provisioning process begins immediately after a user signs in, if the prerequisite checks pass. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Microsoft Entra hybrid joined devices when cloud Kerberos trust is enabled by policy. + +You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ +This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4]. + +The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Microsoft Entra Kerberos is set up for the user's domain and tenant. If Microsoft Entra Kerberos is set up, the user receives a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't enforced by policy or if the device is Microsoft Entra joined. + +> [!NOTE] +> The cloud Kerberos trust prerequisite check isn't done on Microsoft Entra joined devices. If Microsoft Entra Kerberos isn't provisioned, a user on a Microsoft Entra joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory. + +### User experience + +[!INCLUDE [user-experience](includes/user-experience.md)] + +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] + +Once a user completes enrollment with cloud Kerberos trust, the Windows Hello gesture can be used **immediately** for sign-in. On a Microsoft Entra hybrid joined device, the first use of the PIN requires line of sight to a DC. Once the user signs in or unlocks with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. + +After enrollment, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory. + +### Sequence diagrams + +To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type: + +- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication) +- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication) +- [Provisioning in a cloud Kerberos trust deployment model with managed authentication](../how-it-works-provisioning.md#provisioning-in-a-cloud-kerberos-trust-deployment-model-with-managed-authentication) + +To better understand the authentication flows, review the following sequence diagram: + +- [Microsoft Entra join authentication to Active Directory using cloud Kerberos trust](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-cloud-kerberos-trust) + +## Migrate from key trust deployment model to cloud Kerberos trust + +If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: + +1. [Set up Microsoft Entra Kerberos in your hybrid environment](#deploy-microsoft-entra-kerberos) +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings) +1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business + +> [!NOTE] +> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. + +## Migrate from certificate trust deployment model to cloud Kerberos trust + +> [!IMPORTANT] +> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. + +If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: + +1. Disable the certificate trust policy +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings) +1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context +1. Sign out and sign back in +1. Provision Windows Hello for Business using a method of your choice + +> [!NOTE] +> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC. + +## Frequently Asked Questions + +For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](../hello-faq.yml#cloud-kerberos-trust). + +## Unsupported scenarios + +The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust: + +- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container) +- Using cloud Kerberos trust for *Run as* +- Signing in with cloud Kerberos trust on a Microsoft Entra hybrid joined device without previously signing in with DC connectivity -[AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises - +[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd +[CSP-1]: /windows/client-management/mdm/passportforwork-csp +[ENTRA-1]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module +[MEM-1]: /mem/intune/configuration/custom-settings-configure [SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services - -[SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e -[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f +[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md index 10b8e56a94..a1686099b6 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md @@ -1,165 +1,114 @@ --- -title: Windows Hello for Business hybrid key trust clients configuration and enrollment +title: Configure and enroll in Windows Hello for Business in a hybrid key trust model description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario. -ms.date: 01/03/2023 +ms.date: 12/29/2023 ms.topic: tutorial --- -# Configure and enroll in Windows Hello for Business - hybrid key trust +# Configure and enroll in Windows Hello for Business in a hybrid key trust model [!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)] -After the prerequisites are met and the PKI configuration is validated, Windows Hello for business must be enabled on the Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). - -#### [:::image type="icon" source="images/intune.svg"::: **Intune**](#tab/intune) - -## Configure Windows Hello for Business using Microsoft Intune - -For Microsoft Entra joined devices and Microsoft Entra hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business. - -There are different ways to enable and configure Windows Hello for Business in Intune: - -- Using a policy applied at the tenant level. The tenant policy: - - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune - - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group -- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from: - - [Settings catalog][MEM-1] - - [Security baselines][MEM-2] - - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4] - - [Account protection policy][MEM-5] - - [Identity protection policy template][MEM-6] - -### Verify the tenant-wide policy - -To check the Windows Hello for Business policy applied at enrollment time: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Windows Enrollment** -1. Select **Windows Hello for Business** -1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured - -:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="images/whfb-intune-disable.png"::: - -If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy. - -### Enable and configure Windows Hello for Business - -To configure Windows Hello for Business using an *account protection* policy: - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Endpoint security** > **Account protection** -1. Select **+ Create Policy** -1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection** -1. Select **Create** -1. Specify a **Name** and, optionally, a **Description** > **Next** -1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available - - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes** - - For more information about these policies, see [MDM policy settings for Windows Hello for Business](../hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) -1. Select **Next** -1. Optionally, add *scope tags* > **Next** -1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** -1. Review the policy configuration and select **Create** - -:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: - -#### [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) - -## Configure Windows Hello for Business using group policies - -For Microsoft Entra hybrid joined devices, you can use group policies to configure Windows Hello for Business. -It's suggested to create a security group (for example, *Windows Hello for Business Users*) to make it easy to deploy Windows Hello for Business in phases. You assign **Group Policy permissions** to this group to simplify the deployment by adding the users to the group. - -The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory - -> [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) - -### Enable Windows Hello for Business group policy setting - -The *Enable Windows Hello for Business* group policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to **enabled**.\ -You can configure the *Enable Windows Hello for Business* setting for computer or users: - -- Deploying this policy setting to computers (or group of computers) results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment -- Deploying this policy setting to a user (or group of users), results in only that user attempting a Windows Hello for Business enrollment - -If both user and computer policy settings are deployed, the user policy setting has precedence. - -### Enable and configure Windows Hello for Business - -Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Right-click **Group Policy object** and select **New** -1. Type *Enable Windows Hello for Business* in the name box and select **OK** -1. In the content pane, right-click the **Enable Windows Hello for Business** group policy object and select **Edit** -1. In the navigation pane, expand **Policies** under **User Configuration** -1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business** -1. In the content pane, open **Use Windows Hello for Business**. Select **Enable > OK** -1. Close the **Group Policy Management Editor** - -> [!NOTE] -> Windows Hello for Business can be configured using different policies. These policies are optional to configure, but it's recommended to enable *Use a hardware security device*. +> [!div class="checklist"] +> Once the prerequisites are met and the PKI configuration is validated, deploying Windows Hello for Business consists of the following steps: > -> For more information about these policies, see [Group Policy settings for Windows Hello for Business](../hello-manage-in-organization.md#group-policy-settings-for-windows-hello-for-business). +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) -### Configure security for GPO +## Configure Windows Hello for Business policy settings -The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. +There's one policy setting required to enable Windows Hello for Business in a key trust model: -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Open the **Enable Windows Hello for Business** GPO -1. In the **Security Filtering** section of the content pane, select **Add**. Type the name of the security group you previously created (for example, *Windows Hello for Business Users*) and select **OK** -1. Select the **Delegation** tab. Select **Authenticated Users > Advanced** -1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK** +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) -### Deploy the Windows Hello for Business Group Policy object +Another optional, but recommended, policy setting is: -The application of Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the *Windows Hello for Business Users* global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business. +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) -1. Start the **Group Policy Management Console** (gpmc.msc) -1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO** -1. In the **Select GPO** dialog box, select *Enable Windows Hello for Business* or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** +The following instructions describe how to configure your devices using either Microsoft Intune or group policy (GPO). -### Add members to the targeted group +# [:::image type="icon" source="images/intune.svg"::: **Intune/CSP**](#tab/intune) -Users (or devices) must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the *Windows Hello for Business Users* group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business. +> [!NOTE] +> Review the article [Configure Windows Hello for Business using Microsoft Intune](../configure.md#configure-windows-hello-for-business-using-microsoft-intune) to learn about the different options offered by Microsoft Intune to configure Windows Hello for Business. + +If the Intune tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). + +[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| **Windows Hello for Business** | Use Passport For Work | true | +| **Windows Hello for Business** | Require Security Device | true | + +[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][MEM-1] with the [PassportForWork CSP][CSP-1]. + +| Setting | +|--------| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/UsePassportForWork`
    - **Data type:** `bool`
    - **Value:** `True`| +| - **OMA-URI:** `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice`
    - **Data type:** `bool`
    - **Value:** `True`| + +# [:::image type="icon" source="images/group-policy.svg"::: **GPO**](#tab/gpo) + +[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)] + +[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
    or
    **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**| +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| + +[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)] + +> [!TIP] +> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business. --- +If you deploy Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](../configure.md#policy-conflicts-from-multiple-policy-sources) + +Other policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md). + ## Enroll in Windows Hello for Business The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\ -This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. +This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4]. :::image type="content" source="images/Event358.png" alt-text="Details about event ID 358 showing that the device is ready to enroll in Windows Hello for Business." border="false" lightbox="images/Event358.png"::: -### PIN Setup +### User experience -The following process occurs after a user signs in, to enroll in Windows Hello for Business: +[!INCLUDE [user-experience](includes/user-experience.md)] -1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK** -1. The enrollment flow proceeds to the multi-factor authentication phase. The process informs the user that there's an MFA contact attempt, using the configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry -1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device -1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Microsoft Entra ID to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Microsoft Entra Connect synchronizes the user's key to Active Directory +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] -:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: +After enrollment, Microsoft Entra Connect synchronizes the user's key from Microsoft Entra ID to Active Directory. > [!IMPORTANT] > The minimum time needed to synchronize the user's public key from Microsoft Entra ID to the on-premises Active Directory is 30 minutes. The Microsoft Entra Connect scheduler controls the synchronization interval. -> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. +> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and access on-premises resources. > Read [Microsoft Entra Connect Sync: Scheduler][AZ-5] to view and adjust the **synchronization cycle** for your organization. +### Sequence diagrams + +To better understand the provisioning flows, review the following sequence diagrams based on the device join and authentication type: + +- [Provisioning for Microsoft Entra joined devices with managed authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-managed-authentication) +- [Provisioning for Microsoft Entra joined devices with federated authentication](../how-it-works-provisioning.md#provisioning-for-microsoft-entra-joined-devices-with-federated-authentication) +- [Provisioning in a hybrid key trust deployment model with managed authentication](../how-it-works-provisioning.md#provisioning-in-a-hybrid-key-trust-deployment-model-with-managed-authentication) + +To better understand the authentication flows, review the following sequence diagram: + +- [Microsoft Entra hybrid join authentication using a key](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-a-key) +- [Microsoft Entra join authentication to Active Directory using a key](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-a-key) + [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd [AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler - -[MEM-1]: /mem/intune/configuration/settings-catalog -[MEM-2]: /mem/intune/protect/security-baselines -[MEM-3]: /mem/intune/configuration/custom-settings-configure -[MEM-4]: /windows/client-management/mdm/passportforwork-csp -[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy -[MEM-6]: /mem/intune/protect/identity-protection-configure +[CSP-1]: /windows/client-management/mdm/passportforwork-csp +[MEM-1]: /mem/intune/configuration/custom-settings-configure diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md deleted file mode 100644 index 2fa08c15c9..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-pki.md +++ /dev/null @@ -1,107 +0,0 @@ ---- -title: Configure and validate the Public Key Infrastructure in a hybrid key trust model -description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid key trust model. -ms.date: 01/03/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: tutorial ---- -# Configure and validate the Public Key Infrastructure - hybrid key trust - -[!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)] - -Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. - -Key trust deployments do not need client-issued certificates for on-premises authentication. Active Directory user accounts are configured for public key mapping by *Microsoft Entra Connect Sync*, which synchronizes the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink`). - -A Windows Server-based PKI or a third-party Enterprise certification authority can be used. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA][SERV-1]. - -## Deploy an enterprise certification authority - -This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role.\ -If you don't have an existing PKI, review [Certification Authority Guidance][PREV-1] to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy][PREV-2] for instructions on how to configure your PKI using the information from your design session. - -### Lab-based PKI - -The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. - -Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. - ->[!NOTE] ->Never install a certification authority on a domain controller in a production environment. - -1. Open an elevated Windows PowerShell prompt -1. Use the following command to install the Active Directory Certificate Services role. - ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools - ``` -1. Use the following command to configure the CA using a basic certification authority configuration - ```PowerShell - Install-AdcsCertificationAuthority - ``` - -## Configure the enterprise PKI - -[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] - -> [!NOTE] -> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices. - -> [!IMPORTANT] -> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to: -> -> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune -> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL - -[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] - -[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] - -### Publish the certificate template to the CA - -A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. - -Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. - -1. Open the **Certification Authority** management console -1. Expand the parent node from the navigation pane -1. Select **Certificate Templates** in the navigation pane -1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue** -1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK** -1. Close the console - -> [!IMPORTANT] -> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md). - -## Configure and deploy certificates to domain controllers - -[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)] - -## Validate the configuration - -[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] - -## Section review and next steps - -Before moving to the next section, ensure the following steps are complete: - -> [!div class="checklist"] -> -> - Configure domain controller certificates -> - Supersede existing domain controller certificates -> - Unpublish superseded certificate templates -> - Publish the certificate template to the CA -> - Deploy certificates to the domain controllers -> - Validate the domain controllers configuration - -> [!div class="nextstepaction"] -> [Next: configure and provision Windows Hello for Business >](hybrid-key-trust-enroll.md) - - -[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller -[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11) -[PREV-2]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11) diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md index 2b0ec7021d..e5a08f2117 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md @@ -1,109 +1,93 @@ --- -title: Windows Hello for Business hybrid key trust deployment +title: Windows Hello for Business hybrid key trust deployment guide description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario. -ms.date: 12/28/2022 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: how-to +ms.date: 01/03/2024 +ms.topic: tutorial --- -# Hybrid key trust deployment + +# Hybrid key trust deployment guide [!INCLUDE [apply-to-hybrid-key-trust](includes/apply-to-hybrid-key-trust.md)] -Hybrid environments are distributed systems that enable organizations to use on-premises and Microsoft Entra protected resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication and single sign-on to modern resources. - -This deployment guide describes how to deploy Windows Hello for Business in a hybrid key trust scenario. - > [!IMPORTANT] > Windows Hello for Business *cloud Kerberos trust* is the recommended deployment model when compared to the *key trust model*. For more information, see [cloud Kerberos trust deployment](hybrid-cloud-kerberos-trust.md). -It is recommended that you review the [Windows Hello for Business planning guide](../hello-planning-guide.md) prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. - -## Prerequisites - -The following prerequisites must be met for a hybrid key trust deployment: +[!INCLUDE [requirements](includes/requirements.md)] > [!div class="checklist"] -> * Directories and directory synchronization -> * Authentication to Microsoft Entra ID -> * Device registration -> * Public Key Infrastructure -> * Multifactor authentication -> * Device management +> +> - [Public Key Infrastructure](index.md#pki-requirements) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Prepare users to use Windows Hello](prepare-users.md) -### Directories and directory synchronization - -Hybrid Windows Hello for Business needs two directories: - -- An on-premises Active Directory -- A Microsoft Entra tenant - -The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\ -During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory. - -> [!NOTE] -> Windows Hello for Business hybrid key trust is not supported if the users' on-premises UPN suffix cannot be added as a verified domain in Microsoft Entra ID. - - - -### Authentication to Microsoft Entra ID - -Authentication to Microsoft Entra ID can be configured with or without federation: - -- [Password hash synchronization][AZ-6] or [Microsoft Entra pass-through authentication][AZ-7] is required for non-federated environments -- Active Directory Federation Services (AD FS) or a third-party federation service is required for federated environments - -### Device registration - -The Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either *Microsoft Entra join* or *Microsoft Entra hybrid join*.\ -For *Microsoft Entra hybrid joined* devices, review the guidance on the [Plan your Microsoft Entra hybrid join implementation][AZ-8] page. - -### Public Key Infrastructure - -An enterprise PKI is required as *trust anchor* for authentication. Domain controllers require a certificate for Windows clients to trust them. - - - -### Multifactor authentication - -The Windows Hello for Business provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but requires a second factor of authentication.\ -Hybrid deployments can use: - -- [Microsoft Entra multifactor authentication][AZ-2] -- A multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS - -For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][AZ-3].\ -For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1]. - -### Device management - -To configure Windows Hello for Business, devices can be configured through a mobile device management (MDM) solution like Intune, or via group policy. - -## Next steps - -Once the prerequisites are met, deploying Windows Hello for Business with a hybrid key trust model consists of the following steps: +## Deployment steps > [!div class="checklist"] -> * Configure and validate the PKI -> * Configure Windows Hello for Business settings -> * Provision Windows Hello for Business on Windows clients -> * Configure single sign-on (SSO) for Microsoft Entra joined devices +> Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure) +> - [Configure and enroll in Windows Hello for Business](hybrid-key-trust-enroll.md) +> - (optional) [Configure single sign-on for Microsoft Entra joined devices](../hello-hybrid-aadj-sso.md) + +## Configure and validate the Public Key Infrastructure + +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* model. The domain controllers must have a certificate, which serves as a *root of trust* for clients. The certificate ensures that clients don't communicate with rogue domain controllers. + +Key trust deployments don't need client-issued certificates for on-premises authentication. *Microsoft Entra Connect Sync* configures Active Directory user accounts for public key mapping, by synchronizing the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (`msDS-KeyCredentialLink` attribute). + +A Windows Server-based PKI or a third-party Enterprise certification authority can be used. For more information, see [Requirements for domain controller certificates from a third-party CA][SERV-1]. + +[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] + +## Configure the enterprise PKI + +[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)] + +[!INCLUDE [dc-certificate-template-dc-hybrid-notes](includes/certificate-template-dc-hybrid-notes.md)] + +[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] + +[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] + +### Publish the certificate template to the CA + +A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. + +Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane +1. Select **Certificate Templates** in the navigation pane +1. Right-click the **Certificate Templates** node. Select **New > Certificate Template to issue** +1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* template you created in the previous steps > select **OK** +1. Close the console + +> [!IMPORTANT] +> If you plan to deploy **Microsoft Entra joined** devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to [update your CA to include an http-based CRL distribution point](../hello-hybrid-aadj-sso.md). + +## Configure and deploy certificates to domain controllers + +[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)] + +## Validate the configuration + +[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] + +## Section review and next steps + +> [!div class="checklist"] +> Before moving to the next section, ensure the following steps are complete: +> +> - Configure domain controller certificate template +> - Supersede existing domain controller certificates +> - Unpublish superseded certificate templates +> - Publish the certificate template to the CA +> - Deploy certificates to the domain controllers +> - Validate the domain controllers configuration > [!div class="nextstepaction"] -> [Next: configure and validate the Public Key Infrastructure >](hybrid-key-trust-pki.md) +> [Next: configure and enroll in Windows Hello for Business >](hybrid-key-trust-enroll.md) -[AZ-1]: /azure/active-directory/hybrid/how-to-connect-sync-whatis -[AZ-2]: /azure/multi-factor-authentication/multi-factor-authentication -[AZ-3]: /azure/multi-factor-authentication/multi-factor-authentication-whats-next -[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd -[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler -[AZ-6]: /azure/active-directory/hybrid/whatis-phs -[AZ-7]: /azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication -[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan - -[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa +[SERV-1]: /troubleshoot/windows-server/windows-security/requirements-domain-controller diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png b/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png deleted file mode 100644 index f327f79f32..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/cloud-trust-prereq-check.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg index ace95add6b..c9cb511415 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg +++ b/windows/security/identity-protection/hello-for-business/deploy/images/group-policy.svg @@ -1,3 +1,9 @@ - - - \ No newline at end of file + + + + + + + + + diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif b/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif deleted file mode 100644 index 7bff02eada..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/haadj-whfb-pin-provisioning.gif and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png deleted file mode 100644 index e9d0876738..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune-large.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png b/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png deleted file mode 100644 index fd6644b8b7..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/hello-cloud-trust-intune.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png deleted file mode 100644 index ec2ba07684..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-cert-enable.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png b/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png deleted file mode 100644 index b5ff9bbb58..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/deploy/images/whfb-intune-account-protection-enable.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md new file mode 100644 index 0000000000..04964c59b0 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-additional-servers.md @@ -0,0 +1,95 @@ +--- +ms.date: 01/03/2024 +ms.topic: include +--- + +## Additional federation servers + +Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. + +### Server authentication certificate + +Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. + +### Install additional servers + +Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. + +## Load balance AD FS + +Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. + +### Install Network Load Balancing Feature on AD FS Servers + +Sign-in the federation server with *Enterprise Administrator* equivalent credentials. + +1. Start **Server Manager**. Select **Local Server** in the navigation pane +1. Select **Manage** and then select **Add Roles and Features** +1. Select **Next** On the **Before you begin** page +1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next** +1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next** +1. On the **Select server roles** page, select **Next** +1. Select **Network Load Balancing** on the **Select features** page +1. Select **Install** to start the feature installation + +### Configure Network Load Balancing for AD FS + +Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. + +Sign-in a node of the federation farm with *Administrator* equivalent credentials. + +1. Open **Network Load Balancing Manager** from **Administrative Tools** +1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster** +1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect** +1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance) +1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next** +1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next** +1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster +1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next** +1. In Port Rules, select Edit to modify the default port rules to use port 443 + +### Additional AD FS Servers + +1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster** +1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same + +## Configure DNS for Device Registration + +Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\ +You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. + +1. Open the **DNS Management** console +1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones** +1. In the navigation pane, select the node that has the name of your internal Active Directory domain name +1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)** +1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host** +1. Right-click the `` node and select **New Alias (CNAME)** +1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box +1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE] +> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix. + +## Configure the Intranet Zone to include the federation service + +The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. + +### Create an Intranet Zone Group Policy + +Sign-in the domain controller or administrative workstation with *Domain Admin* equivalent credentials: + +1. Start the **Group Policy Management Console** (`gpmc.msc`) +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type **Intranet Zone Settings** in the name box and select **OK** +1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit** +1. In the navigation pane, expand **Policies** under **Computer Configuration** +1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List** +1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor + +### Deploy the Intranet Zone Group Policy object + +1. Start the **Group Policy Management Console** (gpmc.msc) +1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** +1. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-deploy.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-deploy.md new file mode 100644 index 0000000000..acbd3a6a42 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-deploy.md @@ -0,0 +1,95 @@ +--- +ms.date: 01/03/2024 +ms.topic: include +--- + +## Deploy the AD FS role + +>[!IMPORTANT] +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. + +Sign-in the federation server with *Enterprise Administrator* equivalent credentials. + +1. Start **Server Manager**. Select **Local Server** in the navigation pane +1. Select **Manage > Add Roles and Features** +1. Select **Next** on the **Before you begin** page +1. On the **Select installation type** page, select **Role-based or feature-based installation > Next** +1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next** +1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next** +1. Select **Next** on the **Select features** page +1. Select **Next** on the **Active Directory Federation Service** page +1. Select **Install** to start the role installation + +## Review to validate the AD FS deployment + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +> [!div class="checklist"] +> * Confirm the AD FS farm uses the correct database configuration +> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load +> * Confirm **all** AD FS servers in the farm have the latest updates installed +> * Confirm all AD FS servers have a valid server authentication certificate + +## Device registration service account prerequisites + +The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security. + +GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. + +### Create KDS Root Key + +Sign-in a domain controller with *Enterprise Administrator* equivalent credentials. + +Start an elevated PowerShell console and execute the following command: + +```PowerShell +Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) +``` + +## Configure the Active Directory Federation Service Role + +Use the following procedures to configure AD FS. + +Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. + +1. Start **Server Manager** +1. Select the notification flag in the upper right corner and select **Configure the federation services on this server** +1. On the **Welcome** page, select **Create the first federation server farm > Next** +1. On the **Connect to Active Directory Domain Services** page, select **Next** +1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com* +1. Select the federation service name from the **Federation Service Name** list +1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next** +1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc* +1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next** +1. On the **Review Options** page, select **Next** +1. On the **Pre-requisite Checks** page, select **Configure** +1. When the process completes, select **Close** + +### Add the AD FS service account to the *Key Admins* group + +During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group. + +Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials. + +1. Open **Active Directory Users and Computers** +1. Select the **Users** container in the navigation pane +1. Right-click **Key Admins** in the details pane and select **Properties** +1. Select the **Members > Add…** +1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK** +1. Select **OK** to return to **Active Directory Users and Computers** +1. Change to server hosting the AD FS role and restart it + +## Configure the device registration service + +Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. + +1. Open the **AD FS management** console +1. In the navigation pane, expand **Service**. Select **Device Registration** +1. In the details pane, select **Configure device registration** +1. In the **Configure Device Registration** dialog, Select **OK** + +:::image type="content" source="../images/adfs-device-registration.png" lightbox="../images/adfs-device-registration.png" alt-text="Screenshot that shows AD FS device registration: configuration of the service connection point."::: + +Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover. + +:::image type="content" source="../images/adfs-scp.png" lightbox="../images/adfs-scp.png" alt-text="Screenshot that shows AD FS device registration: service connection point object created by AD FS."::: \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md similarity index 56% rename from windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md rename to windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md index bcc3c3b497..e9f18f3925 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-mfa.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md @@ -1,19 +1,9 @@ --- -title: Validate and Deploy MFA for Windows Hello for Business with key trust -description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises key trust model. -ms.date: 09/07/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: tutorial +ms.date: 01/03/2024 +ms.topic: include --- -# Validate and deploy multifactor authentication - on-premises key trust - -[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)] +## Validate and deploy multifactor authentication (MFA) Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: @@ -27,6 +17,3 @@ Windows Hello for Business requires users perform multifactor authentication (MF For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). - -> [!div class="nextstepaction"] -> [Next: configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-validate.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-validate.md new file mode 100644 index 0000000000..2e56e0614a --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-validate.md @@ -0,0 +1,47 @@ +--- +ms.date: 01/03/2024 +ms.topic: include +--- + +The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\ +WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\ +To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. + +A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. + +Prepare the AD FS deployment by installing and **updating** two Windows Servers. + +## Enroll for a TLS server authentication certificate + +Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. + +The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm: + + - **Subject Name**: the internal FQDN of the federation server + - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*) + +The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*. + +You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. + +When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. + +### AD FS authentication certificate enrollment + +Sign-in the federation server with *domain administrator* equivalent credentials. + +1. Start the Local Computer **Certificate Manager** (certlm.msc) +1. Expand the **Personal** node in the navigation pane +1. Right-click **Personal**. Select **All Tasks > Request New Certificate** +1. Select **Next** on the **Before You Begin** page +1. Select **Next** on the **Select Certificate Enrollment Policy** page +1. On the **Request Certificates** page, select the **Internal Web Server** check box +1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link + :::image type="content" source="../images/hello-internal-web-server-cert.png" lightbox="../images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link."::: +1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add** +1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished +1. Select **Enroll** + +A server authentication certificate should appear in the computer's personal certificate store. diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md index 69c159b0a2..5e7aad158e 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-cloud.md @@ -1,9 +1,9 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- [!INCLUDE [intro](intro.md)] - **Deployment type:** [!INCLUDE [tooltip-deployment-cloud](tooltip-deployment-cloud.md)] - **Join type:** [!INCLUDE [tootip-join-entra](tooltip-join-entra.md)] ---- \ No newline at end of file +--- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md index 31073eae23..b36534846f 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust-entra.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md index 4f8eb7e613..9e61b4c795 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cert-trust.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md index 9fd4c16a63..0c93b4c352 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-cloud-kerberos-trust.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- @@ -7,4 +7,4 @@ ms.topic: include - **Deployment type:** [!INCLUDE [tooltip-deployment-hybrid](tooltip-deployment-hybrid.md)] - **Trust type:** [!INCLUDE [tooltip-trust-cloud-kerberos](tooltip-trust-cloud-kerberos.md)] - **Join type:** [!INCLUDE [tooltip-join-entra](tooltip-join-entra.md)], [!INCLUDE [tooltip-join-hybrid](tooltip-join-hybrid.md)] ---- \ No newline at end of file +--- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md index 1a17ea9d1f..427b68841d 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-and-cert-trust.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md index a74e9ead78..f3f5b968e1 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-hybrid-key-trust.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust.md similarity index 92% rename from windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md rename to windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust.md index e3c6bad7b3..ea1dc22c2d 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust-entra.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-cert-trust.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- @@ -7,4 +7,4 @@ ms.topic: include - **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](tooltip-deployment-onpremises.md)] - **Trust type:** [!INCLUDE [tooltip-cert-trust](tooltip-trust-cert.md)] - **Join type:** [!INCLUDE [tooltip-join-domain](tooltip-join-domain.md)] ---- \ No newline at end of file +--- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md index 1966807ca5..c7a85a3e1d 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/apply-to-on-premises-key-trust.md @@ -1,5 +1,5 @@ --- -ms.date: 12/08/2022 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md deleted file mode 100644 index c3f30f246e..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/auth-certificate-template.md +++ /dev/null @@ -1,83 +0,0 @@ ---- -ms.date: 12/28/2022 -ms.topic: include ---- - -### Configure a Windows Hello for Business authentication certificate template - -During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. Right-click the **Smartcard Logon** template and choose **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab: - - Type *WHFB Authentication* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs - > [!NOTE] - > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. -1. On the **Cryptography** tab - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** -1. On the **Issuance Requirements** tab, - - Select the **This number of authorized signatures** check box. Type *1* in the text box - - Select **Application policy** from the **Policy type required in signature** - - Select **Certificate Request Agent** from in the **Application policy** list - - Select the **Valid existing certificate** option -1. On the **Subject** tab, - - Select the **Build from this Active Directory information** button - - Select **Fully distinguished name** from the **Subject name format** list - - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** -1. On the **Request Handling** tab, select the **Renew with same key** check box -1. On the **Security** tab, select **Add**. Target an Active Directory security group that contains the users that you want to enroll in Windows Hello for Business. For example, if you have a group called *Window Hello for Business Users*, type it in the **Enter the object names to select** text box and select **OK** -1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section: - - Select the **Allow** check box for the **Enroll** permission - - Excluding the group above (for example, *Window Hello for Business Users*), clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared - - Select **OK** -1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they'll be superseded by this template for the users that have Enroll permission for this template -1. Select on the **Apply** to save changes and close the console - -#### Mark the template as the Windows Hello Sign-in template - -Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials - -Open an elevated command prompt end execute the following command - -```cmd -certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -``` - -If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` parameter. Example: - -```cmd -CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication - -Old Value: -msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) -CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) -CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 -TEMPLATE_SERVER_VER_WINBLUE<[!NOTE] ->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority. - - \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md new file mode 100644 index 0000000000..aab8d0e4c9 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md @@ -0,0 +1,64 @@ +--- +ms.date: 01/03/2024 +ms.topic: include +--- + +### Configure a Windows Hello for Business authentication certificate template + +During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click the **Smartcard Logon** template and select **Duplicate Template** +1. Use the following table to configure the template: + + | Tab Name | Configurations | + | --- | --- | + | *Compatibility* |
    • Clear the **Show resulting changes** check box
    • Select **Windows Server 2016** from the *Certification Authority list*
    • Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*
    | + | *General* |
    • Specify a **Template display name**, for example *WHFB Authentication*
    • Set the validity period to the desired value
    • Take note of the template name for later, which should be the same as the Template display name minus spaces
    | + | *Subject Name* |
    • Select **Build from this Active Directory information**
    • Select **Fully distinguished name** from the **Subject name format** list
    • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
    | + |*Cryptography*|
    • Set the *Provider Category* to **Key Storage Provider**
    • Set the *Algorithm name* to **RSA**
    • Set the *minimum key size* to **2048**
    • Set the *Request hash* to **SHA256**
      • | + |*Extensions*|Verify the **Application Policies** extension includes **Smart Card Logon**| + |*Issuance Requirements*|
      • Select the **This number of authorized signatures** check box. Type *1* in the text box
      • Select **Application policy** from the *Policy type required in signature*
      • Select **Certificate Request Agent** from in the *Application policy* list
      • Select the **Valid existing certificate** option
      | + |*Request Handling*|Select the **Renew with same key** check box| + |*Security*|
      • Select **Add**
      • Target an Active Directory security group that contains the users that you want to enroll in Windows Hello for Business. For example, if you have a group called *Window Hello for Business Users*, type it in the **Enter the object names to select** text box and select **OK**
      • Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section:
        • Select the **Allow** check box for the **Enroll** permission
        • Excluding the group above (for example, *Window Hello for Business Users*), clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared
      • Select **OK**
      | + +1. Select **OK** to finalize your changes and create the new template +1. Close the console + +#### Mark the template as the Windows Hello Sign-in template + +Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials + +Open an elevated command prompt end execute the following command + +```cmd +certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY +``` + +If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the `CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` parameter. Example: + +```cmd +CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication + +Old Value: +msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) +CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +TEMPLATE_SERVER_VER_WINBLUE<[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority. diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc-hybrid-notes.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc-hybrid-notes.md new file mode 100644 index 0000000000..7024a9071d --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc-hybrid-notes.md @@ -0,0 +1,13 @@ +--- +ms.date: 01/03/2024 +ms.topic: include +--- + +> [!NOTE] +> Inclusion of the *KDC Authentication* OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices. + +> [!IMPORTANT] +> For Microsoft Entra joined devices to authenticate to on-premises resources, ensure to: +> +> - Install the root CA certificate in the device's trusted root certificate store. See [how to deploy a trusted certificate profile](/mem/intune/protect/certificates-trusted-root#to-create-a-trusted-certificate-profile) via Intune +> - Publish your certificate revocation list to a location that is available to Microsoft Entra joined devices, such as a web-based URL diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc.md similarity index 99% rename from windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-template.md rename to windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc.md index 9c85020231..422ff72167 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-template.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-dc.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md new file mode 100644 index 0000000000..b43c9f754a --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md @@ -0,0 +1,53 @@ +--- +ms.date: 01/03/2024 +ms.topic: include +--- + +### Configure an enrollment agent certificate template + +A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA. + +The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request. + +> [!IMPORTANT] +> Follow the procedures below based on the AD FS service account used in your environment. + +#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA) + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** +1. Use the following table to configure the template: + + | Tab Name | Configurations | + | --- | --- | + | *Compatibility* |
      • Clear the **Show resulting changes** check box
      • Select **Windows Server 2016** from the *Certification Authority list*
      • Select **Windows 10 / Windows Server 2016** from the *Certification Recipient list*
      | + | *General* |
      • Specify a **Template display name**, for example *WHFB Enrollment Agent*
      • Set the validity period to the desired value
      | + | *Subject Name* | Select **Supply in the request**

      **Note:** Group Managed Service Accounts (GMSA) don't support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.| + | *Cryptography* |
      • Set the *Provider Category* to **Key Storage Provider**
      • Set the *Algorithm name* to **RSA**
      • Set the *minimum key size* to **2048**
      • Set the *Request hash* to **SHA256**
        • | + | *Security* |
        • Select **Add**
        • Select **Object Types** and select the **Service Accounts** check box
        • Select **OK**
        • Type `adfssvc` in the **Enter the object names to select** text box and select **OK**
        • Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
          • In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
          • Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
        • Select **OK**
        | + +1. Select **OK** to finalize your changes and create the new template +1. Close the console + +#### Create an enrollment agent certificate for a standard service account + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** +1. Use the following table to configure the template: + + | Tab Name | Configurations | + | --- | --- | + | *Compatibility* |
        • Clear the **Show resulting changes** check box
        • Select **Windows Server 2016** from the **Certification Authority** list
        • Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list
        | + | *General* |
        • Specify a **Template display name**, for example *WHFB Enrollment Agent*
        • Set the validity period to the desired value
        | + | *Subject Name* |
        • Select **Build from this Active Directory information**
        • Select **Fully distinguished name** from the **Subject name format** list
        • Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
        | + |*Cryptography*|
        • Set the *Provider Category* to **Key Storage Provider**
        • Set the *Algorithm name* to **RSA**
        • Set the *minimum key size* to **2048**
        • Set the *Request hash* to **SHA256**
        | + | *Security* |
        • Select **Add**
        • Select **Object Types** and select the **Service Accounts** check box
        • Select **OK**
        • Type `adfssvc` in the **Enter the object names to select** text box and select **OK**
        • Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section:
          • In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission
          • Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list
        • Select **OK**
        | + +1. Select **OK** to finalize your changes and create the new template +1. Close the console diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md similarity index 98% rename from windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md rename to windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md index 1bde4860fe..c75a03a96f 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/web-server-certificate-template.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-web-server.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md index 07d8c9cc38..77fad7cbbf 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-deployment.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- @@ -29,4 +29,3 @@ Sign in to domain controller or management workstations with *Domain Administrat 1. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…** 1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created 1. Select **OK** - diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md index 92853ac52e..e2d6f588de 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-supersede.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md index ec0faae68f..87e7467d71 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/dc-certificate-validate.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- @@ -11,14 +11,14 @@ Confirm your domain controllers enroll the correct certificates and not any supe Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. -1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log +1. Using the Event Viewer, navigate to the **Application and Services** > **Microsoft** > **Windows** > **CertificateServices-Lifecycles-System** event log 1. Look for an event indicating a new certificate enrollment (autoenrollment): - The details of the event include the certificate template on which the certificate was issued - The name of the certificate template used to issue the certificate should match the certificate template name included in the event - The certificate thumbprint and EKUs for the certificate are also included in the event - The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template -Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. +Certificates superseded by your new domain controller certificate generate an *archive event* in the Event Log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. ### Certificate Manager @@ -26,9 +26,17 @@ You can use the Certificate Manager console to validate the domain controller ha ### Certutil.exe -You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates. +You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run the following command: -To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. +```cmd +certutil.exe -q -store my +``` + +To view detailed information about each certificate in the store, and to validate automatic certificate enrollment enrolled the proper certificates, use the following command: + +```cmd +certutil.exe -q -v -store my +``` ### Troubleshooting @@ -36,4 +44,4 @@ Windows triggers automatic certificate enrollment for the computer during boot, Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt. -Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions. \ No newline at end of file +Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the *allow* auto enrollment permissions. \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md b/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md deleted file mode 100644 index 8e3cfc064b..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/enrollment-agent-certificate-template.md +++ /dev/null @@ -1,79 +0,0 @@ ---- -ms.date: 12/15/2023 -ms.topic: include ---- - -### Configure an enrollment agent certificate template - -A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA. - -The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request. - -> [!IMPORTANT] -> Follow the procedures below based on the AD FS service account used in your environment. - -#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA) - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list. - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab: - - Type *WHFB Enrollment Agent* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs -1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected - - > [!NOTE] - > Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. - -1. On the **Cryptography** tab: - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. On the **Security** tab, select **Add** -1. Select **Object Types** and select the **Service Accounts** check box. Select **OK** -1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK** -1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section: - - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission - - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list - - Select **OK** -1. Close the console - -#### Create an enrollment agent certificate for a standard service account - -Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. - -1. Open the **Certification Authority** management console -1. Right-click **Certificate Templates** and select **Manage** -1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** -1. On the **Compatibility** tab: - - Clear the **Show resulting changes** check box - - Select **Windows Server 2016** from the **Certification Authority** list. - - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list -1. On the **General** tab: - - Type *WHFB Enrollment Agent* in **Template display name** - - Adjust the validity and renewal period to meet your enterprise's needs -1. On the **Subject** tab: - - Select the **Build from this Active Directory information** button - - Select **Fully distinguished name** from the **Subject name format** - - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** -1. On the **Cryptography** tab: - - Select **Key Storage Provider** from the **Provider Category** list - - Select **RSA** from the **Algorithm name** list - - Type *2048* in the **Minimum key size** text box - - Select **SHA256** from the **Request hash** list -1. On the **Security** tab, select **Add** -1. Select **Object Types** and select the **Service Accounts** check box. Select **OK** -1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK** -1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section: - - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission - - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list - - Select **OK** -1. Close the console - diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md b/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md new file mode 100644 index 0000000000..4a2a01ac0b --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/gpo-enable-whfb.md @@ -0,0 +1,11 @@ +--- +ms.date: 01/03/2024 +ms.topic: include +--- + +You can configure the [Use Windows Hello for Business](../../policy-settings.md#use-windows-hello-for-business) policy setting in the computer or user node of a GPO: + +- Deploying the computer node policy setting, results in all users that sign-in to the targeted devices to attempt a Windows Hello for Business enrollment +- Deploying the user node policy setting, results in only the targeted users to attempt a Windows Hello for Business enrollment + +If both user and computer policy settings are deployed, the user policy setting has precedence. diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md index 89062e7d07..6f98abf51b 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/intro.md @@ -1,6 +1,6 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- -This document describes Windows Hello for Business functionalities or scenarios that apply to: \ No newline at end of file +**This article describes Windows Hello for Business functionalities or scenarios that apply to:** \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md b/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md index 2ccadb00cb..c0ad0664a4 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/lab-based-pki-deploy.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md b/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md new file mode 100644 index 0000000000..86a5353764 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/requirements.md @@ -0,0 +1,10 @@ +--- +ms.date: 01/03/2024 +ms.topic: include +--- + +## Requirements + +Before starting the deployment, review the requirements described in the [Plan a Windows Hello for Business Deployment](../index.md) article. + +Ensure that the following requirements are met before you begin: diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md index fa5e9a3489..128a9cd1a5 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-cloud.md @@ -1,6 +1,6 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- -[cloud :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-deployment "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM") +[cloud-only :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Microsoft Entra-only identities. Device management is usually done via Intune/MDM") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md index d273002ddd..7ebb44bfc0 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-hybrid.md @@ -1,6 +1,6 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- -[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM") +[hybrid :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Active Directory identities synchronized to Microsoft Entra ID. Device management is usually done via Group Policy or Intune/MDM") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md index 5594bf39dd..6406e82fc4 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-deployment-onpremises.md @@ -1,6 +1,6 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- -[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy") +[on-premises :::image type="icon" source="../images/information.svg" border="false":::](../index.md#deployment-models "For organizations using Active Directory identities, not synchronized to Microsoft Entra ID. Device management is usually done via Group Policy") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md index 5e4dd851b9..512be88987 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-domain.md @@ -1,6 +1,6 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- -[domain join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md) +[domain join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Active Directory joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md index dbddf38006..05bbdd63e1 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-entra.md @@ -1,6 +1,6 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- -[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Microsoft Entra joined do not have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices") +[Microsoft Entra join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Microsoft Entra joined don't have any dependencies on Active Directory. Only local users accounts and Microsoft Entra users can sign in to these devices") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md index 206857ace8..b878a41559 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-join-hybrid.md @@ -1,6 +1,6 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- -[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID will have single-sign on to both Active Directory and Microsoft Entra protected resources") +[Microsoft Entra hybrid join :::image type="icon" source="../images/information.svg" border="false":::](../index.md "Devices that are Microsoft Entra hybrid joined don't have any dependencies on Microsoft Entra ID. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Microsoft Entra ID have single-sign on to both Active Directory and Microsoft Entra protected resources") diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md index 8719e2a1cc..17ffcc98b4 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cert.md @@ -1,6 +1,6 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- -[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers") \ No newline at end of file +[certificate trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md index 57fd74f5c3..58bad86a1c 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md @@ -3,4 +3,4 @@ ms.date: 12/08/2022 ms.topic: include --- -[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication") \ No newline at end of file +[cloud Kerberos trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that don't need certificate authentication") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md index 3bbbe2214f..41d9b6cdf9 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md @@ -3,4 +3,4 @@ ms.date: 12/08/2022 ms.topic: include --- -[key trust :::image type="icon" source="../images/information.svg" border="false":::](../../hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers") \ No newline at end of file +[key trust :::image type="icon" source="../images/information.svg" border="false":::](../index.md#trust-types "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers") \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md b/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md index 22db188040..94d2e088de 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/unpublish-superseded-templates.md @@ -1,5 +1,5 @@ --- -ms.date: 12/15/2023 +ms.date: 01/03/2024 ms.topic: include --- diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md new file mode 100644 index 0000000000..e8185673e6 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/includes/user-experience.md @@ -0,0 +1,12 @@ +--- +ms.date: 01/03/2024 +ms.topic: include +--- + +After a user signs in, the Windows Hello for Business enrollment process begins: + +1. If the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture +1. The user is prompted to use Windows Hello with the organization account. The user selects **OK** +1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry +1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device +1. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with the IdP to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and access their desktop diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md index 46c44a5c62..061c4a62e1 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/index.md +++ b/windows/security/identity-protection/hello-for-business/deploy/index.md @@ -1,65 +1,310 @@ --- -title: Windows Hello for Business Deployment Overview -description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. -ms.date: 02/15/2022 +title: Plan a Windows Hello for Business Deployment +description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. +ms.date: 01/02/2024 ms.topic: overview -appliesto: --- -# Windows Hello for Business Deployment Overview +# Plan a Windows Hello for Business deployment -Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. +This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. -This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](../hello-planning-guide.md) guide to determine the right deployment model for your organization. +This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. -Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](requirements.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model. +> [!TIP] +> If you have a Microsoft Entra ID tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). -## Requirements +## Using this guide -This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: +There are many options available for deploying Windows Hello for Business, ensuring compatibility with various organizational infrastructures. While the deployment process may appear complex, most organizations will find that they have already implemented the necessary infrastructure. It is important to note that Windows Hello for Business is a distributed system and requires proper planning across multiple teams within an organization. -- A well-connected, working network -- Internet access -- Multi-factor Authentication is required during Windows Hello for Business provisioning -- Proper name resolution, both internal and external names -- Active Directory and an adequate number of domain controllers per site to support authentication -- Active Directory Certificate Services 2012 or later (Note: certificate services aren't needed for cloud Kerberos trust deployments) -- One or more workstation computers running Windows 10, version 1703 or later +This guide aims to simplify the deployment process by helping you make informed decisions about each aspect of your Windows Hello for Business deployment. It provides information on the options available and assists in selecting the deployment approach that best suits your environment. -If you're installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. +### How to proceed -Don't begin your deployment until the hosting servers and infrastructure (not roles) identified in your prerequisite worksheet are configured and properly working. +Read this document and record your decisions. When finished, you should have all the necessary information to evaluate the available options and to determine requirements for your Windows Hello for Business deployment. -## Deployment and trust models +There are seven main areas to consider when planning a Windows Hello for Business deployment: -Windows Hello for Business has three deployment models: Microsoft Entra cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*. +> [!div class="checklist"] +> +> - [Deployment options](#deployment-options) +> - [Public Key Infrastructure (PKI) requirements](#pki-requirements) +> - [Authentication to Microsoft Entra ID requirements](#authentication-to-microsoft-entra-id) +> - [Device configuration options](#device-configuration-options) +> - [Licensing for cloud services requirements](#licensing-for-cloud-services-requirements) +> - [Operating System requirements](#operating-system-requirements) +> - [Prepare users](#prepare-users) -Hybrid deployments are for enterprises that use Microsoft Entra ID. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Microsoft Entra ID must use the hybrid deployment model for all domains in that forest. +## Deployment options -The trust model determines how you want users to authenticate to the on-premises Active Directory: +The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options. -- The key-trust model is for enterprises who don't want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates. -- The cloud-trust model is also for hybrid enterprises who don't want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and doesn't require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it. -- The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. -- The certificate trust model also supports enterprises, which aren't ready to deploy Windows Server 2016 Domain Controllers. +### Deployment models -> [!NOTE] -> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../../remote-credential-guard.md). +It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment might have already been decided for you based on your current infrastructure. -Following are the various deployment guides and models included in this topic: +There are three deployment models from which you can choose: -- [Microsoft Entra hybrid joined cloud Kerberos trust Deployment](hybrid-cloud-kerberos-trust.md) -- [Microsoft Entra hybrid joined Key Trust Deployment](hybrid-key-trust.md) -- [Microsoft Entra hybrid joined Certificate Trust Deployment](hybrid-cert-trust.md) -- [Microsoft Entra join Single Sign-on Deployment Guides](../hello-hybrid-aadj-sso.md) -- [On Premises Key Trust Deployment](hybrid-cloud-kerberos-trust.md) -- [On Premises Certificate Trust Deployment](on-premises-cert-trust.md) +| | Deployment model | Description | +|--|--|--| +| **🔲** | **Cloud-only** | For organizations that only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint Online, OneDrive, and others. Also, since the users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in cloud services. | +| **🔲** | **Hybrid** | For organizations that have identities synchronized from Active Directory to Microsoft Entra ID. These organizations use applications registered in Microsoft Entra ID, and want a single sign-on (SSO) experience for both on-premises and Microsoft Entra resources. | +| **🔲** | **On-premises** | For organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID. These organizations use on-premises applications, integrated in Active Directory, and want an SSO user experiences when accessing them. | -For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you'll need Microsoft Entra Connect to synchronize user accounts in the on-premises Active Directory with Microsoft Entra ID. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials aren't synchronized to Microsoft Entra ID. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](on-premises-key-trust-mfa.md) and [for certificate trust](on-premises-cert-trust-mfa.md) deployments. +>[!NOTE] +> +>- Main use case of On-Premises deployment is for "Enhanced Security Administrative Environments" also known as "Red Forests" +>- Migration from on-premise to hybrid deployment requires redeployment -## Provisioning +### Trust types -Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. +A deployment's trust type defines how Windows Hello for Business clients **authenticate to Active Directory**. The trust type doesn't affect authentication to Microsoft Entra ID. For this reason, the trust type isn't applicable to a cloud-only deployment model. -> [!NOTE] -> You must allow access to the URL `account.microsoft.com` to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL doesn't require any authentication and as such, doesn't collect any user data. +Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment). + +The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other. + +The deployment of certificates to users and Domain Controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect. + +There are three trust types from which you can choose: + +|| Trust type | Description | +|--|--|--| +| **🔲**| **Cloud Kerberos**| Users authenticate to Active Directory by requesting a TGT from Microsoft Entra ID, using Microsoft Entra Kerberos. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. Cloud Kerberos trust uses the same infrastructure required for FIDO2 security key sign-in, and it can be used for new or existing Windows Hello for Business deployments. | +| **🔲**| **Key**| Users authenticate to the on-premises Active Directory using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. It requires to distribute certificates to domain controllers. | +| **🔲**| **Certificate**| The certificate trust type issues authentication certificates to users. Users authenticate using a certificate requested using a device-bound key (hardware or software) created during the Windows Hello provisioning experience. | + +*Key trust* and *certificate trust* use certificate authentication-based Kerberos when requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. + +The goal of Windows Hello for Business cloud Kerberos trust is to provide a simpler deployment experience, when compared to the other trust types: + +- No need to deploy a public key infrastructure (PKI) or to change an existing PKI +- No need to synchronize public keys between Microsoft Entra ID and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory +- [FIDO2 security key sign-in][ENTRA-1] can be deployed with minimal extra setup + +> [!TIP] +> Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. + +Cloud Kerberos trust requires the deployment of Microsoft Entra Kerberos. For more information about how Microsoft Entra Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][ENTRA-1]. + +## PKI requirements + +Cloud Kerberos trust is the only hybrid deployment option that doesn't require the deployment of any certificates. The other hybrid and on-premises models depend on an enterprise PKI as a trust anchor for authentication: + +- Domain controllers for hybrid and on-premises deployments need a certificate for Windows devices to trust the domain controller as legitimate +- Deployments using the certificate trust type require an enterprise PKI and a certificate registration authority (CRA) to issue authentication certificates to users. AD FS is used as a CRA +- Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources + +| | Deployment model | Trust type | PKI required? | +|--|--|--|--| +| **🔲** | **Cloud-only** | n/a | no | +| **🔲** | **Hybrid** | Cloud Kerberos | no | +| **🔲** | **Hybrid** | Key | yes | +| **🔲** | **Hybrid** | Certificate | yes | +| **🔲** | **On-premises** | Key | yes | +| **🔲** | **On-premises** | Certificate | yes | + +## Authentication to Microsoft Entra ID + +Users can authenticate to Microsoft Entra ID using federated authentication or cloud (nonfederated) authentication. Requirements vary based on trust type: + +| | Deployment model | Trust type | Authentication to Microsoft Entra ID | Requirements | +|--|--|--|--|--| +| **🔲** | **Cloud-only** | n/a | Cloud authentication | n/a | +| **🔲** | **Cloud-only** | n/a | Federated authentication | Third-party federation service | +| **🔲** | **Hybrid** | Cloud Kerberos trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) | +| **🔲** | **Hybrid** | Cloud Kerberos trust | Federated authentication | AD FS or third-party federation service | +| **🔲** | **Hybrid** | Key trust | Cloud authentication | Password hash sync (PHS) or Pass-through authentication (PTA) | +| **🔲** | **Hybrid** | Key trust | Federated authentication | AD FS or third-party federation service | +| **🔲** | **Hybrid** | Certificate trust | Federated authentication | This deployment model doesn't support PTA or PHS. Active Directory must be federated with Microsoft Entra ID using AD FS| + +To learn more: + +- [Federation with Microsoft Entra ID][ENTRA-10] +- [Password hash synchronization (PHS)][ENTRA-6] +- [Pass-through authentication (PTA)][ENTRA-7] + +### Device registration + +For on-premises deployments, the server running the Active Directory Federation Services (AD FS) role is responsible for device registration. For cloud-only and hybrid deployments, devices must register in Microsoft Entra ID. + +| Deployment model | Supported join type | Device registration service provider | +|-|-|-| +| **Cloud-only** |Microsoft Entra joined
        Microsoft Entra registered|Microsoft Entra ID | +| **Hybrid** |Microsoft Entra joined
        Microsoft Entra hybrid joined
        Microsoft Entra registered|Microsoft Entra ID| +| **On-premises** | Active Directory domain joined | AD FS | + +> [!IMPORTANT] +> For *Microsoft Entra hybrid joined* guidance, review [Plan your Microsoft Entra hybrid join implementation][ENTRA-5]. + +### Multifactor authentication + +The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a *strong credential* that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication. However, the user must provide a second factor of authentication before Windows provisions a strong credential: + +- For cloud-only and hybrid deployments, there are different choices for multifactor authentication, including [Microsoft Entra MFA][ENTRA-1] +- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from third-party options that offer an AD FS MFA adapter. For more information, see [Microsoft and third-party additional authentication methods][SER-2] + +> [!IMPORTANT] +> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2]. + +|| Deployment model | MFA options | +|--|--|--| +| **🔲** | **Cloud-only** | Microsoft Entra MFA | +| **🔲** | **Cloud-only** | Third-party MFA via Microsoft Entra ID custom controls or federation | +| **🔲** | **Hybrid** | Microsoft Entra MFA | +| **🔲** | **Hybrid** | Third-party MFA via Microsoft Entra ID custom controls or federation| +| **🔲** | **On-premises** | AD FS MFA adapter | + +For more information how to configure Microsoft Entra multifactor authentication, see [Configure Microsoft Entra multifactor authentication settings][ENTRA-4]. + +For more information how to configure AD FS to provide multifactor authentication, see [Configure Azure MFA as authentication provider with AD FS][SER-1]. + +#### MFA and federated authentication + +It's possible for federated domains to configure the *FederatedIdpMfaBehavior* flag. The flag instructs Microsoft Entra ID to accept, enforce, or reject the MFA challenge from the federated IdP. For more information, see [federatedIdpMfaBehavior values](/graph/api/resources/internaldomainfederation#federatedidpmfabehavior-values). To check this setting, use the following PowerShell command: + +```powershell +Connect-MgGraph +$DomainId = "" +Get-MgDomainFederationConfiguration -DomainId $DomainId |fl +``` + +To reject the MFA claim from the federated IdP, use the following command. This change impacts all MFA scenarios for the federated domain: + +```powershell +Update-MgDomainFederationConfiguration -DomainId $DomainId -FederatedIdpMfaBehavior rejectMfaByFederatedIdp +``` + +If you configure the flag with a value of either `acceptIfMfaDoneByFederatedIdp` (default) or `enforceMfaByFederatedIdp`, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IdP. + +### Key registration + +The built-in Windows Hello for Business provisioning experience creates a device-bound asymmetric key pair as the user's credentials. The private key is protected by the device's security modules. The credential is a *user key*, not a *device key*. The provisioning experience registers the user's public key with the identity provider: + +| Deployment model | Key registration service provider | +|-|-| +| **Cloud-only** | Microsoft Entra ID | +| **Hybrid** | Microsoft Entra ID | +| **On-premises** | AD FS | + +### Directory synchronization + +Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose: + +- Hybrid deployments use [Microsoft Entra Connect Sync][ENTRA-3] to synchronize Active Directory identities (users and devices) or credentials between itself and Microsoft Entra ID. During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. Microsoft Entra Connect Sync synchronizes the Windows Hello for Business public key to Active Directory. This synchronization enables SSO to Microsoft Entra ID and its federated components. + > [!IMPORTANT] + > Windows Hello for Business is tied between a user and a device. Both the user and device object must be synchronized between Microsoft Entra ID and Active Directory. +- On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA server, which sends data to the MFA cloud service to perform the verification + +| Deployment model | Directory sync options | +|-|-| +| **Cloud-only** | n/a | +| **Hybrid** | Microsoft Entra Connect Sync| +| **On-premises** | Azure MFA server | + +## Device configuration options + +Windows Hello for Business provides a rich set of granular policy settings. There are two main options to configure Windows Hello for Business: configuration service provider (CSP) and group policy (GPO). + +- The CSP option is ideal for devices that are managed through a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages][WIN-1] +- GPO can be used to configure domain joined devices and where devices aren't managed via MDM + +|| Deployment model | Device configuration options| +|--|--|--| +| **🔲** | **Cloud-only** | CSP | +| **🔲** | **Cloud-only** | GPO (local) | +| **🔲** | **Hybrid** | CSP | +| **🔲** | **Hybrid** | GPO (Active Directory or local) | +| **🔲** | **On-premises** | CSP | +| **🔲** | **On-premises** | GPO (Active Directory or local) | + +## Licensing for cloud services requirements + +Here are some considerations regarding licensing requirements for cloud services: + +- Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment][MEM-1] and [Conditional Access][ENTRA-8] do + - Devices managed via MDM don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, users must manually enroll devices in the MDM solution, such as Microsoft Intune or a supported third-party MDM +- You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication for the Windows passwordless features + - Some Microsoft Entra multifactor authentication features require a license. For more information, see [Features and licenses for Microsoft Entra multifactor authentication][ENTRA-9]. +- Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature + +|| Deployment model | Trust type | Cloud services licenses (minimum)| +|--|--|--|--| +| **🔲** | **Cloud-only** | n/a | not required | +| **🔲** | **Hybrid** | Cloud Kerberos | not required | +| **🔲** | **Hybrid** | Key| not required | +| **🔲** | **Hybrid** | Certificate | Microsoft Entra ID P1 | +| **🔲** | **On-premises** | Key | Azure MFA, if used as MFA solution | +| **🔲** | **On-premises** | Certificate | Azure MFA, if used as MFA solution | + +## Operating System requirements + +### Windows requirements + +All supported Windows versions can be used with Windows Hello for Business. However, cloud Kerberos trust requires minimum versions: + +|| Deployment model | Trust type | Windows version| +|--|--|--|--| +| **🔲** | **Cloud-only** | n/a | All supported versions | +| **🔲** | **Hybrid** | Cloud Kerberos | - Windows 10 21H2, with [KB5010415][KB-1] and later
        - Windows 11 21H2, with [KB5010414][KB-2] and later | +| **🔲** | **Hybrid** | Key | All supported versions | +| **🔲** | **Hybrid** | Certificate | All supported versions | +| **🔲** | **On-premises** | Key| All supported versions | +| **🔲** | **On-premises** | Certificate | All supported versions | + +### Windows Server requirements + +All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller. However, cloud Kerberos trust requires minimum versions: + +| | Deployment model | Trust type | Domain Controller OS version | +|--|--|--|--| +| **🔲** | **Cloud-only** | n/a | All supported versions | +| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, with [KB3534307][KB-3] and later
        - Windows Server 2019, with [KB4534321][KB-4] and later
        - Windows Server 2022 | +| **🔲** | **Hybrid** | Key | All supported versions | +| **🔲** | **Hybrid** | Certificate | All supported versions | +| **🔲** | **On-premises** | Key | All supported versions | +| **🔲** | **On-premises** | Certificate | All supported versions | + +## Prepare users + +When you are ready to enable Windows Hello for Business in your organization, make sure to prepare the users by explaining how to provision and use Windows Hello. + +To learn more, see [Prepare users](prepare-users.md). + +## Next steps + +Now that you've read about the different deployment options and requirements, you can choose the implementation that best suits your organization. + +> [!div class="op_multi_selector" title1="Deployment model:" title2="Trust type:"] +> To learn more about the deployment process, chose a deployment model and trust type from the following drop-down lists: +> +> - [(cloud-only|n/a)](cloud-only.md) +> - [(hybrid | cloud Kerberos trust)](hybrid-cloud-kerberos-trust.md) +> - [(hybrid | key trust)](hybrid-key-trust.md) +> - [(hybrid | certificate trust)](hybrid-cert-trust.md) +> - [(on-premises | key trust)](on-premises-key-trust.md) +> - [(on-premises | certificate trust)](on-premises-cert-trust.md) + + + +[ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks +[ENTRA-2]: /entra/identity/authentication/howto-mfaserver-deploy +[ENTRA-3]: /entra/identity/hybrid/connect/how-to-connect-sync-whatis +[ENTRA-4]: /entra/identity/authentication/howto-mfa-mfasettings +[ENTRA-5]: /entra/identity/devices/hybrid-join-plan +[ENTRA-6]: /entra/identity/hybrid/connect/whatis-phs +[ENTRA-7]: /entra/identity/hybrid/connect/how-to-connect-pta +[ENTRA-8]: /entra/identity/conditional-access/overview +[ENTRA-9]: /entra/identity/authentication/concept-mfa-licensing +[ENTRA-10]: /entra/identity/hybrid/connect/whatis-fed + +[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa +[SER-2]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods + +[KB-1]: https://support.microsoft.com/topic/5010415 +[KB-2]: https://support.microsoft.com/topic/5010414 +[KB-3]: https://support.microsoft.com/topic/4534307 +[KB-4]: https://support.microsoft.com/topic/4534321 +[MEM-1]: /mem/intune/enrollment/quickstart-setup-auto-enrollment +[WIN-1]: /windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers#csps-in-windows-configuration-designer diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md index 1757f9c6b1..335e4d5cb6 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md @@ -1,180 +1,44 @@ --- -title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model -description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +title: Configure Active Directory Federation Services in an on-premises certificate trust model +description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model. +ms.date: 01/03/2024 ms.topic: tutorial --- # Prepare and deploy Active Directory Federation Services - on-premises certificate trust -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)] +[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust.md)] -Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* and *device registration*. +Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* (CRA) and *device registration*. -The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\ -WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\ -To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. +[!INCLUDE [adfs-validate](includes/adfs-validate.md)] -A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. - -Prepare the AD FS deployment by installing and **updating** two Windows Servers. - -## Enroll for a TLS server authentication certificate - -Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. - -The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm: - - - **Subject Name**: the internal FQDN of the federation server - - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*) - -The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*. - -You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. - -When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. - -Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. -### AD FS authentication certificate enrollment - -Sign-in the federation server with *domain administrator* equivalent credentials. - -1. Start the Local Computer **Certificate Manager** (certlm.msc) -1. Expand the **Personal** node in the navigation pane -1. Right-click **Personal**. Select **All Tasks > Request New Certificate** -1. Select **Next** on the **Before You Begin** page -1. Select **Next** on the **Select Certificate Enrollment Policy** page -1. On the **Request Certificates** page, select the **Internal Web Server** check box -1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link - :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Screenshot that shows example of Certificate Properties Subject Tab - This is what shows when you select the above link."::: -1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add** -1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished -1. Select **Enroll** - -A server authentication certificate should appear in the computer's personal certificate store. - -## Deploy the AD FS role - -AD FS provides the following services to support Windows Hello for Business on-premises deployments in a certificate trust model: - -- Device registration -- Key registration -- Certificate registration authority (CRA) - ->[!IMPORTANT] -> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. - -Sign-in the federation server with *Enterprise Administrator* equivalent credentials. - -1. Start **Server Manager**. Select **Local Server** in the navigation pane -1. Select **Manage > Add Roles and Features** -1. Select **Next** on the **Before you begin** page -1. On the **Select installation type** page, select **Role-based or feature-based installation > Next** -1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next** -1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next** -1. Select **Next** on the **Select features** page -1. Select **Next** on the **Active Directory Federation Service** page -1. Select **Install** to start the role installation - -## Review to validate the AD FS deployment - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -> [!div class="checklist"] -> * Confirm the AD FS farm uses the correct database configuration -> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load -> * Confirm **all** AD FS servers in the farm have the latest updates installed -> * Confirm all AD FS servers have a valid server authentication certificate - -## Device registration service account prerequisites - -The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security. - -GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. - -### Create KDS Root Key - -Sign-in a domain controller with *Enterprise Administrator* equivalent credentials. - -Start an elevated PowerShell console and execute the following command: -```PowerShell -Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) -``` - -## Configure the Active Directory Federation Service Role - -Use the following procedures to configure AD FS. - -Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. - -1. Start **Server Manager** -1. Select the notification flag in the upper right corner and select **Configure the federation services on this server** -1. On the **Welcome** page, select **Create the first federation server farm > Next** -1. On the **Connect to Active Directory Domain Services** page, select **Next** -1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com* -1. Select the federation service name from the **Federation Service Name** list -1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next** -1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc* -1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next** -1. On the **Review Options** page, select **Next** -1. On the **Pre-requisite Checks** page, select **Configure** -1. When the process completes, select **Close** +[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)] > [!NOTE] > For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: > > 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions** -> 2. Right-click **Scope Descriptions** and select **Add Scope Description** -> 3. Under name type *ugs* and select **Apply > OK** -> 4. Launch PowerShell as an administrator and execute the following commands: -> ```PowerShell -> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier -> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs' -> ``` -> 7. Restart the AD FS service -> 8. Restart the client. User should be prompted to provision Windows Hello for Business - -### Add the AD FS service account to the *Key Admins* group - -During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group. - -Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials. - -1. Open **Active Directory Users and Computers** -1. Select the **Users** container in the navigation pane -1. Right-click **Key Admins** in the details pane and select **Properties** -1. Select the **Members > Add…** -1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK** -1. Select **OK** to return to **Active Directory Users and Computers** -1. Change to server hosting the AD FS role and restart it - -Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. - -1. Open the **AD FS management** console -1. In the navigation pane, expand **Service**. Select **Device Registration** -1. In the details pane, select **Configure device registration** -1. In the **Configure Device Registration** dialog, Select **OK** - -:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="Screenshot that shows AD FS device registration: configuration of the service connection point."::: - -Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover. - -:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="Screenshot that shows AD FS device registration: service connection point object created by AD FS."::: +> 1. Right-click **Scope Descriptions** and select **Add Scope Description** +> 1. Under name type *ugs* and select **Apply > OK** +> 1. Launch PowerShell as an administrator and execute the following commands: +> +> ```PowerShell +> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier +> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs' +> ``` +> +> 1. Restart the AD FS service +> 1. Restart the client. User should be prompted to provision Windows Hello for Business ## Review to validate the AD FS and Active Directory configuration -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - > [!div class="checklist"] -> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) -> * Confirm you added the AD FS service account to the KeyAdmins group -> * Confirm you enabled the Device Registration service +> Before you continue with the deployment, validate your deployment progress by reviewing the following items: +> +> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) +> - Confirm you added the AD FS service account to the KeyAdmins group +> - Confirm you enabled the Device Registration service ## Configure the certificate registration authority @@ -187,6 +51,7 @@ Open a **Windows PowerShell** prompt and type the following command: ```PowerShell Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication ``` + >[!NOTE] > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA. @@ -196,111 +61,7 @@ AD FS performs its own certificate lifecycle management. Once the registration a Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. -## Additional federation servers - -Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. - -### Server authentication certificate - -Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. - -### Install additional servers - -Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. - -## Load balance AD FS - -Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. - -### Install Network Load Balancing Feature on AD FS Servers - -Sign-in the federation server with *Enterprise Administrator* equivalent credentials. - -1. Start **Server Manager**. Select **Local Server** in the navigation pane -1. Select **Manage** and then select **Add Roles and Features** -1. Select **Next** On the **Before you begin** page -1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next** -1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next** -1. On the **Select server roles** page, select **Next** -1. Select **Network Load Balancing** on the **Select features** page -1. Select **Install** to start the feature installation - -### Configure Network Load Balancing for AD FS - -Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. - -Sign-in a node of the federation farm with *Administrator* equivalent credentials. - -1. Open **Network Load Balancing Manager** from **Administrative Tools** -1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster** -1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect** -1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance) -1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next** -1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next** -1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster -1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next** -1. In Port Rules, select Edit to modify the default port rules to use port 443 - -### Additional AD FS Servers - -1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster** -1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same - -## Configure DNS for Device Registration - -Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\ -You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. - -1. Open the **DNS Management** console -1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones** -1. In the navigation pane, select the node that has the name of your internal Active Directory domain name -1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)** -1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host** -1. Right-click the `` node and select **New Alias (CNAME)** -1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box -1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE] -> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix. - -## Configure the Intranet Zone to include the federation service - -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. - -### Create an Intranet Zone Group Policy - -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Right-click **Group Policy object** and select **New** -1. Type **Intranet Zone Settings** in the name box and select **OK** -1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit** -1. In the navigation pane, expand **Policies** under **Computer Configuration** -1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List** -1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor - -### Deploy the Intranet Zone Group Policy object - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** -1. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** - -## Review to validate the configuration - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -> [!div class="checklist"] -> * Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template -> * Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance -> * Confirm you properly configured the Windows Hello for Business authentication certificate template -> * Confirm all certificate templates were properly published to the appropriate issuing certificate authorities -> * Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template -> * Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet -> Confirm you restarted the AD FS service -> * Confirm you properly configured load-balancing (hardware or software) -> * Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address -> * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. +[!INCLUDE [adfs-additional-servers](includes/adfs-additional-servers.md)] ### Event Logs @@ -308,7 +69,7 @@ Use the event logs on the AD FS service to confirm the service account enrolled - The account name under which the certificate was enrolled - The action, which should read enroll --_ The thumbprint of the certificate +- The thumbprint of the certificate - The certificate template used to issue the certificate You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate shown in the event log. @@ -319,5 +80,24 @@ Each file in this folder represents a certificate in the service account's Perso For detailed information about the certificate, use `Certutil -q -v `. +[!INCLUDE [adfs-mfa](includes/adfs-mfa.md)] + +## Review to validate the configuration + +> [!div class="checklist"] +> Before you continue with the deployment, validate your deployment progress by reviewing the following items: +> +> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template +> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance +> - Confirm you properly configured the Windows Hello for Business authentication certificate template +> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities +> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template +> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet +> Confirm you restarted the AD FS service +> - Confirm you properly configured load-balancing (hardware or software) +> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server +> - Confirm you have deployed a MFA solution for AD FS + > [!div class="nextstepaction"] -> [Next: validate and deploy multi-factor authentication (MFA) >](on-premises-cert-trust-mfa.md) +> [Next: configure and enroll in Windows Hello for Business >](on-premises-cert-trust-enroll.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md index 016c4b4c9e..045a6ba24c 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md @@ -1,131 +1,85 @@ --- +ms.date: 01/03/2024 +ms.topic: tutorial title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: tutorial --- -# Configure Windows Hello for Business group policy settings - on-premises certificate Trust +# Configure and enroll in Windows Hello for Business in an on-premises certificate trust model -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)] - -On-premises certificate-based deployments of Windows Hello for Business need three Group Policy settings: - -- Enable Windows Hello for Business -- Use certificate for on-premises authentication -- Enable automatic enrollment of certificates - -## Enable Windows Hello for Business group policy setting - -The group policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. - -If you configure the group policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the group policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. - -## Use certificate for on-premises authentication group policy setting - -The group policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this group policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication. - -You can configure this setting for computer or users. Deploying this setting to computers results in *all* users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. - -## Enable automatic enrollment of certificates group policy setting - -Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. - -## Create the GPO - -Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Right-click **Group Policy object** and select **New** -1. Type *Enable Windows Hello for Business* in the name box and select **OK** -1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and select **Edit** -1. In the navigation pane, select **User Configuration > Policies > Administrative Templates > Windows Component > Windows Hello for Business** -1. In the content pane, double-click **Use Windows Hello for Business**. Select **Enable** and **OK** -1. Select **Use certificate for on-premises authentication > Enable > OK** -1. In the navigation pane, expand **Policies > User Configuration** -1. Expand **Windows Settings > Security Settings > Public Key Policies** -1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties** -1. Select **Enabled** from the **Configuration Model** list -1. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box -1. Select the **Update certificates that use certificate templates** check box -1. Select **OK** and close the **Group Policy Management Editor**. - -## Configure security in the Windows Hello for Business GPO - -The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. - -Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Double-click the **Enable Windows Hello for Business** Group Policy object -1. In the **Security Filtering** section of the content pane, select **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and select **OK** -1. Select the **Delegation** tab. Select **Authenticated Users** and **Advanced** -1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK** - -## Deploy the Windows Hello for Business Group Policy object - -The application of the Windows Hello for Business Group Policy object uses security group filtering. This solution enables you to link the Group Policy object at the domain level, ensuring the GPO is within scope to all users. However, the security group filtering ensures that only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** -1. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** - -## Other Related Group Policy settings - -There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. - -### Use a hardware security device - -The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. - -You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. - -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. - -### Use biometrics - -Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. - -The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disables all biometrics. Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition. - -### PIN Complexity - -PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. - -Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically. The policy settings included are: - -- Require digits -- Require lowercase letters -- Maximum PIN length -- Minimum PIN length -- Expiration -- History -- Require special characters -- Require uppercase letters - -The settings can be found in *Administrative Templates\System\PIN Complexity*, under both the Computer and User Configuration nodes of the Group Policy editor. - -## Review to validate the configuration - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: +[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)] > [!div class="checklist"] -> - Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) -> - Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting -> - Confirm you configured the proper security settings for the Group Policy object -> - Confirm you removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) -> - Confirm you added the Windows Hello for Business Users group to the Group Policy object, and gave the group the allow permission to Apply Group Policy -> - Linked the Group Policy object to the correct locations within Active Directory -> - Deployed any additional Windows Hello for Business Group Policy settings +> Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) -## Add users to the Windows Hello for Business Users group +## Configure Windows Hello for Business policy settings -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. \ No newline at end of file +There are 2 policy setting required to enable Windows Hello for Business in a certificate trust model: + +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) +- [Use certificate for on-premises authentication](../policy-settings.md#use-certificate-for-on-premises-authentication) + +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + +Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). + +[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)] + +> [!TIP] +> Use the same *Windows Hello for Business Users* security group to assign **Certificate template permissions** to ensure the same members can enroll in the Windows Hello for Business authentication certificate. + +### Enable automatic enrollment of certificates group policy setting + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template. + +The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. + +[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
        or
        **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use Windows Hello for Business| **Enabled**| +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
        or
        **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use certificate for on-premises authentication| **Enabled**| +| **Computer Configuration\Windows Settings\Security Settings\Public Key Policies**
        or
        **User Configuration\Windows Settings\Security Settings\Public Key Policies** |Certificate Services Client - Auto-Enrollment| - Select **Enabled** from the **Configuration Model**
        - Select the **Renew expired certificates, update pending certificates, and remove revoked certificates**
        - Select **Update certificates that use certificate templates**| +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| + +> [!NOTE] +> The enablement of the *Use a hardware security device* policy setting is optional, but recommended. + +[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)] + +> [!TIP] +> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business. + +Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md). + +## Enroll in Windows Hello for Business + +The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass. + +You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\ +This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4]. + +### User experience + +[!INCLUDE [user-experience](includes/user-experience.md)] + +After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows sends the certificate request to the AD FS server for certificate enrollment. + +The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. + +The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center. + +### Sequence diagram + +To better understand the provisioning flows, review the following sequence diagram: + +- [Provisioning in an on-premises certificate trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-certificate-trust-deployment-model) + + +[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md deleted file mode 100644 index 35fd08dd4d..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-mfa.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: Validate and Deploy MFA for Windows Hello for Business with certificate trust -description: Validate and deploy multifactor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: tutorial ---- - -# Validate and deploy multifactor authentication - on-premises certificate trust - -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)] - -Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: - -- third-party authentication providers for AD FS -- custom authentication provider for AD FS - -> [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. - -For information about third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). To create a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method). - -Follow the integration and deployment guide for the authentication provider you plan to integrate to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). - -> [!div class="nextstepaction"] -> [Next: configure Windows Hello for Business Policy settings >](on-premises-cert-trust-enroll.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md deleted file mode 100644 index 2c8db04a8f..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-pki.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model -description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: tutorial ---- - -# Configure and validate the Public Key Infrastructure - on-premises certificate trust - -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)] - -Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. - -[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] - -## Configure the enterprise PKI - -[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] - -[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] - -[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)] - -[!INCLUDE [enrollment-agent-certificate-template](includes/enrollment-agent-certificate-template.md)] - -[!INCLUDE [auth-certificate-template](includes/auth-certificate-template.md)] - -[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] - -### Publish certificate templates to the CA - -A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. - -Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. - -1. Open the **Certification Authority** management console -1. Expand the parent node from the navigation pane -1. Select **Certificate Templates** in the navigation pane -1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue -1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority -1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list - - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation -1. Close the console - -## Configure and deploy certificates to domain controllers - -[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)] - -## Validate the configuration - -[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] - -> [!div class="nextstepaction"] -> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md index 4c3f3c04e8..6bd1a94800 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md @@ -1,43 +1,94 @@ --- -title: Deployment guide for the on-premises certificate trust model -description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model. -ms.date: 12/15/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +title: Windows Hello for Business on-premises certificate trust deployment guide +description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario. +ms.date: 01/03/2024 ms.topic: tutorial --- -# Deployment guide for the on-premises certificate trust model +# On-premises certificate trust deployment guide -[!INCLUDE [apply-to-on-premises-cert-trust-entra](includes/apply-to-on-premises-cert-trust-entra.md)] -Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment. +[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)] -There are four steps to deploying Windows Hello for Business in an on-premises certificate trust model: +[!INCLUDE [requirements](includes/requirements.md)] -1. [Validate and configure a PKI](on-premises-cert-trust-pki.md) -1. [Prepare and deploy AD FS](on-premises-cert-trust-adfs.md) -1. [Validate and deploy multi-factor authentication (MFA)](on-premises-cert-trust-mfa.md) -1. [Configure Windows Hello for Business Policy settings](on-premises-cert-trust-enroll.md) +> [!div class="checklist"] +> +> - [Public Key Infrastructure](index.md#pki-requirements) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements) +> - [Windows requirements](index.md#windows-requirements) +> - [Windows Server requirements](index.md#windows-server-requirements) +> - [Prepare users to use Windows Hello](prepare-users.md) -## Create the Windows Hello for Business Users security group +## Deployment steps -While this is not a required step, it is recommended to create a security group to simplify the deployment. +Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: -The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign certificate templates and group policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business. +> [!div class="checklist"] +> +> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure) +> - [Prepare and deploy AD FS with MFA](on-premises-cert-trust-adfs.md) +> - [Configure and enroll in Windows Hello for Business](on-premises-cert-trust-enroll.md) -Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials. +## Configure and validate the Public Key Infrastructure -1. Open **Active Directory Users and Computers** -1. Select **View > Advanced Features** -1. Expand the domain node from the navigation pane -1. Right-click the **Users** container. Select **New > Group** -1. Type *Windows Hello for Business Users* in the **Group Name** -1. Select **OK** +[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)] + +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. + +[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] + +## Configure the enterprise PKI + +[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)] + +[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] + +[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)] + +[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)] + +[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)] + +[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] + +### Publish certificate templates to the CA + +A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. + +Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane +1. Select **Certificate Templates** in the navigation pane +1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue +1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority +1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list + - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation +1. Close the console + +## Configure and deploy certificates to domain controllers + +[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)] + +## Validate the configuration + +[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] + +## Section review and next steps + +> [!div class="checklist"] +> Before moving to the next section, ensure the following steps are complete: +> +> - Configure domain controller and web server certificate templates +> - Supersede existing domain controller certificates +> - Unpublish superseded certificate templates +> - Configure an enrollment agent certificate template +> - Publish the certificate templates to the CA +> - Deploy certificates to the domain controllers +> - Validate the domain controllers configuration > [!div class="nextstepaction"] -> [Next: validate and configure a PKI >](on-premises-cert-trust-pki.md) \ No newline at end of file +> [Next: prepare and deploy AD FS >](on-premises-cert-trust-adfs.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md index 4446ced825..12685b46eb 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md @@ -1,264 +1,46 @@ --- -ms.date: 09/07/2023 -title: Prepare and deploy Active Directory Federation Services in an on-premises key trust -description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model. -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 +title: Configure Active Directory Federation Services in an on-premises key trust model +description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model. +ms.date: 01/03/2024 ms.topic: tutorial --- + # Prepare and deploy Active Directory Federation Services - on-premises key trust [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)] Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*. -The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\ -WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\ -To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. +[!INCLUDE [adfs-validate](includes/adfs-validate.md)] -A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. - -Prepare the AD FS deployment by installing and **updating** two Windows Servers. - -## Enroll for a TLS server authentication certificate - -Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. - -The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm: - - **Subject Name**: the internal FQDN of the federation server - - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*) - -The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*. - -You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. - -When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. - -Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. - -### AD FS authentication certificate enrollment - -Sign-in the federation server with *domain administrator* equivalent credentials. - -1. Start the Local Computer **Certificate Manager** (certlm.msc) -1. Expand the **Personal** node in the navigation pane -1. Right-click **Personal**. Select **All Tasks > Request New Certificate** -1. Select **Next** on the **Before You Begin** page -1. Select **Next** on the **Select Certificate Enrollment Policy** page -1. On the **Request Certificates** page, select the **Internal Web Server** check box -1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link - :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link."::: -1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add** -1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished -1. Select **Enroll** - -A server authentication certificate should appear in the computer's personal certificate store. - -## Deploy the AD FS role - -AD FS provides *device registration* and *key registration* services to support the Windows Hello for Business on-premises deployments. - ->[!IMPORTANT] -> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. - -Sign-in the federation server with *Enterprise Administrator* equivalent credentials. - -1. Start **Server Manager**. Select **Local Server** in the navigation pane -1. Select **Manage > Add Roles and Features** -1. Select **Next** on the **Before you begin** page -1. On the **Select installation type** page, select **Role-based or feature-based installation > Next** -1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next** -1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next** -1. Select **Next** on the **Select features** page -1. Select **Next** on the **Active Directory Federation Service** page -1. Select **Install** to start the role installation - -## Review to validate the AD FS deployment - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -> [!div class="checklist"] -> * Confirm the AD FS farm uses the correct database configuration -> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load -> * Confirm **all** AD FS servers in the farm have the latest updates installed -> * Confirm all AD FS servers have a valid server authentication certificate - -## Device registration service account prerequisites - -The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security. - -GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. - -### Create KDS Root Key - -Sign-in a domain controller with *Enterprise Administrator* equivalent credentials. - -Start an elevated PowerShell console and execute the following command: -```PowerShell -Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) -``` - -## Configure the Active Directory Federation Service Role - -Use the following procedures to configure AD FS. - -Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. - -1. Start **Server Manager** -1. Select the notification flag in the upper right corner and select **Configure the federation services on this server** -1. On the **Welcome** page, select **Create the first federation server farm > Next** -1. On the **Connect to Active Directory Domain Services** page, select **Next** -1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com* -1. Select the federation service name from the **Federation Service Name** list -1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next** -1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc* -1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next** -1. On the **Review Options** page, select **Next** -1. On the **Pre-requisite Checks** page, select **Configure** -1. When the process completes, select **Close** - -### Add the AD FS service account to the *Key Admins* group - -During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group. - -Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials. - -1. Open **Active Directory Users and Computers** -1. Select the **Users** container in the navigation pane -1. Right-click **Key Admins** in the details pane and select **Properties** -1. Select the **Members > Add…** -1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK** -1. Select **OK** to return to **Active Directory Users and Computers** -1. Change to server hosting the AD FS role and restart it - -## Configure the device registration service - -Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. - -1. Open the **AD FS management** console -1. In the navigation pane, expand **Service**. Select **Device Registration** -1. In the details pane, select **Configure device registration** -1. In the **Configure Device Registration** dialog, Select **OK** - -:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point."::: - -Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover. - -:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS."::: +[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)] ## Review to validate the AD FS and Active Directory configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: > [!div class="checklist"] -> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) -> * Confirm you added the AD FS service account to the KeyAdmins group -> * Confirm you enabled the Device Registration service +> +> - Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) +> - Confirm you added the AD FS service account to the KeyAdmins group +> - Confirm you enabled the Device Registration service -## Additional federation servers +[!INCLUDE [adfs-additional-servers](includes/adfs-additional-servers.md)] -Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. - -### Server authentication certificate - -Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. - -### Install additional servers - -Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. - -## Load balance AD FS - -Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. - -### Install Network Load Balancing Feature on AD FS Servers - -Sign-in the federation server with *Enterprise Administrator* equivalent credentials. - -1. Start **Server Manager**. Select **Local Server** in the navigation pane -1. Select **Manage** and then select **Add Roles and Features** -1. Select **Next** On the **Before you begin** page -1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next** -1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next** -1. On the **Select server roles** page, select **Next** -1. Select **Network Load Balancing** on the **Select features** page -1. Select **Install** to start the feature installation - -### Configure Network Load Balancing for AD FS - -Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. - -Sign-in a node of the federation farm with *Administrator* equivalent credentials. - -1. Open **Network Load Balancing Manager** from **Administrative Tools** -1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster** -1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect** -1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance) -1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next** -1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next** -1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster -1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next** -1. In Port Rules, select Edit to modify the default port rules to use port 443 - -### Additional AD FS Servers - -1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster** -1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same - -## Configure DNS for Device Registration - -Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\ -You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. - -1. Open the **DNS Management** console -1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones** -1. In the navigation pane, select the node that has the name of your internal Active Directory domain name -1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)** -1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host** -1. Right-click the `` node and select **New Alias (CNAME)** -1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box -1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE] -> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix. - -## Configure the Intranet Zone to include the federation service - -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. - -### Create an Intranet Zone Group Policy - -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Right-click **Group Policy object** and select **New** -1. Type **Intranet Zone Settings** in the name box and select **OK** -1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit** -1. In the navigation pane, expand **Policies** under **Computer Configuration** -1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List** -1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor - -### Deploy the Intranet Zone Group Policy object - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** -1. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** +[!INCLUDE [adfs-mfa](includes/adfs-mfa.md)] ## Review to validate the configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: > [!div class="checklist"] -> * Confirm all AD FS servers have a valid server authentication certificate. The subject of the certificate is the common name (FQDN) of the host or a wildcard name. The alternate name of the certificate contains a wildcard or the FQDN of the federation service -> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load -> * Confirm you restarted the AD FS service -> * Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address -> * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server +> +> - Confirm all AD FS servers have a valid server authentication certificate. The subject of the certificate is the common name (FQDN) of the host or a wildcard name. The alternate name of the certificate contains a wildcard or the FQDN of the federation service +> - Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load +> - Confirm you restarted the AD FS service +> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server +> - Confirm you have deployed a MFA solution for AD FS > [!div class="nextstepaction"] -> [Next: validate and deploy multi-factor authentication (MFA)](on-premises-key-trust-mfa.md) +> [Next: configure and enroll in Windows Hello for Business >](on-premises-key-trust-enroll.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md index eca8d12e30..442ead237c 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md @@ -1,108 +1,61 @@ --- -ms.date: 09/07/2023 +ms.date: 01/03/2024 +ms.topic: tutorial title: Configure Windows Hello for Business Policy settings in an on-premises key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -ms.topic: tutorial --- -# Configure Windows Hello for Business group policy settings - on-premises key trust + +# Configure and enroll in Windows Hello for Business in an on-premises key trust model [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)] -On-premises key trust deployments of Windows Hello for Business need one Group Policy setting: *Enable Windows Hello for Business*. -The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. - -If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. - -## Enable Windows Hello for Business group policy setting - -The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. - -If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. - -## Create the GPO - -Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Right-click **Group Policy object** and select **New** -1. Type *Enable Windows Hello for Business* in the name box and select **OK** -1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and select **Edit** -1. In the navigation pane, select **User Configuration > Policies > **Administrative Templates > Windows Component > Windows Hello for Business** -1. In the content pane, double-click **Use Windows Hello for Business**. Select **Enable** and **OK** -1. Close the **Group Policy Management Editor** - -## Configure security in the Windows Hello for Business GPO - -The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. - -Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. Expand the domain and select the **Group Policy Object** node in the navigation pane -1. Double-click the **Enable Windows Hello for Business** Group Policy object -1. In the **Security Filtering** section of the content pane, select **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and select **OK** -1. Select the **Delegation** tab. Select **Authenticated Users** and **Advanced** -1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK** - -## Deploy the Windows Hello for Business Group Policy object - -The application of the Windows Hello for Business Group Policy object uses security group filtering. This solution enables you to link the Group Policy object at the domain level, ensuring the GPO is within scope to all users. However, the security group filtering ensures that only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. - -1. Start the **Group Policy Management Console** (gpmc.msc) -1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** -1. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** - -## Other Related Group Policy settings - -There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. - -### Use a hardware security device - -The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. - -You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. - -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. - -### Use biometrics - -Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. - -The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disables all biometrics. Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition. - -### PIN Complexity - -PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. - -Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically. The policy settings included are: - -- Require digits -- Require lowercase letters -- Maximum PIN length -- Minimum PIN length -- Expiration -- History -- Require special characters -- Require uppercase letters - -The settings can be found in *Administrative Templates\System\PIN Complexity*, under both the Computer and User Configuration nodes of the Group Policy editor. - -## Review to validate the configuration - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - > [!div class="checklist"] -> * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) -> * Confirm you configured the proper security settings for the Group Policy object -> * Confirm you removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) -> * Confirm you added the Windows Hello for Business Users group to the Group Policy object, and gave the group the allow permission to Apply Group Policy -> * Linked the Group Policy object to the correct locations within Active Directory -> * Deployed any additional Windows Hello for Business Group Policy settings +> Once the prerequisites are met, and the PKI and AD FS configurations are validated, deploying Windows Hello for Business consists of the following steps: +> +> - [Configure Windows Hello for Business policy settings](#configure-windows-hello-for-business-policy-settings) +> - [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business) -## Add users to the Windows Hello for Business Users group +## Configure Windows Hello for Business policy settings -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. +There's 1 policy setting required to enable Windows Hello for Business in a key trust model: + +- [Use Windows Hello for Business](../policy-settings.md#use-windows-hello-for-business) + +Another optional, but recommended, policy setting is: + +- [Use a hardware security device](../policy-settings.md#use-a-hardware-security-device) + +[!INCLUDE [gpo-enable-whfb](includes/gpo-enable-whfb.md)] + +[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**
        or
        **User Configuration\Administrative Templates\Windows Components\Windows Hello for Business**|Use Windows Hello for Business| **Enabled**| +| **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business** |Use a hardware security device| **Enabled**| + +[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)] + +> [!TIP] +> The best way to deploy the Windows Hello for Business GPO is to use security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all security principals. The security group filtering ensures that only the members of the global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business. + +Additional policy settings can be configured to control the behavior of Windows Hello for Business. For more information, see [Windows Hello for Business policy settings](../policy-settings.md). + +## Enroll in Windows Hello for Business + +The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass. + +You can determine the status of the prerequisite checks by viewing the **User Device Registration** admin log under **Applications and Services Logs > Microsoft > Windows**.\ +This information is also available using the `dsregcmd.exe /status` command from a console. For more information, see [dsregcmd][AZ-4]. + +### User experience + +[!INCLUDE [user-experience](includes/user-experience.md)] + +### Sequence diagram + +To better understand the provisioning flows, review the following sequence diagram: + +- [Provisioning in an on-premises key trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-key-trust-deployment-model) + +[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md deleted file mode 100644 index 6d7aef36c5..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-pki.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -title: Configure and validate the Public Key Infrastructure in an on-premises key trust model -description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model. -ms.date: 09/07/2023 -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 -ms.topic: tutorial ---- -# Configure and validate the Public Key Infrastructure - on-premises key trust - -[!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)] - -Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. - -[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] - -## Configure the enterprise PKI - -[!INCLUDE [dc-certificate-template](includes/dc-certificate-template.md)] - -[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] - -[!INCLUDE [web-server-certificate-template](includes/web-server-certificate-template.md)] - -[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] - -### Publish certificate templates to the CA - -A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. - -Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. - -1. Open the **Certification Authority** management console -1. Expand the parent node from the navigation pane -1. Select **Certificate Templates** in the navigation pane -1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue -1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority -1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list - - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation -1. Close the console - -## Configure and deploy certificates to domain controllers - -[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)] - -## Validate the configuration - -[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] - -> [!div class="nextstepaction"] -> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md index 961219b27e..a5a2281196 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md @@ -1,35 +1,86 @@ --- -title: Windows Hello for Business deployment guide for the on-premises key trust model -description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model. -ms.date: 12/12/2022 +title: Windows Hello for Business on-premises key trust deployment guide +description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario. +ms.date: 01/03/2024 ms.topic: tutorial --- -# Deployment guide overview - on-premises key trust +# On-premises key trust deployment guide [!INCLUDE [apply-to-on-premises-key-trust](includes/apply-to-on-premises-key-trust.md)] -Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment: +[!INCLUDE [requirements](includes/requirements.md)] -1. [Validate and configure a PKI](on-premises-key-trust-pki.md) -1. [Prepare and deploy AD FS](on-premises-key-trust-adfs.md) -1. [Validate and deploy multifactor authentication (MFA)](on-premises-key-trust-mfa.md) -1. [Configure Windows Hello for Business Policy settings](on-premises-key-trust-enroll.md) +> [!div class="checklist"] +> +> - [Public Key Infrastructure](index.md#pki-requirements) +> - [Authentication](index.md#authentication-to-microsoft-entra-id) +> - [Device configuration](index.md#device-configuration-options) +> - [Licensing for cloud services](index.md#licensing-for-cloud-services-requirements) +> - [Windows requirements](index.md#windows-requirements) +> - [Windows Server requirements](index.md#windows-server-requirements) +> - [Prepare users to use Windows Hello](prepare-users.md) -## Create the Windows Hello for Business Users security group +## Deployment steps -While this isn't a required step, it's recommended to create a security group to simplify the deployment. +Once the prerequisites are met, deploying Windows Hello for Business consists of the following steps: -The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business. +> [!div class="checklist"] +> +> - [Configure and validate the Public Key Infrastructure](#configure-and-validate-the-public-key-infrastructure) +> - [Prepare and deploy AD FS with MFA](on-premises-key-trust-adfs.md) +> - [Configure and enroll in Windows Hello for Business](on-premises-key-trust-enroll.md) -Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials. +## Configure and validate the Public Key Infrastructure -1. Open **Active Directory Users and Computers** -1. Select **View > Advanced Features** -1. Expand the domain node from the navigation pane -1. Right-click the **Users** container. Select **New > Group** -1. Type *Windows Hello for Business Users* in the **Group Name** -1. Select **OK** +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. + +[!INCLUDE [lab-based-pki-deploy](includes/lab-based-pki-deploy.md)] + +## Configure the enterprise PKI + +[!INCLUDE [dc-certificate-template](includes/certificate-template-dc.md)] + +[!INCLUDE [dc-certificate-template-supersede](includes/dc-certificate-supersede.md)] + +[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)] + +[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)] + +### Publish certificate templates to the CA + +A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. + +Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane +1. Select **Certificate Templates** in the navigation pane +1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue +1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority +1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list + - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation +1. Close the console + +## Configure and deploy certificates to domain controllers + +[!INCLUDE [dc-certificate-deployment](includes/dc-certificate-deployment.md)] + +## Validate the configuration + +[!INCLUDE [dc-certificate-validate](includes/dc-certificate-validate.md)] + +## Section review and next steps + +> [!div class="checklist"] +> Before moving to the next section, ensure the following steps are complete: +> +> - Configure domain controller and web server certificate templates +> - Supersede existing domain controller certificates +> - Unpublish superseded certificate templates +> - Publish the certificate templates to the CA +> - Deploy certificates to the domain controllers +> - Validate the domain controllers configuration > [!div class="nextstepaction"] -> [Next: validate and configure PKI >](on-premises-key-trust-pki.md) \ No newline at end of file +> [Next: prepare and deploy AD FS >](on-premises-key-trust-adfs.md) diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md new file mode 100644 index 0000000000..9dbdfc8a07 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md @@ -0,0 +1,45 @@ +--- +title: Prepare users to provision and use Windows Hello for Business +description: Learn how to prepare users to enroll and to use Windows Hello for Business. +ms.date: 01/02/2024 +ms.topic: end-user-help +--- + +# Prepare users to provision and use Windows Hello for Business + +This article provides guidance on how to prepare users to enroll and to use Windows Hello for Business. It also provides guidance on how to communicate the benefits of Windows Hello for Business to users. + +## Multi-factor authentication + +The provisioning of Windows Hello requires users to authenticate with multi-factor (MFA). Ensure that you have a solution in place for users to use MFA during the process. + +> [!TIP] +> To facilitate user communication and to ensure a successful Windows Hello for Business deployment, you can find customizable material (email templates, posters, trainings, etc.) at [Microsoft Entra templates](https://aka.ms/adminmails). + +## Biometric gestures + +Depending on the hardware, users might be prompted to register their fingerprint or face. Explain to users that for convenience, they should register their biometric gesture during the provisioning process. The biometric gesture can be used to unlock the device and to authenticate to resources that require Windows Hello for Business. Biometric gestures are valid only on the enrolled device and are not stored outside the device. + +## User experience + +The next video shows the Windows Hello for Business enrollment experience after a user signs in with a password: + +1. Since the device supports biometric authentication, the user is prompted to set up a biometric gesture. This gesture can be used to unlock the device and authenticate to resources that require Windows Hello for Business. The user can skip this step if they don't want to set up a biometric gesture +1. The user is prompted to use Windows Hello with the organization account. The user selects **OK** +1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry +1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device + +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] + +After enrollment in Windows Hello, users should use their gesture (such as a PIN or fingerprint) for access to their devices and corporate resources. The unlock gesture is valid only on the enrolled device. + +> [!IMPORTANT] +> Although the organization might require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello. + +The next video shows the Windows Hello for Business enrollment experience as part of the out-of-box-experience (OOBE) process: + +1. The user joins the device to Microsoft Entra ID and is prompted for MFA during the join process +1. The device is Managed by Microsoft Intune and applies Windows Hello for Business policy settings +1. After the user profile is loaded, but before the access to the desktop is granted, the user must enroll in Windows Hello + +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=44c16430-756f-490a-9fc1-80e2724fef8d alt-text="Video showing the Windows Hello for Business enrollment steps after the out-of-box-experience process."] \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/deploy/requirements.md b/windows/security/identity-protection/hello-for-business/deploy/requirements.md deleted file mode 100644 index 61dffe9d37..0000000000 --- a/windows/security/identity-protection/hello-for-business/deploy/requirements.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -ms.date: 10/09/2023 -title: Windows Hello for Business Deployment Prerequisite Overview -description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models -ms.topic: overview -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Server 2022 -- ✅ Windows Server 2019 -- ✅ Windows Server 2016 ---- - -# Windows Hello for Business Deployment Prerequisite Overview - -This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. - - - -## Microsoft Entra Cloud Only Deployment - -- Microsoft Entra ID -- Microsoft Entra multifactor authentication -- Device management solution (Intune or supported third-party MDM), *optional* -- Microsoft Entra ID P1 or P2 subscription - *optional*, needed for automatic MDM enrollment when the device joins Microsoft Entra ID - -## Hybrid Deployments - -The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. - -| Requirement | Cloud Kerberos trust
        Group Policy or Modern managed | Key trust
        Group Policy or Modern managed | Certificate Trust
        Mixed managed | Certificate Trust
        Modern managed | -| --- | --- | --- | --- | --- | -| **Windows Version** | Any supported Windows client versions| Any supported Windows client versions | Any supported Windows client versions | -| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later schema | Windows Server 2016 or later schema | Windows Server 2016 or later schema | -| **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | -| **Domain Controller Version** | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | -| **Certificate Authority**| Not required |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | -| **AD FS Version** | Not required | Not required | Any supported Windows Server versions | Any supported Windows Server versions | -| **MFA Requirement** | Azure MFA, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | -| **Microsoft Entra Connect** | Not required. It's recommended to use [Microsoft Entra Connect cloud sync](/azure/active-directory/hybrid/cloud-sync/what-is-cloud-sync) | Required | Required | Required | -| **Microsoft Entra ID license** | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, optional | Microsoft Entra ID P1 or P2, needed for device write-back | Microsoft Entra ID P1 or P2, optional. Intune license required | - -## On-premises Deployments - -The table shows the minimum requirements for each deployment. - -| Requirement | Key trust
        Group Policy managed | Certificate trust
        Group Policy managed| -| --- | --- | ---| -| **Windows Version** | Any supported Windows client versions|Any supported Windows client versions| -| **Schema Version**| Windows Server 2016 Schema | Windows Server 2016 Schema| -| **Domain and Forest Functional Level**| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | -| **Domain Controller Version**| Any supported Windows Server versions | Any supported Windows Server versions | -| **Certificate Authority**| Any supported Windows Server versions | Any supported Windows Server versions | -| **AD FS Version**| Any supported Windows Server versions | Any supported Windows Server versions | -| **MFA Requirement**| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter | diff --git a/windows/security/identity-protection/hello-for-business/deploy/toc.yml b/windows/security/identity-protection/hello-for-business/deploy/toc.yml index 87ab1eb026..55964be416 100644 --- a/windows/security/identity-protection/hello-for-business/deploy/toc.yml +++ b/windows/security/identity-protection/hello-for-business/deploy/toc.yml @@ -1,29 +1,18 @@ items: -- name: Windows Hello for Business deployment overview +- name: Plan a Windows Hello for Business Deployment href: index.md -- name: Deployment prerequisite overview - href: requirements.md - name: Cloud-only deployment - href: cloud.md + href: cloud-only.md - name: Hybrid deployments items: - name: Cloud Kerberos trust deployment - items: - - name: Overview - href: hybrid-cloud-kerberos-trust.md - displayName: cloud Kerberos trust - - name: Configure and provision Windows Hello for Business - href: hybrid-cloud-kerberos-trust-enroll.md - displayName: cloud Kerberos trust + href: hybrid-cloud-kerberos-trust.md - name: Key trust deployment items: - - name: Overview + - name: Requirements and validation href: hybrid-key-trust.md displayName: key trust - - name: Configure and validate the PKI - href: hybrid-key-trust-pki.md - displayName: key trust - - name: Configure and provision Windows Hello for Business + - name: Configure and enroll in Windows Hello for Business href: hybrid-key-trust-enroll.md displayName: key trust - name: Configure SSO for Microsoft Entra joined devices @@ -31,7 +20,7 @@ items: displayName: key trust - name: Certificate trust deployment items: - - name: Overview + - name: Requirements and validation href: hybrid-cert-trust.md displayName: certificate trust - name: Configure and validate Public Key Infrastructure (PKI) @@ -53,25 +42,19 @@ items: items: - name: Key trust deployment items: - - name: Overview - href: hybrid-cloud-kerberos-trust.md - - name: Configure and validate the PKI - href: on-premises-key-trust-pki.md + - name: Requirements and validation + href: on-premises-key-trust.md - name: Prepare and deploy Active Directory Federation Services (AD FS) href: on-premises-key-trust-adfs.md - - name: Validate and deploy multi-factor authentication (MFA) services - href: on-premises-key-trust-mfa.md - - name: Configure Windows Hello for Business policy settings + - name: Configure and enroll in Windows Hello for Business href: on-premises-key-trust-enroll.md - name: Certificate trust deployment items: - - name: Overview + - name: Requirements and validation href: on-premises-cert-trust.md - - name: Configure and validate Public Key Infrastructure (PKI) - href: on-premises-cert-trust-pki.md - name: Prepare and Deploy Active Directory Federation Services (AD FS) href: on-premises-cert-trust-adfs.md - - name: Validate and deploy multi-factor authentication (MFA) - href: on-premises-cert-trust-mfa.md - name: Configure and enroll in Windows Hello for Business href: on-premises-cert-trust-enroll.md +- name: Prepare users to provision and use Hello + href: prepare-users.md diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml similarity index 58% rename from windows/security/identity-protection/hello-for-business/hello-faq.yml rename to windows/security/identity-protection/hello-for-business/faq.yml index 6f42bde365..1b9e0947ca 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml @@ -5,7 +5,7 @@ metadata: author: paolomatarazzo ms.author: paoloma ms.topic: faq - ms.date: 12/08/2023 + ms.date: 01/03/2024 title: Common questions about Windows Hello for Business summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business. @@ -17,45 +17,31 @@ sections: - question: What's the difference between Windows Hello and Windows Hello for Business? answer: | Windows Hello represents the biometric framework provided in Windows. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. - - question: How can a PIN be more secure than a password? + - question: Why a PIN is better than an online password answer: | - When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. - The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. - - question: How does Windows Hello for Business authentication work? - answer: | - When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. - These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It's important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn't require explicit validation through a user gesture, and the key material isn't exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure an application to require re-authentication anytime a specific operation is performed, even though the same account and PIN or gesture were already used to unlock the device. - For more information about the different authentication flows used by Windows Hello for Business, see [Windows Hello for Business and Authentication](hello-how-it-works-authentication.md). - - question: What happens after a user registers a PIN during the Windows Hello for Business enrollment process? - answer: | - Windows Hello generates a new public-private key pair on the device. The TPM generates and protects this private key; if the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. It's associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. **Each unique gesture generates a unique protector key**. The protector key securely wraps the *authentication key*. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary (for example, when using the PIN reset service). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. - At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means the user is able to securely sign in to the device with the PIN and thus be able to establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using the PIN, and then registers the new biometric, after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. - - question: What's a container? - answer: | - In the context of Windows Hello for Business, a container is a logical grouping of *key material* or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. - The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Microsoft Entra ID. - - > [!NOTE] - > There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders. + Three main reasons: + 1. **A PIN is tied to a device**: one important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it's set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too. The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device + 1. **A PIN is local to the device**: an online password is transmitted to the server. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key + 1. **A PIN is backed by hardware**: the Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords. User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked - The container contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. Each logical container holds one or more sets of keys.\ - :::image type="content" source="images/passport-fig3-logicalcontainer.png" alt-text="logical container with set of keys"::: - - Containers can contain several types of key material: - - An authentication key, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. - - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: - - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. - - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI. + The statement *A PIN is stronger than a password* is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](multifactor-unlock.md) feature. + - question: What if someone steals the device? + answer: | + To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device. + - question: Why do you need a PIN to use biometrics? + answer: | + Windows Hello enables biometric sign-in with fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. + If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello. - question: How are keys protected? answer: | - Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IDP before the IDP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. + Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IdP before the IdP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. - question: How does PIN caching work with Windows Hello for Business? answer: | Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Microsoft Entra ID and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key. - Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. + Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation prompts the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN. - The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. Windows 10 doesn't provide any Group Policy settings to adjust this caching. + The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching. - question: Where is Windows Hello biometrics data stored? answer: | When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). @@ -65,34 +51,26 @@ sections: - question: Who has access on Windows Hello biometrics data? answer: | Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it. - - question: What's the difference between non-destructive and destructive PIN reset? - answer: | - Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Microsoft Entra ID can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). - - Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For Microsoft Entra hybrid joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication? answer: | - Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. + Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. An IT administrator may configure policy settings, but it's always a user's choice if they want to use biometrics or PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? answer: | - To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). + To remove Windows Hello and any associated biometric identification data from the device, open **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. The action unenrolls from Windows Hello biometrics authentication and deletes the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). - name: Management and operations questions: - - question: Can I deploy and manage Windows Hello for Business using Microsoft Intune? - answer: | - Yes, hybrid and cloud-only Windows Hello for Business deployments can use Microsoft Intune. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). - question: Can I deploy and manage Windows Hello for Business by using Microsoft Configuration Manager? answer: | Starting in Configuration Manager, version 2203, Windows Hello for Business deployments using Configuration Manager are no longer supported. - question: How do I delete a Windows Hello for Business container on a device? answer: | - You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device. + You can delete the Windows Hello for Business container by executing the command `certutil.exe -deleteHelloContainer`. - question: What happens when a user forgets their PIN? answer: | - If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app. Users can reset also their PIN from the lock screen by selecting the *I forgot my PIN* link on the PIN credential provider. + If the user can sign in with a password, they can reset their PIN by selecting the *I forgot my PIN* link in the Settings app or from the lock screen, by selecting the *I forgot my PIN* link on the PIN credential provider. - For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). + For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Microsoft Entra tenant to use the *Windows Hello for Business PIN reset service* to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). - question: Does Windows Hello for Business prevent the use of simple PINs? answer: | Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at 10 ('zero'). @@ -118,9 +96,6 @@ sections: - question: Can I disable the PIN while using Windows Hello for Business? answer: | No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. - - question: What is Event ID 300? - answer: | - This event is created when Windows Hello for Business is successfully created and registered with Microsoft Entra ID. Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required. - question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business? answer: | The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN. @@ -144,7 +119,7 @@ sections: No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. - question: What attributes are synchronized by Microsoft Entra Connect with Windows Hello for Business? answer: | - Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes. + Review [Microsoft Entra Connect Sync: Attributes synchronized to Microsoft Entra ID](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#windows-10) scenario and the [Device writeback](/entra/identity/hybrid/connect/reference-connect-sync-attributes-synchronized#device-writeback) scenario. Your environment may include other attributes. - question: Can I use third-party MFA providers with Windows Hello for Business? answer: | Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). @@ -166,19 +141,19 @@ sections: Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication? answer: | - Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint. + Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, consider un-enrolling from face authentication and only using PIN or fingerprint. - question: How does Windows Hello for Business work with Microsoft Entra registered devices? answer: | - A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures. + A user will be prompted to set up a Windows Hello for Business key on a Microsoft Entra registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures. If a user has signed into their Microsoft Entra registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Microsoft Entra resources. The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business. - For more information, please read [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register). + For more information, see [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register). - question: Does Windows Hello for Business work with non-Windows operating systems? answer: | - Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft isn't developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). + Windows Hello for Business is a feature of the Windows platform. - question: Does Windows Hello for Business work with Microsoft Entra Domain Services clients? answer: | No, Microsoft Entra Domain Services is a separately managed environment in Azure, and hybrid device registration with cloud Microsoft Entra ID isn't available for it via Microsoft Entra Connect. Hence, Windows Hello for Business doesn't work with Microsoft Entra Domain Services. @@ -191,7 +166,7 @@ sections: - question: Which is a better or more secure for of authentication, key or certificate? answer: | Both types of authentication provide the same security; one is not more secure than the other. - The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates: + The trust models of your deployment determine how you authenticate to Active Directory. Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates: - The *key trust* model authenticates to Active Directory by using a raw key. Key trust doesn't require an enterprise-issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed) - The *certificate trust* model authenticates to Active Directory by using a certificate. Therefore, you need to issue certificates to users. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing CA - question: What is convenience PIN? @@ -202,7 +177,7 @@ sections: No. While it's possible to set a convenience PIN on Microsoft Entra joined and Microsoft Entra hybrid joined devices, convenience PIN isn't supported for Microsoft Entra user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users. - question: What about virtual smart cards? answer: | - Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business. + Windows Hello for Business is the modern, two-factor authentication for Windows. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. - question: What URLs do I need to allow for a hybrid deployment? answer: | For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online). @@ -222,13 +197,13 @@ sections: Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode. - question: Can I use both a PIN and biometrics to unlock my device? answer: | - You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md). + You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](multifactor-unlock.md). - name: Cloud Kerberos trust questions: - question: What is Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust). + Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy). - question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment? answer: | This feature doesn't work in a pure on-premises AD domain services environment. @@ -242,7 +217,7 @@ sections: - attempting to access on-premises resources secured by Active Directory - question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose. + Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP if a [certificate is enrolled into Windows Hello for Business](rdp-sign-in.md) for this purpose. As an alternative, consider using [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) which doesn't require to deploy certificates. - question: Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust? answer: | No, only the number necessary to handle the load from all cloud Kerberos trust devices. @@ -254,4 +229,4 @@ sections: In a hybrid deployment, a user's public key must sync from Microsoft Entra ID to Active Directory before it can be used to authenticate against a domain controller. This sync is handled by Microsoft Entra Connect and will occur during a normal sync cycle. - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. + Remote Desktop Protocol (RDP) doesn't support using key-based authentication as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). As an alternative, consider using [Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard) which doesn't require to deploy certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md deleted file mode 100644 index 3d9b51898d..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: Windows Hello and password changes -description: Learn the impact of changing a password when using Windows Hello. -ms.date: 03/15/2023 -ms.topic: concept-article ---- -# Windows Hello and password changes - -When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If Windows Hello for Business isn't deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. - -> [!Note] -> This article doesn't apply to Windows Hello for Business. Change the account password will not affect sign-in or unlock, since Windows Hello for Business uses a key or certificate. - -**Example 1** - -Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. -Since you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. - -**Example 2** - -Suppose that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated. - ->[!NOTE] ->This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](hello-manage-in-organization.md). - -## How to update Hello after you change your password on another device - -1. When you try to sign in using your PIN or biometric, you'll see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.** -1. Select **OK** -1. Select **Sign-in options** -1. Select **Password** -1. Sign in with new password -1. The next time that you sign in, you can select **Sign-in options > PIN** to resume using your PIN. diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md deleted file mode 100644 index d80393b040..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ /dev/null @@ -1,88 +0,0 @@ ---- -title: Windows Hello biometrics in the enterprise -description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. -ms.date: 01/12/2021 -ms.topic: concept-article ---- - -# Windows Hello biometrics in the enterprise - -Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. - ->[!NOTE] ->When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. - -## How does Windows Hello work? - -Windows Hello lets your employees use fingerprint, facial recognition, or iris recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. - -The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. - -## Why should I let my employees use Windows Hello? - -Windows Hello provides many benefits, including: - -- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge. -- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords! -- Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
        For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. - -## Where is Windows Hello data stored? - -The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor. - -> [!NOTE] ->Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file. - -## Has Microsoft set any device requirements for Windows Hello? - -We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: - -- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. - -- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. - -### Fingerprint sensor requirements - -To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative logon option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). - -**Acceptable performance range for small to large size touch sensors** - -- False Accept Rate (FAR): <0.001 – 0.002% - -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% - -**Acceptable performance range for swipe sensors** - -- False Accept Rate (FAR): <0.002% - -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% - -### Facial recognition sensors - -To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). - -- False Accept Rate (FAR): <0.001% - -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% - -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% - -> [!NOTE] ->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. - -### Iris recognition sensor requirements - -To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K. - -## Related topics - -- [Windows Hello for Business](deploy/requirements.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index b5c4e51668..a1df8320f4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -4,12 +4,11 @@ description: This article is a troubleshooting guide for known Windows Hello for ms.date: 06/02/2023 ms.topic: troubleshooting --- + # Windows Hello for Business known deployment issues The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business. - - ## PIN reset on Microsoft Entra join devices fails with *We can't open that page right now* error PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*. @@ -50,8 +49,6 @@ After the initial sign-in attempt, the user's Windows Hello for Business public To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)). - - ## Microsoft Entra joined device access to on-premises resources using key trust and third-party Certificate Authority (CA) Applies to: @@ -71,10 +68,10 @@ The issue can be identified using network traces or Kerberos logging from the cl Log Name: Microsoft-Windows-Kerberos/Operational Source: Microsoft-Windows-Security-Kerberos Event ID: 107 -GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} +GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} Task Category: None Level: Error -Keywords: +Keywords: User: SYSTEM Description: @@ -137,7 +134,7 @@ Date: Event ID: 362 Task Category: None Level: Warning -Keywords: +Keywords: User: Computer: Description: @@ -150,7 +147,7 @@ Local computer meets Windows hello for business hardware requirements: Yes User is not connected to the machine via Remote Desktop: Yes User certificate for on premise auth policy is enabled: Yes Enterprise user logon certificate enrollment endpoint is ready: Not Tested -Enterprise user logon certificate template is : No ( 1 : StateNoPolicy ) +Enterprise user logon certificate template is : No ( 1 : StateNoPolicy ) User has successfully authenticated to the enterprise STS: No Certificate enrollment method: enrollment authority See https://go.microsoft.com/fwlink/?linkid=832647 for more details. diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index d048d6409f..2c3b021381 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -2,7 +2,7 @@ title: Windows Hello errors during PIN creation description: When you set up Windows Hello, you may get an error during the Create a work PIN step. ms.topic: troubleshooting -ms.date: 04/24/2023 +ms.date: 01/26/2024 --- # Windows Hello errors during PIN creation @@ -13,7 +13,7 @@ When you set up Windows Hello in Windows client, you may get an error during the The following image shows an example of an error during **Create a PIN**. -![PIN error.](images/pinerror.png) +![PIN error.](images/provisioning-error.png) ## Error mitigations @@ -28,12 +28,12 @@ If the error occurs again, check the error code against the following table to s | Hex | Cause | Mitigation | | :--------- | :----------------------------------------------------------------- | :------------------------------------------ | -| 0x80090005 | NTE\_BAD\_DATA | Unjoin the device from Microsoft Entra ID and rejoin. | +| 0x80090005 | NTE_BAD_DATA | Unjoin the device from Microsoft Entra ID and rejoin. | | 0x8009000F | The container or key already exists. | Unjoin the device from Microsoft Entra ID and rejoin. | | 0x80090011 | The container or key was not found. | Unjoin the device from Microsoft Entra ID and rejoin. | | 0x80090029 | TPM is not set up. | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | -| 0x8009002A | NTE\_NO\_MEMORY | Close programs which are taking up memory and try again. | -| 0x80090031 | NTE\_AUTHENTICATION\_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). | +| 0x8009002A | NTE_NO_MEMORY | Close programs which are taking up memory and try again. | +| 0x80090031 | NTE_AUTHENTICATION_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). | | 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. | | 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. | | 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation​. | @@ -53,11 +53,11 @@ If the error occurs again, check the error code against the following table to s | 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.

        -or-

        Token was not found in the Authorization header.

        -or-

        Failed to read one or more objects.

        -or-

        The request sent to the server was invalid.

        -or-

        User does not have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
        Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. | 0x801C03EE | Attestation failed. | Sign out and then sign in again. | | 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. | -| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address. +| 0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address. | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Microsoft Entra ID and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| +| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| | 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation @@ -70,9 +70,9 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0X80072F0C | Unknown | | 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.| | 0x80090010 | NTE_PERM | -| 0x80090020 | NTE\_FAIL | +| 0x80090020 | NTE_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | -| 0x8009002D | NTE\_INTERNAL\_ERROR | +| 0x8009002D | NTE_INTERNAL_ERROR | | 0x801C0001 | ADRS server response is not in a valid format. | | 0x801C0002 | Server failed to authenticate the user. | | 0x801C0006 | Unhandled exception from server. | diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md deleted file mode 100644 index 3ed49353ea..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ /dev/null @@ -1,412 +0,0 @@ ---- -title: How Windows Hello for Business works - technology and terms -description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. -ms.date: 10/08/2018 -ms.topic: glossary ---- - -# Technology and terms - -## Attestation identity keys - -Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. - -> [!NOTE] -> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. -> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. - -Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device. - -Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. This behavior isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. - -In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate. - -### Related to attestation identity keys - -- [Endorsement key](#endorsement-key) -- [Storage root key](#storage-root-key) -- [Trusted platform module](#trusted-platform-module) - -### More information about attestation identity keys - -- [Windows client certificate enrollment protocol: glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab) -- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) - - - -## Microsoft Entra join - -Microsoft Entra join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Microsoft Entra join. Microsoft Entra join also works in a hybrid environment and can enable access to on-premises applications and resources. - - - -### Related to Microsoft Entra join - -- [Join type](#join-type) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) - - - -### More information about Microsoft Entra join - -[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview). - - - -## Microsoft Entra registration - -The goal of Microsoft Entra registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Microsoft Entra ID-controlled resources using a personal device. - - - -### Related to Microsoft Entra registration - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) -- [Join type](#join-type) - - - -### More information about Microsoft Entra registration - -[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview). - -## Certificate trust - -The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers. - -### Related to certificate trust - -- [Deployment type](#deployment-type) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) -- [Hybrid deployment](#hybrid-deployment) -- [Cloud Kerberos trust](#cloud-kerberos-trust) -- [Key trust](#key-trust) -- [On-premises deployment](#on-premises-deployment) -- [Trust type](#trust-type) - -### More information about certificate trust - -[Windows Hello for Business planning guide](hello-planning-guide.md) - -## Cloud deployment - -The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Microsoft Entra joined or Microsoft Entra registered devices. - -### Related to cloud deployment - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra registration](#azure-ad-registration) -- [Deployment type](#deployment-type) -- [Join type](#join-type) - -## Cloud experience host - -In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Microsoft Entra ID for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Microsoft Entra ID, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. - -### Related to cloud experience host - -- [Windows Hello for Business](deploy/requirements.md) -- [Managed Windows Hello in organization](hello-manage-in-organization.md) - -### More information on cloud experience host - -[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works) - -## Cloud Kerberos trust - -The cloud Kerberos trust model offers a simplified deployment experience, when compared to the other trust types.\ -With cloud Kerberos trust, there's no need to deploy certificates to the users or to the domain controllers, which is ideal for environments without an existing PKI. - -Giving the simplicity offered by this model, cloud Kerberos trust is the recommended model when compared to the key trust model. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. - -### Related to cloud Kerberos trust - -- [Deployment type](#deployment-type) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) -- [Hybrid deployment](#hybrid-deployment) -- [Key trust](#key-trust) -- [On-premises deployment](#on-premises-deployment) -- [Trust type](#trust-type) - -### More information about cloud Kerberos trust - -[Cloud Kerberos trust deployment](deploy/hybrid-cloud-kerberos-trust.md) - -## Deployment type - -Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: - -- Cloud -- Hybrid -- On-premises - -### Related to deployment type - -- [Cloud deployment](#cloud-deployment) -- [Hybrid deployment](#hybrid-deployment) -- [On-premises deployment](#on-premises-deployment) - -### More information about deployment type - -[Windows Hello for Business planning guide](hello-planning-guide.md) - -## Endorsement key - -The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). - -The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. - -The endorsement key acts as an identity card for the TPM. - -The endorsement key is often accompanied by one or two digital certificates: - -- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - -- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. - -For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11. - -### Related to endorsement key - -- [Attestation identity keys](#attestation-identity-keys) -- [Storage root key](#storage-root-key) -- [Trusted platform module](#trusted-platform-module) - -### More information about endorsement key - -- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)) -- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) - -## Federated environment - -Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Microsoft Entra ID and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Microsoft Entra ID. - -### Related to federated environment - -- [Hybrid deployment](#hybrid-deployment) -- [Managed environment](#managed-environment) -- [Pass-through authentication](#pass-through-authentication) -- [Password hash sync](#password-hash-sync) - -### More information about federated environment - -[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) - - - -## Microsoft Entra hybrid join - -For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: - -- IT departments to manage work-owned devices from a central location. -- Users to sign in to their devices with their Active Directory work or school accounts. - -Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them. - -If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Microsoft Entra ID, you can implement Microsoft Entra hybrid joined devices. These devices are joined to both your on-premises Active Directory and your Microsoft Entra ID. - - - -### Related to Microsoft Entra hybrid join - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra registration](#azure-ad-registration) -- [Hybrid deployment](#hybrid-deployment) - - - -### More information about Microsoft Entra hybrid join - -[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview) - -## Hybrid deployment - -The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Microsoft Entra ID. Hybrid deployments support devices that are Microsoft Entra registered, Microsoft Entra joined, and Microsoft Entra hybrid joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust. - -### Related to hybrid deployment - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra registration](#azure-ad-registration) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) - -### More information about hybrid deployment - -[Windows Hello for Business planning guide](hello-planning-guide.md) - -## Join type - -Join type is how devices are associated with Microsoft Entra ID. For a device to authenticate to Microsoft Entra it must be registered or joined. - -Registering a device to Microsoft Entra ID enables you to manage a device's identity. When a device is registered, Microsoft Entra device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Microsoft Entra ID. You can use the identity to enable or disable a device. - -When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Microsoft Entra ID are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune. - -Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account. - -### Related to join type - -- [Microsoft Entra join](#azure-active-directory-join) -- [Microsoft Entra registration](#azure-ad-registration) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) - -### More information about join type - -[Introduction to device identity in Microsoft Entra ID](/azure/active-directory/devices/overview) - -## Key trust - -The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. - -### Related to key trust - -- [Cloud Kerberos trust](#cloud-kerberos-trust) -- [Certificate trust](#certificate-trust) -- [Deployment type](#deployment-type) -- [Microsoft Entra hybrid join](#hybrid-azure-ad-join) -- [Hybrid deployment](#hybrid-deployment) -- [On-premises deployment](#on-premises-deployment) -- [Trust type](#trust-type) - -### More information about key trust - -[Windows Hello for Business planning guide](hello-planning-guide.md) - -## Managed environment - -Managed environments are for non-federated environments where Microsoft Entra ID manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS). - -### Related to managed environment - -- [Federated environment](#federated-environment) -- [Pass-through authentication](#pass-through-authentication) -- [Password hash synchronization](#password-hash-sync) - -## On-premises deployment - -The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. - -### Related to on-premises deployment - -- [Cloud deployment](#cloud-deployment) -- [Deployment type](#deployment-type) -- [Hybrid deployment](#hybrid-deployment) - -### More information about on-premises deployment - -[Windows Hello for Business planning guide](hello-planning-guide.md) - -## Pass-through authentication - -Pass-through authentication provides a simple password validation for Microsoft Entra authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Microsoft Entra ID. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network. - -### Related to pass-through authentication - -- [Federated environment](#federated-environment) -- [Managed environment](#managed-environment) -- [Password hash synchronization](#password-hash-sync) - -### More information about pass-through authentication - -[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) - -## Password hash sync - -Password hash sync is the simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Microsoft Entra ID and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Microsoft Entra ID so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Microsoft Entra ID so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Microsoft Entra ID or stored in Microsoft Entra ID in clear text. Some premium features of Microsoft Entra ID, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network. - -### Related to password hash sync - -- [Federated environment](#federated-environment) -- [Managed environment](#managed-environment) -- [Pass-through authentication](#pass-through-authentication) - -### More information about password hash sync - -[Choose the right authentication method for your Microsoft Entra hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) - -## Primary refresh token - -Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device. - -The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com. - -The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied. - -## Storage root key - -The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken. - -### Related to storage root key - -- [Attestation identity keys](#attestation-identity-keys) -- [Endorsement key](#endorsement-key) -- [Trusted platform module](#trusted-platform-module) - -### More information about storage root key - -[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) - -## Trust type - -The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Microsoft Entra ID. Windows Hello for Business authentication to Microsoft Entra ID always uses the key, not a certificate (excluding smart card authentication in a federated environment). - -### Related to trust type - -- [Cloud Kerberos trust](#cloud-kerberos-trust) -- [Certificate trust](#certificate-trust) -- [Hybrid deployment](#hybrid-deployment) -- [Key trust](#key-trust) -- [On-premises deployment](#on-premises-deployment) - -### More information about trust type - -[Windows Hello for Business planning guide](hello-planning-guide.md) - -## Trusted platform module - -A trusted platform module (TPM) is a hardware component that provides unique security features. - -Windows uses security characteristics of a TPM for the following functions: - -- Measuring boot integrity sequence. Based on that sequence, it automatically unlocks BitLocker-protected drives -- Protecting credentials -- Health attestation - -A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). There are currently two versions of the TPM specification produced by TCG that aren't compatible with each other: - -- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. -- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. - -Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../hardware-security/tpm/tpm-recommendations.md). - -Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0. - -TPM 2.0 provides a major revision to the capabilities over TPM 1.2: - -- Update cryptography strength to meet modern security needs - - Support for SHA-256 for PCRs - - Support for HMAC command -- Cryptographic algorithms flexibility to support government needs - - TPM 1.2 is severely restricted in terms of what algorithms it can support - - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents -- Consistency across implementations - - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details - - TPM 2.0 standardizes much of this behavior - -In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component: - -- An RSA 2048-bit key generator -- A random number generator -- Nonvolatile memory for storing EK, SRK, and AIK keys -- A cryptographic engine to encrypt, decrypt, and sign -- Volatile memory for storing the PCRs and RSA keys - -### Related to trusted platform module - -- [Attestation identity keys](#attestation-identity-keys) -- [Endorsement key](#endorsement-key) -- [Storage root key](#storage-root-key) - -### More information about trusted platform module - -[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md deleted file mode 100644 index d8f299c354..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -title: How Windows Hello for Business works -description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. -ms.date: 05/05/2018 -ms.topic: overview ---- -# How Windows Hello for Business works in Windows Devices - -Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered devices. Windows Hello for Business also works for domain joined devices. - -Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. -> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] - -## Technical Deep Dive - -Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business. - -### Device Registration - -Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Microsoft Entra ID and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). - -For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works). - -### Provisioning - -Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential. - -Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works. - -> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s] - -For more information, read [how provisioning works](hello-how-it-works-provisioning.md). - -### Authentication - -With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. - -Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. - -> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek] - -For more information read [how authentication works](hello-how-it-works-authentication.md). - -## Related topics - -- [Technology and Terminology](hello-how-it-works-technology.md) -- [Windows Hello for Business](deploy/requirements.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index ba06402421..1b1ad680bf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -16,7 +16,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes Steps you'll perform include: -- [Prepare Microsoft Entra Connect](#prepare-azure-ad-connect) +- [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect) - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) - [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role) @@ -49,8 +49,6 @@ If you need to deploy more than three types of certificates to the Microsoft Ent All communication occurs securely over port 443. - - ## Prepare Microsoft Entra Connect Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. @@ -59,8 +57,6 @@ Most environments change the user principal name suffix to match the organizatio To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute. Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. - - ### Verify Microsoft Entra Connect version Sign-in to computer running Microsoft Entra Connect with access equivalent to _local administrator_. @@ -287,8 +283,6 @@ Sign-in to the issuing certificate authority or management workstations with _Do 11. Select on the **Apply** to save changes and close the console. - - ### Create a Microsoft Entra joined Windows Hello for Business authentication certificate template During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 4a2846f9e6..f1666e6453 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -4,6 +4,7 @@ description: Learn how to configure single sign-on to on-premises resources for ms.date: 12/30/2022 ms.topic: how-to --- + # Configure single sign-on for Microsoft Entra joined devices [!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)] @@ -65,7 +66,7 @@ Use this set of procedures to update the CA that issues domain controller certif You need to host your new certificate revocation list on a web server so Microsoft Entra joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point. > [!IMPORTANT] -> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http. +> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http. ### Install the web server @@ -119,7 +120,7 @@ These procedures configure NTFS and share permissions on the web server to allow > [!Tip] > Make sure that users can access **\\\Server FQDN\sharename**. -### Disable Caching +### Disable Caching 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server) 1. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing** 1. Select **Caching**. Select **No files or programs from the shared folder are available offline** @@ -190,7 +191,7 @@ Validate the new CRL distribution point is working. #### Reissue domain controller certificates -With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point. +With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point. 1. Sign-in a domain controller using administrative credentials 1. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer @@ -217,8 +218,6 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK** ![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png) - - ## Deploy the root CA certificate to Microsoft Entra joined devices The domain controllers have a certificate that includes the new CRL distribution point. Next, you need the enterprise root certificate so you can deploy it to Microsoft Entra joined devices. When you deploy the enterprise root certificates to a device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Microsoft Entra joined devices don't trust domain controller certificates and authentication fails. diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md deleted file mode 100644 index 896453d0bf..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ /dev/null @@ -1,103 +0,0 @@ ---- -title: Manage Windows Hello in your organization -description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business. -ms.date: 9/25/2023 -ms.topic: reference ---- - -# Manage Windows Hello for Business in your organization - -You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices. - ->[!IMPORTANT] ->Windows Hello as a convenience PIN is disabled by default on all domain joined and Microsoft Entra joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. -> ->Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business. - -## Group Policy settings for Windows Hello for Business - -The following table lists the Group Policy settings that you can configure for Windows Hello use in your organization. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. - -> [!NOTE] -> The location of the PIN complexity section of the Group Policy is: **Computer Configuration > Administrative Templates > System > PIN Complexity**. - -|Policy|Scope|Options| -|--- |--- |--- | -|Use Windows Hello for Business|Computer or user|- **Not configured**: Device doesn't provision Windows Hello for Business for any user.
        - **Enabled**: Device provisions Windows Hello for Business using keys or certificates for all users.
        - **Disabled**: Device doesn't provision Windows Hello for Business for any user.| -|Use a hardware security device|Computer|- **Not configured**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.
        - **Enabled**: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.
        - **Disabled**: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.| -|Use certificate for on-premises authentication|Computer or user|- **Not configured**: Windows Hello for Business enrolls a key that is used for on-premises authentication.
        - **Enabled**: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.
        - **Disabled**: Windows Hello for Business enrolls a key that is used for on-premises authentication.| -|Use PIN recovery|Computer|- Added in Windows 10, version 1703
        - **Not configured**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service
        - **Enabled**: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset
        - **Disabled**: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service.
        - For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| -|Use biometrics|Computer|- **Not configured**: Biometrics can be used as a gesture in place of a PIN
        - **Enabled**: Biometrics can be used as a gesture in place of a PIN.
        - **Disabled**: Only a PIN can be used as a gesture.| - -### PIN Complexity - -|Policy|Scope|Options| -|--- |--- |--- | -|Require digits|Computer|- **Not configured**: Users must include a digit in their PIN.
        - **Enabled**: Users must include a digit in their PIN.
        - **Disabled**: Users can't use digits in their PIN.| -|Require lowercase letters|Computer|- **Not configured**: Users can't use lowercase letters in their PIN
        - **Enabled**: Users must include at least one lowercase letter in their PIN.
        - **Disabled**: Users can't use lowercase letters in their PIN.| -|Maximum PIN length|Computer|- **Not configured**: PIN length must be less than or equal to 127.
        - **Enabled**: PIN length must be less than or equal to the number you specify.
        - **Disabled**: PIN length must be less than or equal to 127.| -|Minimum PIN length|Computer|- **Not configured**: PIN length must be greater than or equal to 4.
        - **Enabled**: PIN length must be greater than or equal to the number you specify.
        - **Disabled**: PIN length must be greater than or equal to 4.| -|Expiration|Computer|- **Not configured**: PIN doesn't expire.
        - **Enabled**: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.
        - **Disabled**: PIN doesn't expire.| -|History|Computer|- **Not configured**: Previous PINs aren't stored.
        - **Enabled**: Specify the number of previous PINs that can be associated to a user account that can't be reused.
        - **Disabled**: Previous PINs aren't stored.
        **Note** Current PIN is included in PIN history. -|Require special characters|Computer|- **Not configured**: Windows allows, but doesn't require, special characters in the PIN.
        - **Enabled**: Windows requires the user to include at least one special character in their PIN.
        - **Disabled**: Windows doesn't allow the user to include special characters in their PIN.| -|Require uppercase letters|Computer|- **Not configured**: Users can't include an uppercase letter in their PIN.
        - **Enabled**: Users must include at least one uppercase letter in their PIN.
        - **Disabled**: Users can't include an uppercase letter in their PIN.| - -### Phone Sign-in - -|Policy|Scope|Options| -|--- |--- |--- | -|Use Phone Sign-in|Computer|Not currently supported.| - -## MDM policy settings for Windows Hello for Business - -The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](/windows/client-management/mdm/passportforwork-csp). - ->[!IMPORTANT] ->All devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. - -|Policy|Scope|Default|Options| -|--- |--- |--- |--- | -|UsePassportForWork|Device or user|True|- True: Windows Hello for Business will be provisioned for all users on the device.
        - False: Users won't be able to provision Windows Hello for Business.
        **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but won't be able to set up Windows Hello for Business on other devices| -|RequireSecurityDevice|Device or user|False|- True: Windows Hello for Business will only be provisioned using TPM.
        - False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM isn't available.| -|ExcludeSecurityDevice
        - TPM12|Device|False|Added in Windows 10, version 1703
        - True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
        - False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.| -|EnablePinRecovery|Device or use|False|- Added in Windows 10, version 1703
        - True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.
        - False: Windows Hello for Business doesn't create or store a PIN recovery secret. PIN reset doesn't use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| - -### Biometrics - -|Policy|Scope|Default|Options| -|--- |--- |--- |--- | -|UseBiometrics|Device |False|- True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.
        - False: Only a PIN can be used as a gesture for domain sign-in.| -|- FacialFeaturesUser
        - EnhancedAntiSpoofing|Device|Not configured|- Not configured: users can choose whether to turn on enhanced anti-spoofing.
        - True: Enhanced anti-spoofing is required on devices which support it.
        - False: Users can't turn on enhanced anti-spoofing.| - -### PINComplexity - -|Policy|Scope|Default|Options| -|--- |--- |--- |--- | -|Digits |Device or user|1 |- 0: Digits are allowed.
        - 1: At least one digit is required.
        - 2: Digits aren't allowed.| -|Lowercase letters |Device or user|2|- 0: Lowercase letters are allowed.
        - 1: At least one lowercase letter is required.
        - 2: Lowercase letters aren't allowed.| -|Special characters|Device or user|2|- 0: Special characters are allowed.
        - 1: At least one special character is required.
        - 2: Special characters aren't allowed.| -|Uppercase letters|Device or user|2|- 0: Uppercase letters are allowed.
        - 1: At least one uppercase letter is required.
        - 2: Uppercase letters aren't allowed.| -|Maximum PIN length |Device or user|127 |- Maximum length that can be set is 127. Maximum length can't be less than minimum setting.| -|Minimum PIN length|Device or user|6|- Minimum length that can be set is 6. Minimum length can't be greater than maximum setting.| -|Expiration |Device or user|0|- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.| -|History|Device or user|0|- Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required.| - -### Remote - -|Policy|Scope|Default|Options| -|--- |--- |--- |--- | -|UseRemotePassport|Device or user|False|Not currently supported.| - ->[!NOTE] -> If a policy isn't explicitly configured to require letters or special characters, users can optionally set an alphanumeric PIN. - -## Policy conflicts from multiple policy sources - -Windows Hello for Business is designed to be managed by group policy or MDM, but not a combination of both. Avoid mixing group policy and MDM policy settings for Windows Hello for Business. If you mix group policy and MDM policy settings, the MDM settings are ignored until all group policy settings are cleared. - -> [!IMPORTANT] -> The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*. - -## Policy precedence - -Windows Hello for Business *user policies* take precedence over *computer policies*. If a user policy is set, the corresponded computer policy is ignored. If a user policy is not set, the computer policy is used. diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md deleted file mode 100644 index 55a70b9a89..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ /dev/null @@ -1,342 +0,0 @@ ---- -title: Plan a Windows Hello for Business Deployment -description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -ms.date: 09/16/2020 -ms.topic: overview ---- - -# Plan a Windows Hello for Business Deployment - -Congratulations! You're taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. - -This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. - -> [!Note] -> If you have a Microsoft Entra ID tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). - -## Using this guide - -There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It's important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. - -This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier. - -### How to Proceed - -Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment. - -There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are: - -- Deployment Options -- Client -- Management -- Active Directory -- Public Key Infrastructure -- Cloud - -### Baseline Prerequisites - -Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet. - -### Deployment Options - -The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options. - -#### Deployment models - -There are three deployment models from which you can choose: cloud only, hybrid, and on-premises. - -##### Cloud only - -The cloud only deployment model is for organizations who only have cloud identities and don't access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users don't use on-premises resources, they don't need certificates for things like VPN because everything they need is hosted in Azure. - -##### Hybrid - -The hybrid deployment model is for organizations that: - -- Are federated with Microsoft Entra ID -- Have identities synchronized to Microsoft Entra ID using Microsoft Entra Connect -- Use applications hosted in Microsoft Entra ID, and want a single sign-in user experience for both on-premises and Microsoft Entra resources - -> [!Important] -> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. -> -> **Requirements:** -> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 - -##### On-premises -The on-premises deployment model is for organizations that don't have cloud identities or use applications hosted in Microsoft Entra ID. - -> [!Important] -> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. -> -> **Requirements:** -> - Reset from settings - Windows 10, version 1703, Professional -> - Reset above lock screen - Windows 10, version 1709, Professional -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 - -It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. - -#### Trust types - -A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. - -> [!NOTE] -> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](deploy/hybrid-cloud-kerberos-trust.md). - -The key trust type doesn't require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. - -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust doesn't require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. - -> [!NOTE] -> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md). - -#### Device registration - -All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. For cloud only and hybrid deployment, the identity provider is Microsoft Entra ID. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role. - -#### Key registration - -The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user's public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Microsoft Entra ID. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. - -#### Multifactor authentication - -> [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multifactor authentication for their users should use cloud-based Microsoft Entra multifactor authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. - -The goal of Windows Hello for Business is to move organizations away from passwords by providing them with a strong credential that enables easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. - -Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-Factor Authentication Server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). -> [!NOTE] -> Microsoft Entra multifactor authentication is available through: -> * Microsoft Enterprise Agreement -> * Open Volume License Program -> * Cloud Solution Providers program -> * Bundled with -> * Microsoft Entra ID P1 or P2 -> * Enterprise Mobility Suite -> * Enterprise Cloud Suite - -#### Directory synchronization - -Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Microsoft Entra Connect to synchronize Active Directory identities or credentials between itself and Microsoft Entra ID. This helps enable single sign-on to Microsoft Entra ID and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification. - -### Management - -Windows Hello for Business provides organizations with a rich set of granular policy settings with which they can use to manage their devices and users. There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed. - -#### Group Policy - -Group Policy is the easiest and most popular way to manage Windows Hello for Business on domain joined devices. Simply create a Group Policy object with the settings you desire. Link the Group Policy object high in your Active Directory and use security group filtering to target specific sets of computers or users. Or, link the GPO directly to the organizational units. - -#### Modern management - -Modern management is an emerging device management paradigm that leverages the cloud for managing domain joined and nondomain joined devices. Organizations can unify their device management into one platform and apply policy settings using a single platform - -### Client - -Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios. - -Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement might change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices might require a minimum client running Windows 10, version 1703, also known as the Creators Update. - - -### Active Directory - -Hybrid and on-premises deployments include Active Directory as part of their infrastructure. Most of the Active Directory requirements, such as schema, and domain and forest functional levels are predetermined. However, your trust type choice for authentication determines the version of domain controller needed for the deployment. - -### Public Key Infrastructure - -The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments might need to issue VPN certificates to users to enable connectivity on-premises resources. - -### Cloud - -Some deployment combinations require an Azure account, and some require Microsoft Entra ID for user identities. These cloud requirements may only need an Azure account while other features need a Microsoft Entra ID P1 or P2 subscription. The planning process identifies and differentiates the components that are needed from those that are optional. - -## Planning a Deployment - -Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization's infrastructure. - -Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you'll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment. - -### Deployment Model - -Choose the deployment model based on the resources your users access. Use the following guidance to make your decision. - -If your organization doesn't have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet. - -If your organization is federated with Azure or uses any service, such as AD Connect, Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. - -If your organization doesn't have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. - ->[!NOTE] -> ->- Main use case of On-Premises deployment is for "Enhanced Security Administrative Environments" also known as "Red Forests" ->- Migration from on-premise to hybrid deployment will require redeployment - -### Trust type - -Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. - -Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. - -One trust model isn't more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust). - -Because the certificate trust types issues certificates, there's more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Microsoft Entra Connect. - -If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. - -If your organization wants to use the certificate trust type, write **certificate trust** in box **1b** on your planning worksheet. Write **Windows Server 2008 R2 or later** in box **4d**. In box **5c**, write **smart card logon** under the **Template Name** column and write **users** under the **Issued To** column on your planning worksheet. - -### Device Registration - -A successful Windows Hello for Business requires all devices to register with the identity provider. The identity provider depends on the deployment model. - -If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1c** on your planning worksheet. - -If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1c** on your planning worksheet. - -### Key Registration - -All users provisioning Windows Hello for Business have their public key registered with the identity provider. The identity provider depends on the deployment model. - -If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1d** on your planning worksheet. - -If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1d** on your planning worksheet. - -### Directory Synchronization - -Windows Hello for Business is strong user authentication, which usually means there's an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multifactor authentication during provisioning or writing the user's public key. - -If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Microsoft Entra ID and there isn't another directory with which the information must be synchronized. - -If box **1a** on your planning worksheet reads **hybrid**, then write **Microsoft Entra Connect** in box **1e** on your planning worksheet. - -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user's credentials remain on the on-premises network. - -### Multifactor authentication - -The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and can't be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity. - -If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service. Write **Azure MFA** in box **1f** on your planning worksheet. - -If box **1a** on your planning worksheet reads **hybrid**, then you have a few options, some of which depend on your directory synchronization configuration. The options from which you may choose include: -* Directly use Azure MFA cloud service -* Use AD FS w/Azure MFA cloud service adapter -* Use AD FS w/Azure MFA Server adapter -* Use AD FS w/3rd Party MFA Adapter - -You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service. - -If your Microsoft Entra Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Microsoft Entra Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Microsoft Entra ID and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet. - -You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet. - -Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises Azure MFA server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. - -The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. - -If box **1a** on your planning worksheet reads **on-premises**, then you have two-second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter. - -If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. - -### Management - -Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users. The type of policy management you can use depends on your selected deployment and trust models. - -If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage nondomain joined devices. If you choose to manage Microsoft Entra joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**. - -> [!NOTE] -> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization. - -If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet. - -Managing hybrid deployments includes two categories of devices to consider for your Windows Hello for Business deployment—domain joined and nondomain joined. All devices are registered, however, not all devices are domain joined. You have the option of using Group Policy for domain joined devices and modern management for nondomain joined devices. Or, you can use modern management for both domain and nondomain joined devices. - -If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet. Write **modern management** in box **2b** if you decide to manage nondomain joined devices; otherwise, write **N/A**. - -If you use modern management for both domain and nondomain joined devices, write **modern management** in box **2a** and **2b** on your planning worksheet. - -### Client - -Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions. - -If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices. -> [!NOTE] -> Microsoft Entra joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization. - -Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true. -* Box **2a** on your planning worksheet read **modern management**. - * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices. -* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **key trust**, and box **2a** reads **GP**. - Optionally, you may write **1511 or later* in box **3b** on your planning worksheet if you plan to manage nondomain joined devices. - -Write **1703 or later** in box **3a** on your planning worksheet if any of the following are true. -* Box **1a** on your planning worksheet reads **on-premises**. - Write **N/A** in box **3b** on your planning worksheet. -* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **certificate trust**, and box **2a** reads **GP**. - * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage nondomain joined devices. - -### Active Directory - -The Active Directory portion of the planning guide should be complete. Most of the conditions are baseline prerequisites except for your domain controllers. The domain controllers used in your deployment are decided by the chosen trust type. - -Review the trust type portion of this section if box **4d** on your planning worksheet remains empty. - -### Public Key Infrastructure - -Public key infrastructure prerequisites already exist in your planning worksheet. These conditions are the minimum requirements for any hybrid or on-premises deployment. Additional conditions may be needed based on your trust type. - -If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments don't use a public key infrastructure. - -If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section. - -The registration authority only relates to certificate trust deployments and the management used for domain and nondomain joined devices. Microsoft Entra hybrid joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Microsoft Entra hybrid joined devices and Microsoft Entra joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. - -If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances: - -| Certificate Template Name | Issued To | -| --- | --- | -| Exchange Enrollment Agent | AD FS RA | -| Web Server | AD FS RA | -| Exchange Enrollment Agent | NDES | -| Web Server | NDES | -| CEP Encryption | NDES | - -If box **2a** reads **GP** and box **2b** reads **N/A**, write **AD FS RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet. - -| Certificate Template Name | Issued To | -| --- | --- | -| Exchange Enrollment Agent | AD FS RA | -| Web Server | AD FS RA | - -If box **2a** or **2b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet. - -| Certificate Template Name | Issued To | -| --- | --- | -| Exchange Enrollment Agent | NDES | -| Web Server | NDES | -| CEP Encryption | NDES | - -### Cloud - -Nearly all deployments of Windows Hello for Business require an Azure account. - -If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Yes** in boxes **6a** and **6b** on your planning worksheet. - -If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments don't use the cloud directory. - -Windows Hello for Business doesn't require a Microsoft Entra ID P1 or P2 subscription. However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do. - -If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. - -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Microsoft Entra ID Free tier. All Microsoft Entra ID Free accounts can use Microsoft Entra multifactor authentication through the use of security defaults. Some Microsoft Entra multifactor authentication features require a license. For more details, see [Features and licenses for Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-licensing). - -If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, a Microsoft Entra ID P1 or P2 feature. - -Modern managed devices don't require a Microsoft Entra ID P1 or P2 subscription. By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM. - -If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**. - -## Congratulations, You're Done - -Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they're used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md deleted file mode 100644 index 52459fe655..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -title: Prepare people to use Windows Hello -description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.date: 08/19/2018 -ms.topic: end-user-help ---- -# Prepare people to use Windows Hello - -When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. - -After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. - -Although the organization may require users to change their Active Directory or Microsoft Entra account password at regular intervals, changes to their passwords have no effect on Hello. - -People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello. - -[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] - -## On devices owned by the organization - -When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. - -![who owns this pc.](images/corpown.png) - -Next, they select a way to connect. Tell the people in your enterprise which option they should pick here. - -![choose how you'll connect.](images/connect.png) - -They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. - -After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on. - -## On personal devices - -People who want to access work resources on their personal devices can add a work or school account in **Settings** > **Accounts** > **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials. - -People can go to **Settings** > **Accounts** > **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device. - -## Using Windows Hello and biometrics - -If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. - -:::image type="content" alt-text="This screenshot shows account sign-in options to windows, apps, and services using fingerprint or face." source="images/hellosettings.png"::: - -## Related topics - -- [Windows Hello for Business](deploy/requirements.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md deleted file mode 100644 index 24b362c125..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: Windows Hello for Business Videos -description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. -ms.date: 09/07/2023 -ms.topic: get-started ---- -# Windows Hello for Business Videos -## Overview of Windows Hello for Business and Features - -Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock - -> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] - -## Why PIN is more secure than a password - -Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password. - -> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA] - -## Microsoft's passwordless strategy - -Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** - -> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM] - -## Windows Hello for Business Provisioning - -Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works. - -> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s] - -## Windows Hello for Business Authentication - -Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. - -> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek] \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md deleted file mode 100644 index 6fe91595bc..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Why a PIN is better than an online password -description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password. -ms.date: 03/15/2023 -ms.topic: concept-article ---- -# Why a PIN is better than an online password - -Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might enforce complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First, we need to distinguish between two types of passwords: *local passwords* are validated against the machine's password store, whereas *online passwords* are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. - -Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password. - -> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA] - -## A PIN is tied to the device - -One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who obtains your online password can sign in to your account from anywhere, but if they obtain your PIN, they'd have to access your device too. - -The PIN can't be used anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. - -## PIN is local to the device - -An online password is transmitted to the server. The password can be intercepted in transmission or obtained from a server. A PIN is local to the device, never transmitted anywhere, and it isn't stored on the server. -When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request that is sent to the authenticating server. -Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section. - ->[!NOTE] ->For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](index.md#benefits-of-windows-hello). - -## PIN is backed by hardware - -The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Windows doesn't link local passwords to TPM, therefore PINs are considered more secure than local passwords. - -User key material is generated and available within the TPM of the device. The TPM protects the key material from attackers who want to capture and reuse it. Since Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. - -The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked. - -## PIN can be complex - -The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits. - -## What if someone steals the device? - -To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device. -You can provide more protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins. - -### Configure BitLocker without TPM - -To enable BitLocker without TPM, follow these steps: - -1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup** -1. In the policy option, select **Allow BitLocker without a compatible TPM > OK** -1. On the device, open **Control Panel > System and Security > BitLocker Drive Encryption** -1. Select the operating system drive to protect - -### Set account lockout threshold - -To configure account lockout threshold, follow these steps: - -1. Open the Local Group Policy Editor (gpedit.msc) and enable the policy: **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold** -1. Set the number of invalid logon attempts to allow, and then select OK - -## Why do you need a PIN to use biometrics? - -Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. - -If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md similarity index 81% rename from windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md rename to windows/security/identity-protection/hello-for-business/how-it-works-authentication.md index af0ff0de5a..5bd47775ff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md @@ -1,7 +1,7 @@ --- title: How Windows Hello for Business authentication works description: Learn about the Windows Hello for Business authentication flows. -ms.date: 05/24/2023 +ms.date: 01/03/2024 ms.topic: reference --- # Windows Hello for Business authentication @@ -10,11 +10,9 @@ Windows Hello for Business authentication is a passwordless, two-factor authenti Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in and can, optionally, authenticate to Active Directory. Microsoft Entra hybrid joined devices authenticate to Active Directory during sign-in, and authenticate to Microsoft Entra ID in the background. - - ## Microsoft Entra join authentication to Microsoft Entra ID -![Microsoft Entra join authentication to Microsoft Entra ID.](images/howitworks/auth-aadj-cloud.png) +:::image type="content" source="images/howitworks/auth/entra-join-entra.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Microsoft Entra ID." lightbox="images/howitworks/auth/entra-join-entra.png" border="false"::: > [!NOTE] > All Microsoft Entra joined devices authenticate with Windows Hello for Business to Microsoft Entra ID the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD. @@ -27,37 +25,31 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| - - ## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust -![Microsoft Entra join authentication to Active Directory.](images/howitworks/auth-aadj-cloudtrust-kerb.png) +:::image type="content" source="images/howitworks/auth/entra-join-ad-ckt.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Active Directory using cloud Kerberos trust." lightbox="images/howitworks/auth/entra-join-ad-ckt.png" border="false"::: | Phase | Description | | :----: | :----------- | -|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. +|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. |B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.| - - ## Microsoft Entra join authentication to Active Directory using a key -![Microsoft Entra join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png) +:::image type="content" source="images/howitworks/auth/entra-join-ad-kt.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Active Directory using key trust." lightbox="images/howitworks/auth/entra-join-ad-kt.png" border="false"::: | Phase | Description | | :----: | :----------- | -|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.| -|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
        The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| +|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.| +|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
        The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.| > [!NOTE] > You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins. - - ## Microsoft Entra join authentication to Active Directory using a certificate -![Microsoft Entra join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png) +:::image type="content" source="images/howitworks/auth/entra-join-ad-ct.png" alt-text="Diagram of a Microsoft Entra join device authenticating to Active Directory using certificate trust." lightbox="images/howitworks/auth/entra-join-ad-ct.png" border="false"::: | Phase | Description | | :----: | :----------- | @@ -68,11 +60,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in > [!NOTE] > You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. - - ## Microsoft Entra hybrid join authentication using cloud Kerberos trust -![Microsoft Entra hybrid join authentication using Microsoft Entra Kerberos](images/howitworks/auth-haadj-cloudtrust.png) +:::image type="content" source="images/howitworks/auth/hybrid-entra-join-ckt.png" alt-text="Diagram of a Microsoft Entra hybrid join device authenticating to Active Directory using cloud Kerberos trust." lightbox="images/howitworks/auth/hybrid-entra-join-ckt.png" border="false"::: | Phase | Description | | :----: | :----------- | @@ -80,18 +70,16 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID. |C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP. |D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT. -|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| - - +|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| ## Microsoft Entra hybrid join authentication using a key -![Microsoft Entra hybrid join authentication using a key.](images/howitworks/auth-haadj-keytrust.png) +:::image type="content" source="images/howitworks/auth/hybrid-entra-join-kt.png" alt-text="Diagram of a Microsoft Entra hybrid join device authenticating to Active Directory using key trust." lightbox="images/howitworks/auth/hybrid-entra-join-kt.png" border="false"::: | Phase | Description | | :----: | :----------- | |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| -|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
        The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| +|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
        The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. |D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.| |E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| @@ -101,11 +89,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in > [!IMPORTANT] > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time. - - ## Microsoft Entra hybrid join authentication using a certificate -![Microsoft Entra hybrid join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png) +:::image type="content" source="images/howitworks/auth/hybrid-entra-join-ct.png" alt-text="Diagram of a Microsoft Entra hybrid join device authenticating to Active Directory using certificate trust." lightbox="images/howitworks/auth/hybrid-entra-join-ct.png" border="false"::: | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md similarity index 85% rename from windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md rename to windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md index b2e01e88dd..9c6ef249eb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md @@ -1,7 +1,7 @@ --- title: How Windows Hello for Business provisioning works description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. -ms.date: 12/12/2022 +ms.date: 01/03/2024 ms.topic: reference appliesto: --- @@ -14,23 +14,12 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, - The Windows Hello for Business deployment type - If the environment is managed or federated -List of provisioning flows: - -- [Microsoft Entra joined provisioning in a managed environment](#microsoft-entra-joined-provisioning-in-a-managed-environment) -- [Microsoft Entra joined provisioning in a federated environment](#microsoft-entra-joined-provisioning-in-a-federated-environment) -- [Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment](#microsoft-entra-hybrid-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment) -- [Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment](#microsoft-entra-hybrid-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment) -- [Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment](#microsoft-entra-hybrid-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment) -- [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment) -- [Domain joined provisioning in an On-premises certificate trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment) - > [!NOTE] > The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration. -## Microsoft Entra joined provisioning in a managed environment +## Provisioning for Microsoft Entra joined devices with managed authentication -![Microsoft Entra joined provisioning in a managed environment.](images/howitworks/prov-aadj-managed.png) -[Full size image](images/howitworks/prov-aadj-managed.png) +:::image type="content" source="images/howitworks/prov/entra-join-managed.png" alt-text="Sequence diagram of the Windows Hello provisioning flow for Microsoft Entra joined devices with managed authentication." lightbox="images/howitworks/prov/entra-join-managed.png" border="false"::: | Phase | Description | |:-:|:-| @@ -38,10 +27,9 @@ List of provisioning flows: | B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). | | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application, which signals the end of user provisioning and the application exits. | -## Microsoft Entra joined provisioning in a federated environment +## Provisioning for Microsoft Entra joined devices with federated authentication -![Microsoft Entra joined provisioning in federated environment.](images/howitworks/prov-aadj-federated.png) -[Full size image](images/howitworks/prov-aadj-federated.png) +:::image type="content" source="images/howitworks/prov/entra-join-federated.png" alt-text="Sequence diagram of the Windows Hello provisioning flow for Microsoft Entra joined devices with federated authentication." lightbox="images/howitworks/prov/entra-join-federated.png" border="false"::: | Phase | Description | |:-:|:-| @@ -49,10 +37,9 @@ List of provisioning flows: | B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). | | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns key ID to the application, which signals the end of user provisioning and the application exits. | -## Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a managed environment +## Provisioning in a cloud Kerberos trust deployment model with managed authentication -![Microsoft Entra hybrid joined provisioning in a cloud Kerberos trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png) -[Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png) +:::image type="content" source="images/howitworks/prov/hybrid-entra-join-ckt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid cloud Kerberos trust deployment model with managed authentication." lightbox="images/howitworks/prov/hybrid-entra-join-ckt.png" border="false"::: | Phase | Description | |:-:|:-| @@ -63,25 +50,23 @@ List of provisioning flows: > [!NOTE] > Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Microsoft Entra ID to Active Directory. Users can immediately authenticate to Microsoft Entra ID and AD after provisioning their credential. -## Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment +## Provisioning in a hybrid key trust deployment model with managed authentication -![Microsoft Entra hybrid joined provisioning in a key trust deployment in a managed environment.](images/howitworks/prov-haadj-keytrust-managed.png) -[Full size image](images/howitworks/prov-haadj-keytrust-managed.png) +:::image type="content" source="images/howitworks/prov/hybrid-entra-join-managed-kt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid key trust deployment model with managed authentication." lightbox="images/howitworks/prov/hybrid-entra-join-managed-kt.png" border="false"::: | Phase | Description | |:-:|:-| | A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Microsoft Entra Web Account Manager plug-in.
        Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Microsoft Entra multifactor authentication service provides the second factor of authentication. If the user has performed Microsoft Entra multifactor authentication within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they aren't prompted for MFA because the current MFA remains valid.
        Microsoft Entra ID validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | | B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv). | | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Microsoft Entra ID, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Microsoft Entra ID returns a key ID to the application, which signals the end of user provisioning and the application exits. | -| D | Microsoft Entra Connect requests updates on its next synchronization cycle. Microsoft Entra ID sends the user's public key that was securely registered through provisioning. Microsoft Entra Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. | +| D | Microsoft Entra Connect requests updates on its next synchronization cycle. Microsoft Entra ID sends the user's public key that was securely registered through provisioning. Microsoft Entra Connect receives the public key and writes it to user's `msDS-KeyCredentialLink` attribute in Active Directory. | > [!IMPORTANT] > The newly provisioned user will not be able to sign in using Windows Hello for Business until Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory. -## Microsoft Entra hybrid joined provisioning in a synchronous certificate trust deployment in a federated environment +## Provisioning in a hybrid certificate trust deployment model with federated authentication -![Microsoft Entra hybrid joined provisioning in a synchronous Certificate trust deployment in a federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png) -[Full size image](images/howitworks/prov-haadj-instant-certtrust-federated.png) +:::image type="content" source="images/howitworks/prov/hybrid-entra-join-federated.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in a hybrid certificate trust deployment model with federated authentication." lightbox="images/howitworks/prov/hybrid-entra-join-federated.png" border="false"::: | Phase | Description | |:-|:-| @@ -96,10 +81,9 @@ List of provisioning flows: > [!IMPORTANT] > Synchronous certificate enrollment doesn't depend on Microsoft Entra Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Microsoft Entra Connect continues to synchronize the public key to Active Directory, but is not shown in this flow. -## Domain joined provisioning in an On-premises Key Trust deployment +## Provisioning in an on-premises key trust deployment model -![Domain joined provisioning in an On-premises Key Trust deployment.](images/howitworks/prov-onprem-keytrust.png) -[Full size image](images/howitworks/prov-onprem-keytrust.png) +:::image type="content" source="images/howitworks/prov/onprem-kt.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in an on-premises key trust deployment model." lightbox="images/howitworks/prov/onprem-kt.png" border="false"::: | Phase | Description | | :----: | :----------- | @@ -107,10 +91,9 @@ List of provisioning flows: | B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pregeneration pool, which includes attestation data. This is the user key (ukpub/ukpriv).| |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| -## Domain joined provisioning in an On-premises Certificate Trust deployment +## Provisioning in an on-premises certificate trust deployment model -![Domain joined provisioning in an On-premises Certificate Trust deployment.](images/howitworks/prov-onprem-certtrust.png) -[Full size image](images/howitworks/prov-onprem-certtrust.png) +:::image type="content" source="images/howitworks/prov/onprem-ct.png" alt-text="Sequence diagram of the Windows Hello provisioning flow in an on-premises certificate trust deployment model." lightbox="images/howitworks/prov/onprem-ct.png" border="false"::: | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md new file mode 100644 index 0000000000..87250d1fa9 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/how-it-works.md @@ -0,0 +1,236 @@ +--- +title: How Windows Hello for Business works +description: Learn how Windows Hello for Business works, and how it can help you protect your organization. +ms.date: 01/09/2024 +ms.topic: concept-article +--- + +# How Windows Hello for Business works + +Windows Hello for Business is a distributed system that requires multiple technologies to work together. To simplify the explanation of how Windows Hello for Business works, let's break it down into five phases, which represent the chronological order of the deployment process. + +> [!NOTE] +> Two of these phases are required only for certain deployment scenarios. +> +> The deployment scenarios are described in the article: [Plan a Windows Hello for Business deployment](deploy/index.md). + +:::row::: + :::column span="1"::: + :::image type="content" source="images/howitworks/device-registration.png" alt-text="Icon representing the device registration phase." border="false"::: + :::column-end::: + :::column span="3"::: + #### Device registration phase + :::column-end::: +:::row-end::: + +In this phase, the device registers its identity with the identity provider (IdP), so that it can be associated and authenticate to the IdP. + +:::row::: + :::column span="1"::: + :::image type="content" source="images/howitworks/provision.png" alt-text="Icon representing the provisioning phase." border="false"::: + :::column-end::: + :::column span="3"::: + #### Provisioning phase + :::column-end::: +:::row-end::: + +During this phase, the user authenticates using one form of authentication (typically, username/password) to request a new Windows Hello for Business credential. The provisioning flow requires a second factor of authentication before it can generate a public/private key pair. The public key is registered with the IdP, mapped to the user account. + +:::row::: + :::column span="1"::: + :::image type="content" source="images/howitworks/synchronization.png" alt-text="Icon representing the synchronization phase." border="false"::: + :::column-end::: + :::column span="3"::: + #### Key synchronization phase + :::column-end::: +:::row-end::: + +In this phase, **required by some hybrid deployments**, the user's public key is synchronized from Microsoft Entra ID to Active Directory. + +:::row::: + :::column span="1"::: + :::image type="content" source="images/howitworks/certificate-enrollment.png" alt-text="Icon representing the certificate enrollment phase." border="false"::: + :::column-end::: + :::column span="3"::: + #### Certificate enrollment phase + :::column-end::: +:::row-end::: + +In this phase, **required only by deployments using certificates**, a certificate is issued to the user using the organization's public key infrastructure (PKI). + +:::row::: + :::column span="1"::: + :::image type="content" source="images/howitworks/authentication.png" alt-text="Icon representing the authentication phase." border="false"::: + :::column-end::: + :::column span="3"::: + #### Authentication phase + :::column-end::: +:::row-end::: + +In this last phase, the user can sign-in to Windows using biometrics or a PIN. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The IdP validates the user identity by mapping the user account to the public key registered during the provisioning phase. + +The following sections provide deeper insights into each of these phases. + +## Device Registration + +All devices included in the Windows Hello for Business deployment must go through a process called *device registration*. Device registration enables devices to be associated and to authenticate to an IdP: + +- For cloud and hybrid deployments, the identity provider is Microsoft Entra ID, and the device registers with the *Device Registration Service* +- For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the *Enterprise Device Registration Service* hosted on AD FS + +When a device is registered, the IdP provides the device with an identity that is used to authenticate the device when a user signs-in. + +There are different registration types, which are identified as *join type*. For more information, see [What is a device identity][ENTRA-1]. + +For detailed sequence diagrams, see [how device registration works][ENTRA-4]. + +## Provisioning + +:::row::: + :::column::: + Windows Hello provisioning is triggered once device registration completes, and after the device receives a policy that enables Windows Hello. If all the prerequisites are met, a Cloud eXperience Host (CXH) window is launched to take the user through the provisioning flow. + :::column-end::: + :::column::: + :::image type="content" source="images/howitworks/cxh-provision.png" alt-text="Screenshot of the Cloud Experience Host prompting the user to provision Windows Hello." border="false" lightbox="images/howitworks/cxh-provision.png"::: + :::column-end::: +:::row-end::: + +> [!NOTE] +> The list of prerequisites varies depending on the deployment type, as described in the article [Plan a Windows Hello for Business deployment](deploy/index.md). + +During the provisioning phase, a *Windows Hello container* is created. A Windows Hello container is a logical grouping of *key material*, or data. The container holds organization's credentials only on devices that are *registered* with the organization's IdP. + +> [!NOTE] +> There are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials that Windows Hello stores, are protected without the creation of actual containers or folders. + +Here are the steps involved with the provisioning phase: + +1. In the CXH window, the user is prompted to authenticate to the IdP with MFA +1. After successful MFA, the user must provide a bio gesture (if available), and a PIN +1. After the PIN confirmation, the Windows Hello container is created +1. A public/private key pair is generated. The key pair is bound to the Trusted Platform Module (TPM), if available, or in software +1. The private key is stored locally and protected by the TPM, and can't be exported +1. The public key is registered with the IdP, mapped to the user account + 1. The Device Registration Service writes the key to the user object in Microsoft Entra ID + 1. For on-premises scenarios, AD FS writes the key to Active Directory + +The following video shows the Windows Hello for Business enrollment steps after signing in with a password: + +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=36dc8679-0fcc-4abf-868d-97ec8b749da7 alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."] + +For more information and detailed sequence diagrams, see [how provisioning works](how-it-works-provisioning.md). + +### Windows Hello container details + +:::row::: + :::column::: + During the provisioning phase, Windows Hello generates a new public/private key pair on the device. The TPM generates and protects the private key. If the device doesn't have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the *protector key*. The protector key is associated with a single gesture: if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures has a unique protector key. + + The protector key securely wraps the *authentication key*. The authentication key is used to unlock the *user ID keys*. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. + :::column-end::: + :::column::: + :::image type="content" source="images/howitworks/hello-container.png" alt-text="Diagram of the Windows Hello container." border="false" lightbox="images/howitworks/hello-container.png"::: + :::column-end::: +:::row-end::: + +Each protector encrypts its own copy of the authentication key. How the encryption is performed is up to the protector itself. For example, the PIN protector performs a TPM seal operation using the PIN as entropy, or when no TPM is available, performs symmetric encryption of the authentication key using a key derived from the PIN itself. + +> [!IMPORTANT] +> Keys can be generated in hardware (TPM 1.2 or 2.0) or software, based on the configured policy setting. To guarantee that keys are generated in hardware, you must configure a policy setting. For more information, see [Use a hardware security device](policy-settings.md#use-a-hardware-security-device). + +Personal (Microsoft account) and Work or School (Active Directory or Microsoft Entra ID) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. + +Windows Hello also generates an *administrative key*. The administrative key can be used to reset credentials when necessary. For example, when using the [PIN reset service](pin-reset.md). In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. + +Access to the key material stored in the container, is enabled only by the PIN or biometric gesture. The two-step verification that takes place during provisioning creates a trusted relationship between the IdP and the user. This happens when the public portion of the public/private key pair is sent to an identity provider and associated with the user account. When a user enters the gesture on the device, the identity provider knows that it's a verified identity, because of the combination of Windows Hello keys and gestures. It then provides an authentication token that allows Windows to access resources and services. + +A container can contain several types of key material: + +- An *authentication key*, which is always an asymmetric public-private key pair. This key pair is generated during registration. It must be unlocked each time it's accessed, by using either the user's PIN or a biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key is generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key +- One or multiple *user ID keys*. These keys can be either symmetric or asymmetric, depending on which IdP you use. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the user ID key or key pair can request access. User ID keys are used to sign or encrypt authentication requests or tokens sent from this device to the IdP. User ID keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Microsoft Entra accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IdP (which stores it for later verification), and securely stores the private key. For organizatrons, the user ID keys can be generated in two ways: + - The user ID key pair can be associated with an organization's Certificate Authority (CA). This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as VPN solutions, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the organization to store other certificates in the protected container. For example, certificates that allows the user to authenticate via RDP + - The IdP can generate the user ID key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don't have or need a PKI + +User ID keys are used to authenticate the user to a service. For example, by signing a nonce to prove possession of the private key, which corresponds to a registered public key. Users with an Active Directory, Microsoft Entra ID or Microsoft account have a key associated with their account. The key can be used to sign into their Windows device by authenticating to a domain controller (Active Directory scenario), or to the cloud (Microsoft Entra ID and MSA scenarios). + +Windows Hello can also be used as a FIDO2 authenticator to authenticate to any website that supports WebAuthn. Websites or application can create a FIDO user ID key in the user's Windows Hello container using APIs. On subsequent visits, the user can authenticate to the website or app using their Windows Hello PIN or biometric gesture. + +To learn more how Windows uses the TPM in support of Windows Hello for Business, see [How Windows uses the Trusted Platform Module](../../hardware-security/tpm/how-windows-uses-the-tpm.md). + +### Biometric data storage + +The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Even if an attacker could obtain the biometric data from a device, it couldn't be converted back into a raw biometric sample recognizable by the biometric sensor. + +Each sensor has its own biometric database file where template data is stored (path `C:\WINDOWS\System32\WinBioDatabase`). Each database file has a unique, randomly generated key that is encrypted to the system. The template data for the sensor is encrypted with the per-database key using AES with CBC chaining mode. The hash is SHA256. + +> [!NOTE] +>Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors store biometric data on the fingerprint module instead of in the database file. For more information, see [Windows Hello Enhanced Security Sign-in (ESS)][WINH-1]. + +## Key synchronization + +Key synchronization is required in hybrid environments. After the user provisions a Windows Hello for Business credential, the key must synchronize from Microsoft Entra ID to Active Directory. + +The user's public key is written to the `msDS-KeyCredentialLink` attribute of the user object in Active Directory. The synchronization is handled by Microsoft Entra Connect Sync. + +## Certificate enrollment + +For certificate deployments, after registering the key, the client generates a certificate request. The request is sent to the Certificate Registration Authority (CRA). The CRA is on the Active Directory Federation Services (AD FS) server, which validates the certificate request and fulfills it using the enterprise PKI. + +A certificate is enrolled on the user's Hello container, which is used to authenticate to on-premises resources. + +## Authentication + +Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials, and the token that is obtained using those credentials, are bound to the device. + +Authentication is the two-factor authentication with the combination of: + +- A key, or certificate, tied to a device and + - something that the person knows (a PIN) or + - something that the person is (biometrics) + +PIN entry and biometric gesture both trigger Windows to use the private key to cryptographically sign data that is sent to the identity provider. The IdP verifies the user's identity and authenticates the user. + +The PIN or the private portion of the credentials is never sent to the IdP, and the PIN isn't stored on the device. The PIN and bio gestures are *user-provided entropy* when performing operations that use the private portion of the credential. + +When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called *releasing the key*. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever User ID keys reside inside the container. + +These keys are used to sign requests that are sent to the IdP, requesting access to specified resources. + +> [!IMPORTANT] +> Although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn't require explicit validation through a user gesture, and the key material isn't exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure an application to require re-authentication anytime a specific operation is performed, even though the same account and PIN or gesture were already used to unlock the device. + +For more information and detailed sequence diagrams, see [how authentication works](how-it-works-authentication.md). + +### Primary refresh token + +Single sign-on (SSO) relies on special tokens obtained to access specific applications. In the traditional Windows Integrated authentication case using Kerberos, the token is a Kerberos TGT (ticket-granting ticket). For Microsoft Entra ID and AD FS applications, this token is a *primary refresh token* (PRT). It's a [JSON Web Token][WEB-1] that contains claims about both the user and the device. + +The PRT is initially obtained during sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. For personal devices registered with Microsoft Entra ID, the PRT is initially obtained upon *Add Work or School Account*. For a personal device, the account to unlock the device isn't the work account, but a consumer account (*Microsoft account*). + +The PRT is needed for SSO. Without it, users would be prompted for credentials every time they access applications. The PRT also contains information about the device. If you have any [device-based conditional access][ENTRA-3] policies set on an application, without the PRT access is denied. + +> [!TIP] +> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. + +For more information, see [What is a Primary Refresh Token][ENTRA-2]. + +### Windows Hello for Business and password changes + +Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate. + +## Next steps + +> [!div class="nextstepaction"] +> To accommodate the multitude of organizations needs and requirements, Windows Hello for Business offers different deployment options. To learn how to plan a Windows Hello for Business deployment, see: +> +> [Plan a Windows Hello for Business Deployment](deploy/index.md) + + + +[ENTRA-1]: /entra/identity/devices/overview +[ENTRA-2]: /entra/identity/devices/concept-primary-refresh-token +[ENTRA-3]: /entra/identity/conditional-access/concept-conditional-access-grant +[ENTRA-4]: /entra/identity/devices/device-registration-how-it-works + +[WEB-1]: https://openid.net/specs/draft-jones-json-web-token-07.html +[WINH-1]: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security diff --git a/windows/security/identity-protection/hello-for-business/images/authflow.png b/windows/security/identity-protection/hello-for-business/images/authflow.png deleted file mode 100644 index 1ddf18cc1f..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/authflow.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/connect.png b/windows/security/identity-protection/hello-for-business/images/connect.png deleted file mode 100644 index 2338eda8d2..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/connect.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/corpown.png b/windows/security/identity-protection/hello-for-business/images/corpown.png deleted file mode 100644 index f87d33ce86..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/corpown.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/fingerprint.svg b/windows/security/identity-protection/hello-for-business/images/fingerprint.svg new file mode 100644 index 0000000000..e2b816716a --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/images/fingerprint.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/security/identity-protection/hello-for-business/images/hello.svg b/windows/security/identity-protection/hello-for-business/images/hello.svg new file mode 100644 index 0000000000..5601c82127 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/images/hello.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/security/identity-protection/hello-for-business/images/hellosettings.png b/windows/security/identity-protection/hello-for-business/images/hellosettings.png deleted file mode 100644 index 9b897a136e..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hellosettings.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png deleted file mode 100644 index 344be6aa22..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png deleted file mode 100644 index 751e2fbe99..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloudtrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloudtrust-kerb.png deleted file mode 100644 index 1fec70ce5a..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloudtrust-kerb.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png deleted file mode 100644 index 095ebc3417..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png deleted file mode 100644 index 905d36fa8f..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-cloudtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-cloudtrust.png deleted file mode 100644 index 0a803d8fbb..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-cloudtrust.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png deleted file mode 100644 index 7f82cda5ae..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ckt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ckt.png new file mode 100644 index 0000000000..ef60414e70 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ckt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ct.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ct.png new file mode 100644 index 0000000000..e45839808a Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-ct.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-kt.png new file mode 100644 index 0000000000..213efe1241 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-ad-kt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-entra.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-entra.png new file mode 100644 index 0000000000..584702dcd1 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/entra-join-entra.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ckt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ckt.png new file mode 100644 index 0000000000..2ee3ebd7ff Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ckt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ct.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ct.png new file mode 100644 index 0000000000..7e4cb22dcf Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-ct.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-kt.png new file mode 100644 index 0000000000..9f085f40e9 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth/hybrid-entra-join-kt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/authentication.png b/windows/security/identity-protection/hello-for-business/images/howitworks/authentication.png new file mode 100644 index 0000000000..4c36e92b32 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/authentication.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/certificate-enrollment.png b/windows/security/identity-protection/hello-for-business/images/howitworks/certificate-enrollment.png new file mode 100644 index 0000000000..5b491739be Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/certificate-enrollment.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/cxh-provision.png b/windows/security/identity-protection/hello-for-business/images/howitworks/cxh-provision.png new file mode 100644 index 0000000000..28fe43819e Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/cxh-provision.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/device-registration.png b/windows/security/identity-protection/hello-for-business/images/howitworks/device-registration.png new file mode 100644 index 0000000000..f2efb0a732 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/device-registration.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/hello-container.png b/windows/security/identity-protection/hello-for-business/images/howitworks/hello-container.png new file mode 100644 index 0000000000..2cd717e7f4 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/hello-container.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png deleted file mode 100644 index dd7eee063e..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png deleted file mode 100644 index 3e67ac6b42..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-cloudtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-cloudtrust-managed.png deleted file mode 100644 index b2867c3aeb..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-cloudtrust-managed.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png deleted file mode 100644 index b7f4927730..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png deleted file mode 100644 index 5bf7d96a34..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png deleted file mode 100644 index 6afa492270..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png deleted file mode 100644 index 3e051918ce..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-federated.png new file mode 100644 index 0000000000..b1d934b030 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-federated.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-managed.png new file mode 100644 index 0000000000..8cba709a71 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/entra-join-managed.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-ckt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-ckt.png new file mode 100644 index 0000000000..2c49786e91 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-ckt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-federated.png new file mode 100644 index 0000000000..9cbe229993 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-federated.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-managed-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-managed-kt.png new file mode 100644 index 0000000000..66b65155ee Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/hybrid-entra-join-managed-kt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-ct.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-ct.png new file mode 100644 index 0000000000..9a19b71d78 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-ct.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-kt.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-kt.png new file mode 100644 index 0000000000..8a01d2dc3e Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov/onprem-kt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/provision.png b/windows/security/identity-protection/hello-for-business/images/howitworks/provision.png new file mode 100644 index 0000000000..3c79cec610 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/provision.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/synchronization.png b/windows/security/identity-protection/hello-for-business/images/howitworks/synchronization.png new file mode 100644 index 0000000000..2823638bc5 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/synchronization.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/iris.svg b/windows/security/identity-protection/hello-for-business/images/iris.svg new file mode 100644 index 0000000000..871cac50d5 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/images/iris.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png deleted file mode 100644 index 47823d76a8..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png deleted file mode 100644 index fd7afd80cb..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png b/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png deleted file mode 100644 index d00836529a..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passport-fig3-logicalcontainer.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png deleted file mode 100644 index 6b19520041..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/aduc-account-scril.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png deleted file mode 100644 index 21329d0ffa..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/exclude-credential-providers-properties.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png deleted file mode 100644 index 8552a3ee2f..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/four-steps-passwordless-strategy.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png deleted file mode 100644 index fd9085fbd1..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-exclude-credential-providers.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png deleted file mode 100644 index 1ec0fe5a29..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-require-smart-card-policy.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png deleted file mode 100644 index 9731de1222..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/gpmc-security-options.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png deleted file mode 100644 index 5935422718..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/require-whfb-smart-card-policy.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png deleted file mode 100644 index 9e3a5509a9..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2012-adac-user-scril.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png deleted file mode 100644 index 9b068a70a2..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-domain-scril.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png b/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png deleted file mode 100644 index b4e1575d05..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless-strategy/server-2016-adac-user-scril.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png deleted file mode 100644 index 06a13b6f1a..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless/edge-on.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg b/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg deleted file mode 100644 index dd8c09b2dd..0000000000 --- a/windows/security/identity-protection/hello-for-business/images/passwordless/key-credential-provider.svg +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - - - - - - diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png deleted file mode 100644 index abb9b6456d..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-on.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png deleted file mode 100644 index 8913baa8ce..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-off.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png b/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png deleted file mode 100644 index b0d03a6299..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/passwordless/uac-on.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/pin.svg b/windows/security/identity-protection/hello-for-business/images/pin.svg new file mode 100644 index 0000000000..a34b2fa5db --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/images/pin.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/security/identity-protection/hello-for-business/images/pinerror.png b/windows/security/identity-protection/hello-for-business/images/pinerror.png deleted file mode 100644 index 28a759f2fc..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/pinerror.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/provisioning-error.png b/windows/security/identity-protection/hello-for-business/images/provisioning-error.png new file mode 100644 index 0000000000..4f14752014 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/provisioning-error.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/smartcard.svg b/windows/security/identity-protection/hello-for-business/images/smartcard.svg new file mode 100644 index 0000000000..c9d40368b5 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/images/smartcard.svg @@ -0,0 +1,3 @@ + + + diff --git a/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md b/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md new file mode 100644 index 0000000000..9157046e94 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/allow-enumeration-of-emulated-smart-card-for-all-users.md @@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Allow enumeration of emulated smart card for all users + +Windows prevents users on the same device from enumerating provisioned Windows Hello for Business credentials for other users. If you enable this policy setting, Windows allows all users of the device to enumerate all Windows Hello for Business credentials, but still require each user to provide their own factors for authentication. If you disable or don't configure this policy setting, Windows doesn't allow the enumeration of provisioned Windows Hello for Business credentials for other users on the same device. + +This policy setting is designed for a single user who enrolls *privileged* and *nonprivileged* accounts on a single device. The user owns both credentials, which enable them to sign-in using nonprivileged credentials, but can perform elevated tasks without signing-out. This policy setting is incompatible with Windows Hello for Business credentials provisioned when the *Turn off smart card emulation* policy setting is enabled. + +| | Path | +|--|--| +| **CSP** | Not available | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md b/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md new file mode 100644 index 0000000000..23a614db9d --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/configure-device-unlock-factors.md @@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Configure device unlock factors + +Configure a comma separated list of credential provider GUIDs, such as face and fingerprint provider GUIDs, to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors, you should also configure a comma separated list of signal rules in the form of xml for each signal type to be verified. + +If you enable this policy setting, the user must use one factor from each list to successfully unlock. If you disable or don't configure this policy setting, users can continue to unlock with existing options. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/`[DeviceUnlock](/windows/client-management/mdm/passportforwork-csp#devicedeviceunlock) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | + +For more information, see [Multi-factor unlock](../multifactor-unlock.md). diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md b/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md new file mode 100644 index 0000000000..4cd7b376f1 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/configure-dynamic-lock-factors.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Configure dynamic lock factors + +Configure a comma separated list of signal rules in the form of xml for each signal type. + +- If you enable this policy setting, the signal rules are evaluated to detect user absence and automatically lock the device +- If you disable or don't configure the setting, users can continue to lock with existing options + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/DynamicLock/`[DynamicLock](/windows/client-management/mdm/passportforwork-csp#devicedynamiclock) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | diff --git a/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md b/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md new file mode 100644 index 0000000000..057da41f74 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/configure-enhanced-anti-spoofing.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Configure enhanced anti-spoofing + +This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. + +- If you enable this setting, Windows requires to use enhanced anti-spoofing for face authentication + > [!IMPORTANT] + > This disables face authentication on devices that don't support enhanced anti-spoofing. +- If you disable or don't configure this setting, Windows doesn't require enhanced anti-spoofing for face authentication + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/Biometrics/`[FacialFeaturesUseEnhancedAntiSpoofing](/windows/client-management/mdm/passportforwork-csp#devicebiometricsfacialfeaturesuseenhancedantispoofing) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | diff --git a/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md b/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md new file mode 100644 index 0000000000..d5308cbb87 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/enable-ess-with-supported-peripherals.md @@ -0,0 +1,25 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Enable ESS with supported peripherals + +Enhanced Sign-in Security (ESS) adds a layer of security to biometric data by using specialized hardware and software components, for example Virtualization Based Security (VBS) and Trusted Platform Module 2.0. +With ESS, Windows Hello biometric (face and fingerprint) template data and matching operations are isolated to trusted hardware or specified memory regions, and the rest of the operating system can't access or tamper with them. Since the channel of communication between the sensors and the algorithm is also secured, it's impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine. + +If you enable this policy, you can configure the following values: + +- `0`: ESS is enabled with peripheral or built-in non-ESS sensors. Authentication operations of peripheral Windows Hello capable devices are allowed, subject to current feature limitations. ESS is enabled on devices with a mixture of biometric devices, such as an ESS-capable fingerprint reader and a non-ESS capable camera. Therefore, this setting is not recommended +- `1`: ESS is enabled without peripheral or built-in non-ESS sensors. Authentication operations of any peripheral biometric device are blocked and not available for Windows Hello. This setting is recommended for highest security + +If you disable or not configure this setting, then non-ESS sensors are blocked on the ESS device. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/Biometrics/`[EnableESSwithSupportedPeripherals](/windows/client-management/mdm/passportforwork-csp#devicebiometricsenableesswithsupportedperipherals) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | + +For more information, see [How does Enhanced Sign-in Security protect biometric data](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#how-does-enhanced-sign-in-security-protect-biometric-data). diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md new file mode 100644 index 0000000000..6d5e71de6c --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md @@ -0,0 +1,17 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Expiration + +This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy is set to 0. + +The default value is 0. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration)

        `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityexpiration) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**| diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md new file mode 100644 index 0000000000..f172d6e9f6 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/history.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### History + +This setting specifies the number of past PINs that can be associated to a user account that can't be reused. This policy enhances security by ensuring that old PINs are not reused continually. The value must be between 0 to 50 PINs. If this policy is set to 0, then storage of previous PINs is not required. + +The default value is 0. + +> [!NOTE] +> PIN history is not preserved through PIN reset. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory)

        `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityhistory) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | diff --git a/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md b/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md new file mode 100644 index 0000000000..9ab86cb5f7 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/maximum-pin-length.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Maximum PIN length + +Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. If you configure this policy setting, the PIN length must be less than or equal to this number. + +If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127. + +> [!NOTE] +> If the above specified conditions for the maximum PIN length aren't met, default values are used for both the maximum and minimum PIN lengths. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexitymaximumpinlength](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitymaximumpinlength)

        `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexitymaximumpinlength](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitymaximumpinlength) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | diff --git a/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md b/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md new file mode 100644 index 0000000000..ba9b806c2b --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/minimum-pin-length.md @@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Minimum PIN length + +Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +If you configure this policy setting, the PIN length must be greater than or equal to this number. +If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 6. + +> [!NOTE] +> If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityminimumpinlength](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityminimumpinlength)

        `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityminimumpinlength](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityminimumpinlength)| +| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | diff --git a/windows/security/identity-protection/hello-for-business/includes/require-digits.md b/windows/security/identity-protection/hello-for-business/includes/require-digits.md new file mode 100644 index 0000000000..e2ca5a2621 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/require-digits.md @@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Require digits + +Use this policy setting to configure the use of digits in the PIN: + +- If you enable this policy setting, Windows requires the user to include at least one digit in their PIN +- If you disable this policy setting, Windows doesn't allow the user to include digits in their PINs +- If you don't configure this policy setting, Windows allows, but doesn't require, digits in the PIN + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexitydigits](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitydigits)

        `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexitydigits](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitydigits) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | diff --git a/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md b/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md new file mode 100644 index 0000000000..b84ed743ee --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/require-lowercase-letters.md @@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Require lowercase letters + +Use this policy setting to configure the use of lowercase letters in the PIN: + +- If you enable this policy setting, Windows requires the user to include at least one lowercase letter in their PIN +- If you disable this policy setting, Windows doesn't allow the user to include lowercase letters in their PIN +- If you don't configure this policy setting, Windows allows, but doesn't require, lowercase letters in the PIN + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexitylowercaseletters](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexitylowercaseletters)

        `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexitylowercaseletters](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexitylowercaseletters) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | diff --git a/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md b/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md new file mode 100644 index 0000000000..deeb7f56e4 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/require-special-characters.md @@ -0,0 +1,25 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Require special characters + +Scope: Machine + +Use this policy setting to configure the use of special characters in the PIN. Special characters include the following set: + +``` text +! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ +``` + +- If you enable this policy setting, Windows requires the user to include at least one special character in their PIN +- If you disable this policy setting, Windows doesn't allow the user to include special characters in their PIN +- If you don't configure this policy setting, Windows allows, but doesn't require, special characters in the PIN + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityspecialcharacters](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityspecialcharacters)

        `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityspecialcharacters](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityspecialcharacters) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | diff --git a/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md b/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md new file mode 100644 index 0000000000..b90cda9fa3 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/require-uppercase-letters.md @@ -0,0 +1,19 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Require uppercase letters + +Use this policy setting to configure the use of uppercase letters in the PIN: + +- If you enable this policy setting, Windows requires the user to include at least one uppercase letter in their PIN +- If you disable this policy setting, Windows doesn't allow the user to include uppercase letters in their PIN +- If you don't configure this policy setting, Windows allows, but doesn't require, uppercase letters in the PIN + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityuppercaseletters](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityuppercaseletters)

        `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityuppercaseletters](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityuppercaseletters) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | diff --git a/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md b/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md new file mode 100644 index 0000000000..502e1d18f1 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/turn-off-smart-card-emulation.md @@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Turn off smart card emulation + +Windows Hello for Business automatically provides smart card emulation for compatibility with smart card enabled applications. + +- If you enable this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials that are not compatible with smart card applications +- If you disable or don't configure this policy setting, Windows Hello for Business provisions Windows Hello for Business credentials compatible with smart card applications + +> [!IMPORTANT] +> This policy affects Windows Hello for Business credentials at the time of creation. Credentials created before the application of this policy continue to provide smart card emulation. To change an existing credential, enable this policy setting and select *I forgot my PIN* from Settings. + +| | Path | +|--|--| +| **CSP** | Not available | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | diff --git a/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md b/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md new file mode 100644 index 0000000000..3dfb45f8ba --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/use-a-hardware-security-device.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Use a hardware security device + +A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it can't be used on other devices. + +- If you enable this policy setting, Windows Hello for Business provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude TPM revision 1.2 modules, which prevents Windows Hello for Business provisioning on those devices + > [!TIP] + > The TPM 1.2 specification only allows the use of RSA and the SHA-1 hashing algorithm. TPM 1.2 implementations vary in policy settings, which may result in support issues as lockout policies vary. It's recommended to exclude TPM 1.2 devices from Windows Hello for Business provisioning. +-If you disable or don't configure this policy setting, the TPM is still preferred, but all devices can provision Windows Hello for Business using software if the TPM is nonfunctional or unavailable. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[RequireSecurityDevice](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesrequiresecuritydevice)

        `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/ExcludeSecurityDevices/`[TPM12](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesexcludesecuritydevicestpm12) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | diff --git a/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md b/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md new file mode 100644 index 0000000000..761017763f --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/use-biometrics.md @@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Use biometrics + +Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However users must still configure a PIN to use in case of failures. + +- If you enable or don't configure this policy setting, Windows Hello for Business allows the use biometric gestures +- If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures + +> [!NOTE] +> Disabling this policy prevents the user of biometric gestures on the device for all account types. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/Biometrics/`[UseBiometrics](/windows/client-management/mdm/passportforwork-csp#devicebiometricsusebiometrics) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | diff --git a/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md b/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md new file mode 100644 index 0000000000..78c1064fbe --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/use-certificate-for-on-premises-authentication.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Use certificate for on-premises authentication + +Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authentication. + +- If you enable this policy setting, Windows Hello for Business enrolls a sign-in certificate that is used for on-premises authentication +- If you disable or don't configure this policy setting, Windows Hello for Business will use a key or a Kerberos ticket (depending on other policy settings) for on-premises authentication + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseCertificateForOnPremAuth](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusecertificateforonpremauth)| +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**

        **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**| diff --git a/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md b/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md new file mode 100644 index 0000000000..77b3878741 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/use-cloud-trust-for-on-premises-authentication.md @@ -0,0 +1,21 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Use cloud trust for on-premises authentication + +Use this policy setting to configure Windows Hello for Business to use the cloud Kerberos trust model. + +- If you enable this policy setting, Windows Hello for Business uses a Kerberos ticket retrieved from authenticating to Microsoft Entra ID for on-premises authentication +- If you disable or don't configure this policy setting, Windows Hello for Business uses a key or certificate (depending on other policy settings) for on-premises authentication + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseCloudTrustForOnPremAuth](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusecloudtrustforonpremauth) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | + +> [!NOTE] +> Cloud Kerberos trust is incompatible with certificate trust. If the certificate trust policy setting is enabled, it takes precedence over this policy setting. diff --git a/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md new file mode 100644 index 0000000000..8f28f8f8d1 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/use-pin-recovery.md @@ -0,0 +1,24 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Use PIN recovery + +PIN Recovery enables a user to change a forgotten PIN using the Windows Hello for Business PIN recovery service, without losing any associated credentials or certificates, including any keys associated with the user's personal accounts on the device. + +To achieve this, the PIN recovery service encrypts a recovery secret, which is stored on the device, and requires both the PIN recovery service and the device to decrypt. + +PIN recovery requires the user to perform multi-factor authentication to Microsoft Entra ID. + +- If you enable this policy setting, Windows Hello for Business uses the PIN recovery service +- If you disable or don't configure this policy setting, Windows doesn't create or store the PIN recovery secret. If the user forgets their PIN, they must delete their existing PIN and create a new one, and they must re-register with any services to which the old PIN provided access + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[EnablePinRecovery](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesenablepinrecovery)
        `./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[EnablePinRecovery](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciesenablepinrecovery) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | + +For more information, see [PIN reset](../pin-reset.md). diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md new file mode 100644 index 0000000000..2d3b0707f3 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md @@ -0,0 +1,20 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Use Windows Hello for Business certificates as smart card certificates + +This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. + +- If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key +- If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key + +This policy setting is incompatible with Windows Hello for Business credentials provisioned when [Turn off smart card emulation](../policy-settings.md#turn-off-smart-card-emulation) is enabled. + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseHelloCertificatesAsSmartCardCertificates](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusehellocertificatesassmartcardcertificates) | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md new file mode 100644 index 0000000000..9278bcd9ef --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md @@ -0,0 +1,32 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 01/03/2024 +ms.topic: include +--- + +### Use Windows Hello for Business + +- If you enable this policy, the device provisions Windows Hello for Business using keys or certificates for all users +- If you disable this policy setting, the device doesn't provision Windows Hello for Business for any user +- If you don't configure this policy setting, users can provision Windows Hello for Business + +Select the option *Don't start Windows Hello provisioning after sign-in* when you use a third-party solution to provision Windows Hello for Business: + +- If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in +- If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in + +:::row::: +:::column span="1"::: +:::image type="content" source="../../../images/insider.png" alt-text="Logo of Windows Insider." border="false"::: +:::column-end::: +:::column span="3"::: +> [!IMPORTANT] +>This policy setting is available via CSP only for [Windows Insider Preview builds](/windows-insider/). +:::column-end::: +:::row-end::: + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UsePassportForWork](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusepassportforwork)

        `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[DisablePostLogonProvisioning](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesdisablepostlogonprovisioning)| +| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**

        **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**| diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md index e0be2b5b93..7c03078ac9 100644 --- a/windows/security/identity-protection/hello-for-business/index.md +++ b/windows/security/identity-protection/hello-for-business/index.md @@ -1,112 +1,106 @@ --- -title: Windows Hello for Business Overview +title: Windows Hello for Business overview description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices. ms.topic: overview -ms.date: 04/24/2023 +ms.date: 01/03/2024 --- -# Windows Hello for Business Overview -Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN. +# Windows Hello for Business ->[!NOTE] -> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +## Overview -Windows Hello addresses the following problems with passwords: +*Windows Hello* is an authentication technology that allows users to sign in to their Windows devices using biometric data, or a PIN, instead of a traditional password. It provides enhanced security through phish-resistant two-factor authentication, and built-in brute force protection. With FIDO/WebAuthn, Windows Hello can also be used to sign in to supported websites, reducing the need to remember multiple complex passwords. -- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials (passwords). -- Passwords are subject to [replay attacks](/previous-versions/dotnet/netframework-4.0/aa738652(v=vs.100)). -- Users can inadvertently expose their passwords due to phishing attacks. +*Windows Hello for Business* is an **extension** of Windows Hello that provides enterprise-grade security and management capabilities, including device attestation, certificate-based authentication, and conditional access policies. Policy settings can be deployed to devices to ensure they're secure and compliant with organizational requirements. -Windows Hello lets users authenticate to: +The following table lists the main authentication and security differences between Windows Hello and Windows Hello for business: -- A Microsoft account. -- An Active Directory account. -- A Microsoft Entra account. -- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication. +||Windows Hello for Business|Windows Hello| +|-|-|-| +|**Authentication**|Users can authenticate to:
        - A Microsoft Entra ID account
        - An Active Directory account
        - Identity provider (IdP) or relying party (RP) services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.|Users can authenticate to:
        - A Microsoft account
        - Identity provider (IdP) or relying party (RP) services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.| +|**Security**|It uses **key-based** or **certificate-based** authentication. There's no symmetric secret (password) which can be stolen from a server or phished from a user and used remotely.
        Enhanced security is available on devices with a Trusted Platform Module (TPM).|Users can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on the account type. This configuration is referred to as *Windows Hello convenience PIN*, and it's not backed by asymmetric (public/private key) or certificate-based authentication.| -After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. +> [!NOTE] +> FIDO2 (Fast Identity Online) authentication is an open standard for passwordless authentication. It allows users to sign in to their devices and apps using biometric authentication or a physical security key, without the need for a traditional password. FIDO2 support in Windows Hello for Business provides an additional layer of security and convenience for users, while also reducing the risk of password-related attacks. -As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. +## Benefits + +Windows Hello for Business provides many benefits, including: + +- It helps to strengthen protections against credential theft. An attacker must have both the device and the biometric or PIN, making it much more difficult to gain access without the user's knowledge +- Since no passwords are used, it circumvents phishing and brute force attacks. Most importantly, it prevents server breaches and replay attacks because the credentials are asymmetric and generated within isolated environments of TPMs +- Users get a simple and convenient authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. The use of a PIN doesn't compromise security, since Windows Hello has built-in brute force protection, and the PIN never leaves the device +- You can add biometric devices as part of a coordinated rollout or to specific users, as needed + +The following video shows a demonstration of Windows Hello for Business in action, where a user signs in with a fingerprint: + +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=fb5ceb53-d82b-4997-bde1-d473b620038a] + +## Windows Hello and two factor authentication + +Windows Hello for Business uses a two-factor authentication method that combines a device-specific credential with a biometric or PIN gesture. This credential is tied to your identity provider, such as Microsoft Entra ID or Active Directory, and can be used to access organization apps, websites, and services. + +After an initial two-step verification of the user during provisioning, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, and a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. + +Windows Hello for Business is considered two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the *something you know* authentication factor with the *something that is part of you* factor, with the assurances that users can fall back to the *something you know factor*. ## Biometric sign-in - Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials. + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras and fingerprint readers. -- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. -- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is more reliable and less error-prone. Most existing fingerprint readers work with Windows 10 and Windows 11, whether they're external or integrated into laptops or USB keyboards. -- **Iris Recognition**. This type of biometric recognition uses cameras to perform scan of your iris. HoloLens 2 is the first Microsoft device to introduce an Iris scanner. These iris scanners are the same across all HoloLens 2 devices. +On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials: -Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). +- **Facial recognition**: this type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors offer external cameras that incorporate this technology, and many laptop manufacturers incorporate it into their devices +- **Fingerprint recognition**: this type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Most existing fingerprint readers work with Windows, whether they're external or integrated into laptops or USB keyboards +- **Iris Recognition**: this type of biometric recognition uses cameras to perform scan of your iris. HoloLens 2 is the first Microsoft device to introduce an Iris scanner -## The difference between Windows Hello and Windows Hello for Business - -- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as *Windows Hello convenience PIN* and it's not backed by asymmetric (public/private key) or certificate-based authentication. - -- *Windows Hello for Business*, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than *Windows Hello convenience PIN*. - -## Benefits of Windows Hello - -Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. - -You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they're entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials. - -In Windows 10 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows that it's a verified identity, because of the combination of Windows Hello keys and gestures. It then provides an authentication token that allows Windows to access resources and services. - -> [!NOTE] -> Windows Hello as a convenience sign-in uses regular username and password authentication, without the user entering the password. - -:::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png"::: - -Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. - -Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. +Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. [!INCLUDE [windows-hello-for-business](../../../../includes/licensing/windows-hello-for-business.md)] -## How Windows Hello for Business works: key points +> [!NOTE] +> Windows Hello for Business doesn't work with [Microsoft Entra Domain Services](/entra/identity/domain-services/overview). -- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. +## Hardware requirements -- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Microsoft Entra ID, or a Microsoft account. +Microsoft collaborates with manufacturers to help ensuring a high-level of performance and protection is met by each sensor and device, based on the following requirements: -- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy. +- **False Accept Rate (FAR):** represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100,000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important regarding the security of the biometric algorithm +- **False Reject Rate (FRR):** represents the instances a biometric identification solution fails to verify an authorized person correctly. Represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection -- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture doesn't roam between devices and isn't shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. +### Fingerprint sensor requirements -- The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. +To allow fingerprint matching, devices must have fingerprint sensors and software. Fingerprint sensors can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures. -- PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. +Acceptable performance range for small to large size touch sensors: -- Personal (Microsoft account) and corporate (Active Directory or Microsoft Entra ID) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. +- False Accept Rate (FAR): <0.001 - 0.002% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% -- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. +Acceptable performance range for swipe sensors: -For details, see [How Windows Hello for Business works](hello-how-it-works.md). +- False Accept Rate (FAR): <0.002% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% -## Comparing key-based and certificate-based authentication +### Facial recognition sensors -Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Microsoft Entra ID as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. +To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). -Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Remote Credential Guard](../remote-credential-guard.md). +- False Accept Rate (FAR): <0.001% +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% -## Learn more +> [!NOTE] +>Windows Hello face authentication doesn't support wearing a mask during enrollment or authentication. If your working environment doesn't allow you to remove a mask temporarily, consider using PIN or fingerprint. -[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/insidetrack/implementing-strong-user-authentication-with-windows-hello-for-business) +### Iris recognition sensor requirements -[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/insidetrack/implementing-windows-hello-for-business-at-microsoft) +To use Iris authentication, you need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K. -[Windows Hello for Business: Authentication](https://youtu.be/WPmzoP_vMek): In this video, learn about Windows Hello for Business and how it's used to sign-in and access resources. +For more information about the hardware requirements for Windows Hello, see [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). -[Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication) +## Next steps -## Related articles - -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) +> [!div class="nextstepaction"] +> +> [Learn how Windows Hello for Business works >](how-it-works.md) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md similarity index 82% rename from windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md rename to windows/security/identity-protection/hello-for-business/multifactor-unlock.md index a99c25dc3c..2662652a30 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md @@ -1,9 +1,10 @@ --- title: Multi-factor unlock -description: Learn how Windows offers multi-factor device unlock by extending Windows Hello with trusted signals. -ms.date: 03/30/2023 +description: Learn how to configure Windows Hello for Business multi-factor unlock by extending Windows Hello with trusted signals. +ms.date: 01/03/2024 ms.topic: how-to --- + # Multi-factor unlock Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. @@ -331,35 +332,66 @@ The following example configures **Wi-Fi** as a trusted signal. ``` -## Deploy Multifactor Unlock +## Configure multi-factor unlock ->[!IMPORTANT] ->You need to remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). +To configure multi-factor unlock you can use: -### Create the Multifactor Unlock Group Policy object - -The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. +- Microsoft Intune/CSP +- Group policy >[!IMPORTANT] > > - PIN **must** be in at least one of the groups > - Trusted signals **must** be combined with another credential provider -> - You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both -> - The multifactor unlock feature is also supported via the Passport for Work CSP. For more information, see [Passport For Work CSP](/windows/client-management/mdm/passportforwork-csp). +> - You can't use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in bothcategories, it means it can satisfy either category, but not both -1. Start the **Group Policy Management Console** (`gpmc.msc`). -1. Expand the domain and select the **Group Policy Object** node in the navigation pane. -1. Right-click **Group Policy object** and select **New**. -1. Type *Multifactor Unlock* in the name box and select **OK**. -1. In the content pane, right-click the **Multifactor Unlock** Group Policy object and select **Edit**. -1. In the navigation pane, expand **Policies** under **Computer Configuration**. -1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. - ![Group Policy Editor.](images/multifactorUnlock/gpme.png) -1. In the content pane, open **Configure device unlock factors**. Select **Enable**. The **Options** section populates the policy setting with default values. - ![Multifactor Policy Setting.](images/multifactorUnlock/gp-setting.png) -1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors). -1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider). -1. Select **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) + +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | +|--|--| +| **Administrative Templates** > **Windows Hello for Business** | Device Unlock Plugins | + +1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors) +1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [PassportForWork CSP][CSP-1]. + +| Setting | +|--------| +| ./Device/Vendor/MSFT/PassportForWork/[DeviceUnlock](/windows/client-management/mdm/passportforwork-csp#devicedeviceunlock)| + +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) + +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | Configure device unlock factors | Enabled | + +1. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configure-unlock-factors) +1. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) + +[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] + +--- + +>[!IMPORTANT] +>You should remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed). + +## User experience + +Here's a brief video showing the user experience when multi-factor unlock is enabled: + +1. The user first signs in with fingerprint + Bluetooth-paired phone +1. The user then signs in with fingerprint + PIN + +> [!VIDEO https://learn-video.azurefd.net/vod/player?id=2bdf21db-30c9-4d8e-99ff-f3ae72c494fe alt-text="Video showing the user experience of multi-factor unlock using fingerprint+Bluetooth and fingerprint+PIN."] ## Troubleshoot @@ -374,3 +406,8 @@ Multi-factor unlock writes events to event log under **Application and Services |6520|Warning event| |7520|Error event| |8520|Success event| + + + +[CSP-1]: /windows/client-management/mdm/passportforwork-csp +[INT-1]: /mem/intune/configuration/settings-catalog diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md deleted file mode 100644 index fd387134b6..0000000000 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ /dev/null @@ -1,338 +0,0 @@ ---- -title: Password-less strategy -description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. -ms.topic: conceptual -ms.date: 05/24/2022 ---- - -# Password-less strategy - -This article describes Windows' password-less strategy and how Windows Hello for Business implements this strategy. - -## Four steps to password freedom - -Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. - -:::image type="content" source="images/passwordless-strategy/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps."::: - -### 1. Develop a password replacement offering - -Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Microsoft Entra ID and Active Directory. - -Deploying Windows Hello for Business is the first step towards a password-less environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. - -### 2. Reduce user-visible password surface area - -With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. This state helps decondition users from providing a password anytime a password prompt shows on their computer. This behavior is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. - -### 3. Transition into a password-less deployment - -Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: - -- The users never type their password. -- The users never change their password. -- The users don't know their password. - -In this world, the user signs in to Windows using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. - -### 4. Eliminate passwords from the identity directory - -The final step of the password-less story is where passwords simply don't exist. At this step, identity directories no longer persist any form of the password. This stage is where Microsoft achieves the long-term security promise of a truly password-less environment. - -## Methodology - -Four steps to password freedom provide an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a password-less environment, but can easily become overwhelmed by any of the steps. You aren't alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here's one recommendation based on several years of research, investigation, and customer conversations. - -### Prepare for the journey - -The road to being password-less is a journey. The duration of that journey varies for each organization. It's important for IT decision-makers to understand the criteria influencing the length of that journey. - -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the following components: - -- Number of departments -- Organization or department hierarchy -- Number and type of applications and services -- Number of work personas -- Organization's IT structure - -#### Number of departments - -The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and others such as research and development or support. Small organizations may not explicitly segment their departments, while larger ones may. Additionally, there may be subdepartments, and subdepartments of those subdepartments as well. - -You need to know all the departments within your organization and you need to know which departments use computers and which ones don't. It's fine if a department doesn't use computers (probably rare, but acceptable). This circumstance means there's one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you've assessed that it's not applicable. - -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This realization is why you need to inventory all of them. Also, don't forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. - -#### Organization or department hierarchy - -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they're used, most likely differs between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. - -#### Number and type of applications and services - -Most organizations have many applications and rarely do they have one centralized list that's accurate. Applications and services are the most critical items in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. Changing policies and procedures can be a daunting task. Consider the trade-off between updating your standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. - -Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, don't forget web-based applications or services when inventorying applications. - -#### Number of work personas - -Work personas are where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this information, you want to create a work persona. - -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There's a high probability that you'll have many work personas. These work personas will become units of work, and you'll refer to them in documentation and in meetings. You need to give them a name. - -Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. - -Ultimately, create a naming convention that doesn't require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you're talking about a person who is in that department and who uses that specific software. - -#### Organization's IT structure - -IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there's a password-less stakeholder on each of these teams, and that the effort is understood and funded. - -#### Assess your organization - -You have a ton of information. You've created your work personas, you've identified your stakeholders throughout the different IT groups. Now what? - -By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you've identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's only a matter of moving users to it. Resolution to some passwords surfaces may exist, but aren't deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That project is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely affect productivity. - -How long does it take to become password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that a password-less environment is the organization's goal makes conversations much easier. Easier conversations mean less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they've agreed on the strategy). Those resources will: - -- Work through the work personas. -- Organize and deploy user acceptance testing. -- Evaluate user acceptance testing results for user visible password surfaces. -- Work with stakeholders to create solutions that mitigate user visible password surfaces. -- Add the solution to the project backlog and prioritize against other projects. -- Deploy the solution. -- Perform user acceptance testing to confirm that the solution mitigates the user visible password surface. -- Repeat the testing as needed. - -Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it's likely that to go password-less tomorrow is *n x 2* or more, *n x n*. Don't let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you'll see parts of your organization transition to a password-less state. - -### Where to start? - -What's the best guidance for kicking off the journey to password freedom? You'll want to show your management a proof of concept as soon as possible. Ideally, you want to show it at each step of your password-less journey. Keeping your password-less strategy top of mind and showing consistent progress keeps everyone focused. - -#### Work persona - -You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. It's the targeted work persona you'll enable so that you can climb the steps to password freedom. - -> [!IMPORTANT] -> Avoid using any work personas from your IT department. This method is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. - -Review your collection of work personas. Early in your password-less journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These roles are the perfect work personas for your proof-of-concept or pilot. - -Most organizations host their proof of concept in a test lab or environment. If you do that test with a password-free strategy, it may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This process could take a few days or several weeks, depending on the complexity of the targeted work persona. - -You'll want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline. - -## The process - -The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: - -1. Password-less replacement offering (step 1) - 1. Identify test users representing the targeted work persona. - 2. Deploy Windows Hello for Business to test users. - 3. Validate that passwords and Windows Hello for Business work. -2. Reduce user-visible password surface (step 2) - 1. Survey test user workflow for password usage. - 2. Identify password usage and plan, develop, and deploy password mitigations. - 3. Repeat until all user password usage is mitigated. - 4. Remove password capabilities from Windows. - 5. Validate that **none of the workflows** need passwords. -3. Transition into a password-less scenario (step 3) - 1. Awareness campaign and user education. - 2. Include remaining users who fit the work persona. - 3. Validate that **none of the users** of the work personas need passwords. - 4. Configure user accounts to disallow password authentication. - -After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process. - -### Password-less replacement offering (step 1) - -The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Microsoft Entra ID and Active Directory. - -#### Identify test users that represent the targeted work persona - -A successful transition relies on user acceptance testing. It's impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. - -#### Deploy Windows Hello for Business to test users - -Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](index.md) to deploy Windows Hello for Business. - -With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment. - -> [!NOTE] -> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Microsoft Entra ID. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. - -#### Validate that passwords and Windows Hello for Business work - -In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas. - -### Reduce user-visible password surface (step 2) - -Before you move to step 2, make sure you've: - -- Selected your targeted work persona. -- Identified your test users who represent the targeted work persona. -- Deployed Windows Hello for Business to test users. -- Validated passwords and Windows Hello for Business both work for the test users. - -#### Survey test user workflow for password usage - -Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2. - -Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: - -- What's the name of the application that asked for a password? -- Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing? -- What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y." -- How frequently do you use this application in a given day or week? -- Is the password you type into the application the same as the password you use to sign-in to Windows? - -Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being password-less. - -#### Identify password usage and plan, develop, and deploy password mitigations - -Your test users have provided you valuable information that describes how, what, why, and when they use a password. It's now time for your team to identify each of these password use cases and understand why the user must use a password. - -Create a list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it's policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. - -Keep in mind your test users won't uncover all scenarios. Some scenarios you'll need to force on your users because they're low percentage scenarios. Remember to include the following scenarios: - -- Provisioning a new brand new user without a password. -- Users who forget the PIN or other remediation flows when the strong credential is unusable. - -Next, review your list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions, whichever of the two is easier or quicker. This choice will certainly vary by organization. - -Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. - -Mitigating password usage with applications is one of the more challenging obstacles in the password-less journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). - -The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. - -Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. - -#### Repeat until all user password usage is mitigated - -Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This stage is where you rely on your test users. You want to keep a good portion of your first test users, but this point is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you've closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you're stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you're out of options, contact Microsoft for assistance. - -#### Remove password capabilities from Windows - -You believe you've mitigated all the password usage for the targeted work persona. Now comes the true test: configure Windows so the user can't use a password. - -Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. - -##### Security policy - -You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. - -:::image type="content" source="images/passwordless-strategy/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node."::: - -**Windows Server 2016 and earlier** -The policy name for these operating systems is **Interactive logon: Require smart card**. - -:::image type="content" source="images/passwordless-strategy/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'."::: - -**Windows 10, version 1703 or later using Remote Server Administrator Tools** -The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. - -:::image type="content" source="images/passwordless-strategy/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'."::: - -When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. - -#### Excluding the password credential provider - -You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**: - -:::image type="content" source="images/passwordless-strategy/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'."::: - -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`. - -:::image type="content" source="images/passwordless-strategy/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'."::: - -Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This configuration prevents the user from entering a password using the credential provider. However, this change doesn't prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. - -#### Validate that none of the workflows needs passwords - -This stage is the significant moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users won't be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Don't forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or can't use their strong credential. Ensure those scenarios are validated as well. - -### Transition into a password-less deployment (step 3) - -Congratulations! You're ready to transition one or more portions of your organization to a password-less deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success. - -#### Awareness and user education - -In this last step, you're going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this step, you want to invest in an awareness campaign. - -An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. - -#### Including remaining users that fit the work persona - -You've implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being password-less. Add the remaining users that match the targeted work persona to your deployment. - -#### Validate that none of the users of the work personas needs passwords - -You've successfully transitioned all users for the targeted work persona to being password-less. Monitor the users within the work persona to ensure they don't encounter any issues while working in a password-less environment. - -Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions: - -- Is the reporting user performing a task outside the work persona? -- Is the reported issue affecting the entire work persona, or only specific users? -- Is the outage a result of a misconfiguration? -- Is the outage an overlooked gap from step 2? - -Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process. - -Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming password-less. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. - -#### Configure user accounts to disallow password authentication - -You transitioned all the users for the targeted work persona to a password-less environment and you've successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. - -You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object. - -The account options on a user account include the option **Smart card is required for interactive logon**, also known as SCRIL. - -> [!NOTE] -> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. - -The following image shows the SCRIL setting for a user in Active Directory Users and Computers: - -:::image type="content" source="images/passwordless-strategy/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options."::: - -When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because: - -- They don't know their password. -- Their password is 128 random bits of data and is likely to include non-typable characters. -- The user isn't asked to change their password. -- Domain controllers don't allow passwords for interactive authentication. - -The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012: - -:::image type="content" source="images/passwordless-strategy/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting."::: - -> [!NOTE] -> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account to generate a new random 128 bit password. Use the following process to toggle this configuration: -> -> 1. Disable the setting. -> 1. Save changes. -> 1. Enable the setting. -> 1. Save changes again. -> -> When you upgrade the domain functional level to Windows Server 2016 or later, the domain controller automatically does this action for you. - -The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016: - -:::image type="content" source="images/passwordless-strategy/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting."::: - -> [!TIP] -> Windows Hello for Business was formerly known as Microsoft Passport. - -##### Automatic password change for SCRIL configured users - -Domains configured for Windows Server 2016 or later domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. - -In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128-bit password for the user as part of the authentication. This feature is great because your users don't experience any change password notifications or any authentication outages. - -:::image type="content" source="images/passwordless-strategy/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL."::: - -> [!NOTE] -> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. diff --git a/windows/security/identity-protection/hello-for-business/pin-reset.md b/windows/security/identity-protection/hello-for-business/pin-reset.md index 1b06da1cd6..85a33cf10c 100644 --- a/windows/security/identity-protection/hello-for-business/pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/pin-reset.md @@ -1,7 +1,7 @@ --- title: PIN reset description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN, and how to configure it. -ms.date: 12/12/2023 +ms.date: 01/03/2024 ms.topic: how-to --- @@ -38,8 +38,6 @@ The following table compares destructive and nondestructive PIN reset: |**Additional configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature.| |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| - - ## Enable the Microsoft PIN Reset Service in your Microsoft Entra tenant Before you can use nondestructive PIN reset, you must register two applications in your Microsoft Entra tenant: @@ -176,8 +174,6 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a +----------------------------------------------------------------------+ ``` - - ## Configure allowed URLs for federated identity providers on Microsoft Entra joined devices **Applies to:** Microsoft Entra joined devices diff --git a/windows/security/identity-protection/hello-for-business/policy-settings.md b/windows/security/identity-protection/hello-for-business/policy-settings.md new file mode 100644 index 0000000000..050b2a862d --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/policy-settings.md @@ -0,0 +1,86 @@ +--- +title: Windows Hello for Business policy settings +description: Learn about the policy settings to configure Configure Windows Hello for Business. +ms.topic: reference +ms.date: 01/03/2024 +--- + +# Windows Hello for Business policy settings + +This reference article provides a comprehensive list of policy settings for Windows Hello for Business. The list of settings is sorted alphabetically and organized in four categories: + +- **Feature settings**: used to enable Windows Hello for Business and configure basic options +- **PIN setting**: used to configure PIN authentication, like PIN complexity and recovery +- **Biometric setting**: used to configure biometric authentication +- **Smart card settings**: used to configure smart card authentication used in conjunction with Windows Hello for Business + +For information about how to configure these settings, see [Configure Windows Hello for Business](configure.md). + +Select one of the tabs to see the list of available settings: + +# [:::image type="icon" source="images/hello.svg"::: **Feature settings**](#tab/feature) + +|Setting Name|CSP|GPO| +|-|-|-| +|[Configure device unlock factors](#configure-device-unlock-factors)|✅|✅| +|[Configure dynamic lock factors](#configure-dynamic-lock-factors)|✅|✅| +|[Use a hardware security device](#use-a-hardware-security-device)|✅|✅| +|[Use certificate for on-premises authentication](#use-certificate-for-on-premises-authentication)|✅|✅| +|[Use cloud (Kerberos) trust for on-premises authentication](#use-cloud-trust-for-on-premises-authentication)|✅|✅| +|[Use Windows Hello for Business](#use-windows-hello-for-business)|✅|✅| + +[!INCLUDE [configure-device-unlock-factors](includes/configure-device-unlock-factors.md)] +[!INCLUDE [configure-dynamic-lock-factors](includes/configure-dynamic-lock-factors.md)] +[!INCLUDE [use-a-hardware-security-device](includes/use-a-hardware-security-device.md)] +[!INCLUDE [use-certificate-for-on-premises-authentication](includes/use-certificate-for-on-premises-authentication.md)] +[!INCLUDE [use-cloud-trust-for-on-premises-authentication](includes/use-cloud-trust-for-on-premises-authentication.md)] +[!INCLUDE [use-windows-hello-for-business](includes/use-windows-hello-for-business.md)] + +# [:::image type="icon" source="images/pin.svg"::: **PIN settings**](#tab/pin) + +|Setting Name|CSP|GPO| +|-|-|-|-| +|[Expiration](#expiration)|✅|✅| +|[History](#history)|✅|✅| +|[Maximum PIN length](#maximum-pin-length)|✅|✅| +|[Minimum PIN length](#minimum-pin-length)|✅|✅| +|[Require digits](#require-digits)|✅|✅| +|[Require lowercase letters](#require-lowercase-letters)|✅|✅| +|[Require special characters](#require-special-characters)|✅|✅| +|[Require uppercase letters](#require-uppercase-letters)|✅|✅| +|[Use PIN recovery](#use-pin-recovery)|✅|✅| + +[!INCLUDE [expiration](includes/expiration.md)] +[!INCLUDE [history](includes/history.md)] +[!INCLUDE [maximum-pin-length](includes/maximum-pin-length.md)] +[!INCLUDE [minimum-pin-length](includes/minimum-pin-length.md)] +[!INCLUDE [require-digits](includes/require-digits.md)] +[!INCLUDE [require-lowercase-letters](includes/require-lowercase-letters.md)] +[!INCLUDE [require-special-characters](includes/require-special-characters.md)] +[!INCLUDE [require-uppercase-letters](includes/require-uppercase-letters.md)] +[!INCLUDE [use-pin-recovery](includes/use-pin-recovery.md)] + +# [:::image type="icon" source="images/fingerprint.svg"::: **Biometric settings**](#tab/bio) + +|Setting Name|CSP|GPO| +|-|-|-| +|[Configure enhanced anti-spoofing](#configure-enhanced-anti-spoofing)|✅|✅| +|[Enable ESS with Supported Peripherals](#enable-ess-with-supported-peripherals)|✅|✅| +|[Use biometrics](#use-biometrics)|✅|✅| + +[!INCLUDE [configure-enhanced-anti-spoofing](includes/configure-enhanced-anti-spoofing.md)] +[!INCLUDE [enable-ess-with-supported-peripherals](includes/enable-ess-with-supported-peripherals.md)] +[!INCLUDE [use-biometrics](includes/use-biometrics.md)] + +# [:::image type="icon" source="images/smartcard.svg"::: **Smart card settings**](#tab/smartcard) + +|Setting Name|CSP|GPO| +|-|-|-| +|[Turn off smart card emulation](#turn-off-smart-card-emulation)|❌|✅| +|[Allow enumeration of emulated smart card for all users](#allow-enumeration-of-emulated-smart-card-for-all-users)|❌|✅| +|[Use Windows Hello for Business certificates as smart card certificates](#use-windows-hello-for-business-certificates-as-smart-card-certificates)|✅|✅| + +[!INCLUDE [allow-enumeration-of-emulated-smart-card-for-all-users](includes/allow-enumeration-of-emulated-smart-card-for-all-users.md)] +[!INCLUDE [turn-off-smart-card-emulation](includes/turn-off-smart-card-emulation.md)] +[!INCLUDE [use-windows-hello-for-business-certificates-as-smart-card-certificates](includes/use-windows-hello-for-business-certificates-as-smart-card-certificates.md)] +--- diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md index f3b6b984fe..6a84e6ea32 100644 --- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md +++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md @@ -271,16 +271,7 @@ Here's a brief video showing the user experience from a Microsoft Entra joined d While users appreciate the convenience of biometrics, and administrators value the security, you might experience compatibility issues with applications and Windows Hello for Business certificates. In such scenarios, you can deploy a policy setting to revert to the previous behavior for the users needing it. -### Use Windows Hello for Business certificates as smart card certificates - -If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. - -If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates. Biometric factors are available when a user is asked to authorize the use of the certificate's private key. - -| | Path | -|--|--| -| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UseHelloCertificatesAsSmartCardCertificates][WIN-1]| -| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** | +For more information, see [Use Windows Hello for Business certificates as smart card certificate](policy-settings.md#use-windows-hello-for-business-certificates-as-smart-card-certificates) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 61aa6291c3..d328574c69 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -1,40 +1,31 @@ items: - name: Overview href: index.md -- name: Concepts - expanded: true +- name: How Windows Hello for Business works items: - - name: Why a PIN is better than a password - href: hello-why-pin-is-better-than-password.md - - name: Windows Hello biometrics in the enterprise - href: hello-biometrics-in-enterprise.md - - name: How Windows Hello for Business works - href: hello-how-it-works.md -- name: Plan a Windows Hello for Business deployment - href: hello-planning-guide.md + - name: Core concepts + href: how-it-works.md + - name: How device registration works 🔗 + href: /entra/identity/devices/device-registration-how-it-works + - name: How provisioning works + href: how-it-works-provisioning.md + - name: How authentication works + href: how-it-works-authentication.md +- name: Configure Windows Hello for Business + href: configure.md - name: Deployment guides href: deploy/toc.yml -- name: How-to Guides +- name: How-to-guides items: - - name: Prepare people to use Windows Hello - href: hello-prepare-people-to-use.md - - name: Manage Windows Hello for Business in your organization - href: hello-manage-in-organization.md - - name: Windows Hello and password changes - href: hello-and-password-changes.md -- name: Windows Hello for Business features - items: - - name: PIN reset + - name: Configure PIN reset href: pin-reset.md - - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗 - href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security - - name: Dual enrollment + - name: Configure dual enrollment href: hello-feature-dual-enrollment.md - - name: Dynamic Lock + - name: Configure dynamic lock href: hello-feature-dynamic-lock.md - - name: Multi-factor Unlock - href: feature-multifactor-unlock.md - - name: Remote desktop (RDP) sign-in + - name: Configure multi-factor unlock + href: multifactor-unlock.md + - name: Configure remote desktop (RDP) sign-in href: rdp-sign-in.md - name: Troubleshooting items: @@ -44,16 +35,11 @@ items: href: hello-errors-during-pin-creation.md - name: Reference items: - - name: How Windows Hello for Business provisioning works - href: hello-how-it-works-provisioning.md - - name: How Windows Hello for Business authentication works - href: hello-how-it-works-authentication.md + - name: Windows Hello for Business policy settings + href: policy-settings.md - name: WebAuthn APIs href: webauthn-apis.md - - name: Technology and terminology - href: hello-how-it-works-technology.md + - name: Windows Hello Enhanced Security Sign-in (ESS) 🔗 + href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security - name: Frequently Asked Questions (FAQ) - href: hello-faq.yml - - name: Windows Hello for Business videos - href: hello-videos.md - + href: faq.yml diff --git a/windows/security/identity-protection/images/security-stages.png b/windows/security/identity-protection/images/security-stages.png deleted file mode 100644 index 249ced9d4b..0000000000 Binary files a/windows/security/identity-protection/images/security-stages.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png b/windows/security/identity-protection/passwordless-strategy/images/lock-screen.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/lock-screen-off.png rename to windows/security/identity-protection/passwordless-strategy/images/lock-screen.png diff --git a/windows/security/identity-protection/passwordless-strategy/images/passwordless-experience.png b/windows/security/identity-protection/passwordless-strategy/images/passwordless-experience.png new file mode 100644 index 0000000000..9e6208dc50 Binary files /dev/null and b/windows/security/identity-protection/passwordless-strategy/images/passwordless-experience.png differ diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-1-off.svg b/windows/security/identity-protection/passwordless-strategy/images/step-1-off.svg new file mode 100644 index 0000000000..e94f7a1297 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/images/step-1-off.svg @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-1-on.svg b/windows/security/identity-protection/passwordless-strategy/images/step-1-on.svg new file mode 100644 index 0000000000..e2aa74f089 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/images/step-1-on.svg @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-2-off.svg b/windows/security/identity-protection/passwordless-strategy/images/step-2-off.svg new file mode 100644 index 0000000000..add20cb602 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/images/step-2-off.svg @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-2-on.svg b/windows/security/identity-protection/passwordless-strategy/images/step-2-on.svg new file mode 100644 index 0000000000..688724e117 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/images/step-2-on.svg @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-3-off.svg b/windows/security/identity-protection/passwordless-strategy/images/step-3-off.svg new file mode 100644 index 0000000000..6faecafc75 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/images/step-3-off.svg @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-3-on.svg b/windows/security/identity-protection/passwordless-strategy/images/step-3-on.svg new file mode 100644 index 0000000000..b5cfd72d86 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/images/step-3-on.svg @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-4-off.svg b/windows/security/identity-protection/passwordless-strategy/images/step-4-off.svg new file mode 100644 index 0000000000..4507a878b5 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/images/step-4-off.svg @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/identity-protection/passwordless-strategy/images/step-4-on.svg b/windows/security/identity-protection/passwordless-strategy/images/step-4-on.svg new file mode 100644 index 0000000000..2eeee15393 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/images/step-4-on.svg @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/identity-protection/passwordless-strategy/index.md b/windows/security/identity-protection/passwordless-strategy/index.md new file mode 100644 index 0000000000..b0887dd2fd --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/index.md @@ -0,0 +1,153 @@ +--- +title: Passwordless strategy overview +description: Learn about the passwordless strategy and how Windows security features help implementing it. +ms.topic: concept-article +ms.date: 01/29/2024 +--- + +# Passwordless strategy overview + +This article describes Microsoft's passwordless strategy and how Windows security features help implementing it. + +## Four steps to password freedom + +Microsoft is working hard to create a world where passwords are no longer needed. This is how Microsoft envisions the four steps approach to end the era of passwords for the organizations: + +:::row::: + :::column span="1"::: + :::image type="icon" source="images/step-1-on.svg" border="false"::: + :::column-end::: + :::column span="3"::: + ### Deploy a password replacement option + :::column-end::: +:::row-end::: + +Before you move away from passwords, you need something to replace them. Windows Hello for Business and FIDO2 security keys offer a strong, hardware-protected two-factor credential that enables single sign-on to Microsoft Entra ID and Active Directory.\ +Deploy Windows Hello for Business or FIDO2 security keys is the first step toward a passwordless environment. Users are likely to use these features because of their convenience, especially when combined with biometrics. However, some workflows and applications might still need passwords. This early stage is about implementing an alternative solution to passwords, and getting users accustomed to it. + +:::row::: + :::column span="1"::: + :::image type="icon" source="images/step-2-on.svg" border="false"::: + :::column-end::: + :::column span="3"::: + ### Reduce user-visible password surface area + :::column-end::: +:::row-end::: + +With a password replacement option and passwords coexisting in the environment, the next step is to reduce the password surface area. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, **but they never use it**. This state helps decondition users from providing a password anytime a password prompt shows on their computer. This behavior is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. **Password prompts are no longer the norm**. + + + +:::row::: + :::column span="1"::: + :::image type="icon" source="images/step-3-on.svg" border="false"::: + :::column-end::: + :::column span="3"::: + ### Transition into a passwordless deployment + :::column-end::: +:::row-end::: + +Once the user-visible password surface is eliminated, your organization can begin to transition users into a passwordless environment. In this stage, users never type, change, or even know their password.\ +The user signs in to Windows using Windows Hello for Business or FIDO2 security keys, and enjoys single sign-on to Microsoft Entra ID and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business or FIDO2 security keys. + +:::row::: + :::column span="1"::: + :::image type="icon" source="images/step-4-on.svg" border="false"::: + :::column-end::: + :::column span="3"::: + ### Eliminate passwords from the identity directory + :::column-end::: +:::row-end::: + +The final step of the passwordless journey is where passwords don't exist. At this stage, identity directories don't store any form of the password. + +## Prepare for the passwordless journey + +The road to being passwordless is a journey. The duration of the journey varies for each organization. It's important for IT decision makers to understand the criteria influencing the length of that journey. + +The most intuitive answer is the size of the organization, but what exactly defines size? We can look at these factors to get a summary of the organization's size: + +| Size factor | Details | +|--|--| +| **Number of departments**|The number of departments within an organization varies. Most organizations have a common set of departments such as *executive leadership*, *human resources*, *accounting*, *sales*, and *marketing*. Small organizations might not explicitly segment their departments, while larger ones might. Additionally, there may be subdepartments, and subdepartments of those subdepartments as well.

        You need to know all the departments within your organization, and you need to know which departments use computers and which ones don't. It's fine if a department doesn't use computers (probably rare, but acceptable). This circumstance means there's one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and that it's not applicable.

        Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This realization is why you need to inventory all of them. Also, don't forget to include external departments such as vendors or federated partners. If your organization goes passwordless, but your partners continue to use passwords to access your corporate resources, you should know about it and include them in your passwordless strategy.| +| **Organization or department hierarchy**|Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they're used, most likely differs between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device.| +| **Number and type of applications and services**|Most organizations have many applications and rarely have one centralized list that's accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. Changing policies and procedures can be a daunting task. Consider the trade-off between updating your standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.

        Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You also want to document whether the application is internally developed or commercially available off-the-shelf. If the latter, document the manufacturer and the version. Also, don't forget web-based applications or services when inventorying applications.| +| **Number of work personas**|Work personas are where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this information, you want to create a work persona.

        A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There's a high probability that you have many work personas. These work personas will become units of work, and you refer to them in documentation and in meetings. You need to give them a name.

        Give your personas easy and intuitive names like *Amanda - Accounting*, *Mark - Marketing*, or *Sue - Sales*. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, *Amanda* could be the first name of an individual contributor in any given department, while the first name *Sue* could represent someone from middle management in any given department. Additionally, you can use suffixes (such as *I*, *II*, *Senior*, etc.) to further define departmental structure for a given persona.

        Ultimately, create a naming convention that doesn't require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you're talking about a person who is in that department and who uses that specific software.| +| **Organization's IT structure**|IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the *client authentication* team, the *deployment* team, the *security* team, the *PKI* team, the *identity* team, the *cloud* team, etc. Most of these teams are your partner on your journey to password freedom. Ensure there's a passwordless stakeholder on each of these teams, and that the effort is understood and funded.| + +## Assess your organization + +By now you can understand why this is a journey and not a quick task. You need to investigate user-visible password surfaces for each of your work personas. Once you've identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's only a matter of moving users to it. Resolution to some passwords surfaces might exist, but aren't deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That project is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely affect productivity. + +The time to complete the passwordless journey varies, depending on the organizational alignment to a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations easier. Easier conversations mean less time spent convincing people and more time spent moving toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: + +- Work through the work personas +- Organize and deploy user acceptance testing +- Evaluate user acceptance testing results for user visible password surfaces +- Work with stakeholders to create solutions that mitigate user visible password surfaces +- Add the solution to the project backlog and prioritize against other projects +- Deploy the solution +- Perform user acceptance testing to confirm that the solution mitigates the user visible password surface +- Repeat the testing as needed + +Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it's likely that to go passwordless tomorrow is *n x 2* or more, *n x n*. Don't let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you'll see parts of your organization transition to a passwordless state. + +What's the best guidance for kicking off the journey to password freedom? **You want to show your management a proof of concept as soon as possible**. Ideally, you want to show it at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. + +## Work persona + +You begin with your work personas. These were part of your preparation process. They have a persona name, such as *Amanda - Accounting II*, or any other naming convention your organization defined. That work persona includes a list of all the applications *Amanda* uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. It's the targeted work persona you enable to complete the journey. + +> [!TIP] +> Avoid using any work personas from your IT department. This method is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. + +Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These roles are the perfect work personas for your proof-of-concept (POC) or pilot. + +Most organizations host their POC in a test lab or environment. If you do that test with a password-free strategy, it might be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This process could take a few days or several weeks, depending on the complexity of the targeted work persona. + +You want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it might be advantageous to your timeline. + +The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: + +:::row::: + :::column span="1"::: + :::image type="icon" source="images/step-1-on.svg" border="false" link="journey-step-1.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-2-on.svg" border="false" link="journey-step-2.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-3-on.svg" border="false" link="journey-step-3.md"::: + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: +**[Deploy a passwordless replacement option](journey-step-1.md)** +- Identify test users representing the targeted work persona +- Deploy Windows Hello for Business to test users +- Validate that passwords and Windows Hello for Business work + :::column-end::: + :::column span="1"::: +**[Reduce user-visible password surface](journey-step-2.md)** +- Survey test user workflow for password usage +- Identify password usage and plan, develop, and deploy password mitigations +- Repeat until all user password usage is mitigated +- Remove password capabilities from Windows +- Validate that **none of the workflows** need passwords + :::column-end::: + :::column span="1"::: +**[Transition into a passwordless scenario](journey-step-3.md)** +- Awareness campaign and user education +- Include remaining users who fit the work persona +- Validate that **none of the users** of the work personas need passwords +- Configure user accounts to prevent password authentication + :::column-end::: +:::row-end::: + +After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process. + +## Next steps + +> [!div class="nextstepaction"] +> +> [Step 1: deploy a passwordless replacement option >](journey-step-1.md) diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-1.md b/windows/security/identity-protection/passwordless-strategy/journey-step-1.md new file mode 100644 index 0000000000..0708d80254 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/journey-step-1.md @@ -0,0 +1,61 @@ +--- +title: Deploy a passwordless replacement option +description: Learn about how to deploy a passwordless replacement option, the first step of the Microsoft passwordless journey. +ms.topic: concept-article +ms.date: 01/29/2024 +--- + +# Deploy a passwordless replacement option + +:::row::: + :::column span="1"::: + :::image type="icon" source="images/step-1-on.svg" border="false" link="journey-step-1.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-2-off.svg" border="false" link="journey-step-2.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-3-off.svg" border="false" link="journey-step-3.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-4-off.svg" border="false"::: + :::column-end::: +:::row-end::: + +The first step to password freedom is providing an alternative to passwords.\ +Windows provides an affordable and easy in-box alternative to passwords, *Windows Hello for Business*. Another option is to use *FIDO2 security keys*, but they require the organization to purchase and distribute them. + +Both options provide a strong, two-factor authentication to Microsoft Entra ID and Active Directory. + +## Identify test users representing the targeted work persona + +A successful transition relies on user acceptance testing. It's impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you might want to change a few of the users (or add a few) as part of your validation process. + +## Deploy Windows Hello for Business or FIDO2 security keys to test users + +Next, you want to plan your password replacement deployment. Your test users need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business planning guide](..\hello-for-business\deploy\index.md) to help learning which deployment is best suited for your environment. Next, use one of the deployment guides to deploy Windows Hello for Business. With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You use the first work persona to validate your Windows Hello for Business deployment. + +If you decide to use FIDO2 security keys, follow the [Enable security key sign-in to Windows guide](/entra/identity/authentication/howto-authentication-passwordless-security-key-windows) to learn how to adopt FIDO2 security keys. + +> [!NOTE] +> Deployments vary based on how the device is joined to Microsoft Entra ID. Review the planning guide to learn the type of infrastructure required to support your devices. + +## Validate passwords and Windows Hello for Business or FIDO2 security keys + +In this first step, passwords and your password replacement choice must coexist. You want to validate all scenarios while the targeted work personas can sign in and unlock using Windows Hello or security keys. Users can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas. + +:::image type="content" source="images/lock-screen.png" alt-text="Screenshot of the Windows lock screen showing the fingerprint, PIN and password credential providers." border="false"::: + +## Next steps + +> [!div class="checklist"] +> Before you move to step 2, make sure you've: +> +> - Selected your targeted work persona +> - Identified your test users who represent the targeted work persona +> - Deployed Windows Hello for Business or FIDO2 security keys to test users +> - Validated that both your password replacement choice and passwords work for the test users + +> [!div class="nextstepaction"] +> +> [Step 2: reduce the user-visible password surface area >](journey-step-2.md) diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-2.md b/windows/security/identity-protection/passwordless-strategy/journey-step-2.md new file mode 100644 index 0000000000..4d8d3b920a --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/journey-step-2.md @@ -0,0 +1,105 @@ +--- +title: Reduce the user-visible password surface area +description: Learn about how to reduce the user-visible password surface area, the second step of the Microsoft passwordless journey. +ms.topic: concept-article +ms.date: 01/29/2024 +--- + +# Reduce the user-visible password surface area + +:::row::: + :::column span="1"::: + :::image type="icon" source="images/step-1-off.svg" border="false" link="journey-step-1.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-2-on.svg" border="false" link="journey-step-2.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-3-off.svg" border="false" link="journey-step-3.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-4-off.svg" border="false"::: + :::column-end::: +:::row-end::: + +## Survey test user workflow for password usage + +Now is the time to learn more about the targeted work persona. You should have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2. Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The goal is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: + +| | Question | +|--|--| +| **🔲** | *What's the name of the application that asked for a password?* | +| **🔲** | *Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing?* | +| **🔲** | *What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y."* | +| **🔲** | *How frequently do you use the application in a given day or week?* | +| **🔲** | *Is the password you type into the application the same as the password you use to sign-in to Windows?* | + +Some organizations empower their users to write this information, while some might insist on having a member of the IT department shadow them. An objective viewer might notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless. + +## Identify password usage and plan, develop, and deploy password mitigations + +Your test users provided you valuable with information that describes how, what, why, and when they use a password. It's now time for your team to identify each of these password use cases and understand why the user must use a password.\ +Create a list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is asked to provide a password. Include relevant, but accurate details. If the scenario is policy or procedure-driven, then include the name and section of the policy that dictates why the workflow uses a password. + +Your test users won't uncover all scenarios, therefore you must force on them some uncommon scenarios. Remember to include the following: + +- Provision a new user with an unknown password +- Users who forget the PIN or other remediation flows when the strong credential is unusable + +Next, review your list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions, whichever of the two is easier or quicker. This choice varies by organization. + +Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details are likely included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. + +Mitigating password usage with applications is one of the more challenging obstacles in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). + +The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Microsoft Entra ID or Active Directory. Work with the applications vendors to have them add support for Microsoft Entra identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. + +Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to integrate in your Microsoft Entra ID tenant, use federated identities, or use Windows integrated authentication. Work with third-party software publishers to update their software to integrate in Microsoft Entra ID, support federated identities, or use Windows integrated authentication. + +## Repeat until all user password usage is mitigated + +Some or all of your mitigations are in place. You need to validate that your solutions solved their problem statements. This stage is where you rely on your test users. You want to keep a good portion of your first test users, but this point is a good opportunity to replace or add a few. Survey test users workflow for password usage. If all goes well, you closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you're stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you're out of options, contact Microsoft for assistance. + +## Remove password capabilities from Windows + +You believe you mitigated all the password usage for the targeted work persona. Now comes the true test: configure Windows so the user can't use a password.\ +Windows offers three main options to reduce or eliminate the password surface area: + +- Windows passwordless experience +- Exclude the password credential provider +- Require Windows Hello for Business or a smart card + +### Windows passwordless experience + +*Windows Passwordless experience* is a security policy that hides the password credential provider for user accounts that sign in with Windows Hello or a FIDO2 security key. Windows Passwordless experience is the recommended option, but it's only available on Microsoft Entra joined devices. The following image shows the Windows lock screen when Windows passwordless experience is enabled. A user enrolled in Windows Hello for Business doesn't have the option to use a password to sign in: + +:::image type="content" source="images/passwordless-experience.png" alt-text="Screenshot of the Windows lock screen with passwordless experience enabled." border="false"::: + +To learn more, see [Windows passwordless experience](../passwordless-experience/index.md) + +### Exclude the password credential provider + +The *Exclude credential providers* policy setting can be used to disable the password credential provider. When configured, Windows disables the possibility to use passwords for *all accounts*, including local accounts. It also prevents the use of passwords for RDP and *Run as* authentication scenarios. This policy setting might impact support scenarios, such as when a user needs to sign in with a local account to troubleshoot a problem. For this reason, carefully evaluate all scenarios before you enable the setting. + +- GPO: **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Exclude credential providers** +- CSP: `./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/`[ExcludedCredentialProviders](/windows/client-management/mdm/policy-csp-admx-credentialproviders#excludedcredentialproviders) + +The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`. + +### Require Windows Hello for Business or a smart card + +The *Require Windows Hello for Business or a smart card* policy setting can be used to require Windows Hello for Business or a smart card for interactive logon. When enabled, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. Before you enable this policy setting, the user must be enrolled in Windows Hello for Business or have a smart card. Therefore, implementing this policy requires careful planning and coordination. + +- GPO: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Interactive logon: Require Windows Hello for Business or smart card** +- CSP: not available + +## Validate that none of the workflows needs passwords + +This stage is the significant moment. You identified password usage, developed solutions to mitigate password usage, and removed or disabled password usage from Windows. In this configuration, your users can't use a password. Users are blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Don't forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or can't use their strong credential. Ensure those scenarios are validated as well. + +## Next steps + +> [!div class="nextstepaction"] +> You're ready to transition one or more portions of your organization to a passwordless deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success. +> +> [Step 3: transition into a passwordless deployment >](journey-step-3.md) diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md new file mode 100644 index 0000000000..b50cd4f910 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md @@ -0,0 +1,144 @@ +--- +title: Transition into a passwordless deployment +description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey. +ms.topic: concept-article +ms.date: 01/29/2024 +--- + +# Transition into a passwordless deployment + +:::row::: + :::column span="1"::: + :::image type="icon" source="images/step-1-off.svg" border="false" link="journey-step-1.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-2-off.svg" border="false" link="journey-step-2.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-3-on.svg" border="false" link="journey-step-3.md"::: + :::column-end::: + :::column span="1"::: + :::image type="icon" source="images/step-4-off.svg" border="false"::: + :::column-end::: +:::row-end::: + +## Awareness and user education + +In this last step, you're going to include the remaining users that fit the targeted work persona to the passwordless deployment. Before you do this step, you want to invest in an awareness campaign. + +An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. + +> [!TIP] +> To facilitate user communication and to ensure a successful Windows Hello for Business deployment, you can find customizable material (email templates, posters, trainings, etc.) at [Microsoft Entra templates](https://aka.ms/adminmails). + +## Include remaining users that fit the work persona + +You implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment. + +## Validate that none of the users of the work personas need passwords + +You successfully transitioned all users for the targeted work persona to being passwordless. Monitor the users within the work persona to ensure they don't encounter any issues while working in a passwordless environment. + +Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions: + +| | Question | +|--|--| +| **🔲** | *Is the reporting user performing a task outside the work persona?* | +| **🔲** | *Is the reported issue affecting the entire work persona, or only specific users?* | +| **🔲** | *Is the outage a result of a misconfiguration?* | +| **🔲** | *Is the outage an overlooked gap from step 2?* | + +Each organization's priority and severity differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process. + +Resolve the issues per your service level agreements. Higher severity items might require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2, and progress forward to a solution, deploying that solution and validating it. + +> [!TIP] +> Monitor your domain controllers for password authentication events. This helps to proactively identify users who are still using passwords, and to reach out to them. + +## Configure user accounts to prevent password authentication + +You transitioned all the users for the targeted work persona to a passwordless environment and validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password. + +### Password scrambling + +While you can't completely remove the password from the user's account, you can prevent the user from using the password to authenticate. The easiest and most effective approach is to set the password to a random value. This approach prevents the user from knowing the password and using it to authenticate, but it allows the user to reset the password whenever needed. + +> [!TIP] +> Enable [Microsoft Entra self-service password reset (SSPR)](/entra/identity/authentication/tutorial-enable-sspr) to allow the users to reset their password. Once implemented, users can sign in to their Windows devices using Windows Hello for Business or a FIDO2 security key, and reset their password from https://aka.ms/sspr. Combine it with [password writeback](/entra/identity/authentication/tutorial-enable-cloud-sync-sspr-writeback) to have the password reset synchronized to your on-premises Active Directory. + +The following sample PowerShell script generates a random password of 64 characters and sets it for the user specified in the variable name $userId against Microsoft Entra ID. +Modify the **userId** variable of the script to match your environment (first line), and then run it in a PowerShell session. When prompted to authenticate to Microsoft Entra ID, use the credentials of an account with a role capable of resetting passwords. + +```azurepowershell-interactive +$userId = "" + +function Generate-RandomPassword{ + [CmdletBinding()] + param ( + [int]$Length = 64 + ) + $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{};:,.<>/?\|`~" + $random = New-Object System.Random + $password = "" + for ($i = 0; $i -lt $Length; $i++) { + $index = $random.Next(0, $chars.Length) + $password += $chars[$index] + } + return $password +} + +Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force +Install-Module Microsoft.Graph -Scope CurrentUser +Import-Module Microsoft.Graph.Users.Actions +Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" -NoWelcome + +$passwordParams = @{ + UserId = $userId + AuthenticationMethodId = "28c10230-6103-485e-b985-444c60001490" + NewPassword = Generate-RandomPassword +} + +Reset-MgUserAuthenticationMethodPassword @passwordParams +``` + +A similar script can be used to reset the password against Active Directory. Modify the **samAccountName** variable of the script to match your environment (first line), and then run it in a PowerShell session. + +```PowerShell +$samAccountName = + +function Generate-RandomPassword{ + [CmdletBinding()] + param ( + [int]$Length = 64 + ) + $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{};:,.<>/?\|`~" + $random = New-Object System.Random + $password = "" + for ($i = 0; $i -lt $Length; $i++) { + $index = $random.Next(0, $chars.Length) + $password += $chars[$index] + } + return $password +} + +$NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force + +Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset +``` + +If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password. + +> [!CAUTION] +> Execute the script only from a secure and trusted environment, and ensure that the script is not logged. Treat the host where the script is executed as a privileged host, with the same level of security as a domain controller. + +### Password age and password rotation + +If your organization doesn't have password rotation requirements, it's recommended to disable password age. + +If your organization has a password rotation policy, consider implementing automation to rotate the user's password regularly. This approach ensures that the user's password is always randomized and prevents the user from knowing the password. + +For more password-related guidance, see the whitepaper [Password Guidance](https://aka.ms/PasswordGuidance). + +## Next steps + +Microsoft is working hard to make the passwordless journey easier for you. We're working on new features and capabilities to help you transition to a passwordless environment, and to achieve the long-term security promise of a truly passwordless environment. Check back often to see what's new. diff --git a/windows/security/identity-protection/passwordless-strategy/toc.yml b/windows/security/identity-protection/passwordless-strategy/toc.yml new file mode 100644 index 0000000000..452824f4c4 --- /dev/null +++ b/windows/security/identity-protection/passwordless-strategy/toc.yml @@ -0,0 +1,9 @@ +items: +- name: Overview + href: index.md +- name: 1. Deploy password replacement options + href: journey-step-1.md +- name: 2. Reduce the password surface area + href: journey-step-2.md +- name: 3. Transition into a passwordless deployment + href: journey-step-3.md \ No newline at end of file diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index d7ffee21b2..dc9d66ddbd 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -1,9 +1,9 @@ --- -title: Remote Credential Guard +title: Remote Credential Guard description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. ms.topic: how-to ms.date: 12/08/2023 -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Windows Server 2022 @@ -36,7 +36,7 @@ The security benefits of Remote Credential Guard include: - During the remote session, you can connect to other systems using SSO - An attacker can act on behalf of the user only when the session is ongoing -The security benefits of [Restricted Admin mode][TECH-1] include: +The security benefits of Restricted Admin mode include: - Credentials aren't sent to the remote host - The Remote Desktop session connects to other resources as the remote host's identity @@ -84,7 +84,7 @@ To enable delegation of nonexportable credentials on the remote hosts, you can u [!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] -#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) +#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) [!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)] @@ -100,7 +100,7 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the |--------| | - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials`
        - **Data type:** string
        - **Value:** ``| -#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) +#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) [!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)] @@ -109,7 +109,7 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the | **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled | [!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)] -#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) +#### [:::image type="icon" source="../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg) To configure devices using the registry, use the following settings: @@ -155,7 +155,7 @@ To configure your clients, you can use: [!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] -#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) +#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) [!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)] @@ -171,7 +171,7 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the |--| |- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`
        - **Data type:** string
        - **Value:** ``

        Possible values for `RestrictedRemoteAdministrationDrop` are:
        - `0`: Disabled
        - `1`: Require Restricted Admin
        - `2`: Require Remote Credential Guard
        - `3`: Restrict credential delegation | -#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) +#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) [!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)] @@ -181,7 +181,7 @@ Alternatively, you can configure devices using a [custom policy][INT-3] with the [!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)] -#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) +#### [:::image type="icon" source="../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg) Not documented. @@ -224,5 +224,4 @@ Here are some considerations for Remote Credential Guard: [CSP-2]: /windows/client-management/mdm/policy-csp-admx-credssp [INT-3]: /mem/intune/configuration/settings-catalog [LEARN-1]: /windows-server/identity/laps/laps-overview -[TECH-1]: https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx [PTH-1]: https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index cb77691205..583823e56f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -1,8 +1,8 @@ --- -ms.date: 11/22/2023 title: Smart Card and Remote Desktop Services description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.topic: concept-article +ms.date: 01/16/2024 --- # Smart Card and Remote Desktop Services diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 3fa6fe2bae..bd640b89fd 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -2,7 +2,7 @@ title: Smart Card Architecture description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.topic: reference-architecture -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Smart Card Architecture diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index fe6f0b5c39..770de019ca 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -2,7 +2,7 @@ title: Certificate propagation service description: Learn about the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.topic: concept-article -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Certificate propagation service diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 9f8291d4a6..5b33c9f79c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -2,7 +2,7 @@ title: Certificate Requirements and Enumeration description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.topic: concept-article -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Certificate Requirements and Enumeration diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index d5df22275e..ce951db2a1 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -2,7 +2,7 @@ title: Smart Card Troubleshooting description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.topic: troubleshooting -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Smart Card Troubleshooting diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 96a66ee27a..6aef6b3288 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -2,7 +2,7 @@ title: Smart card events description: Learn about smart card deployment and development events. ms.topic: troubleshooting -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Smart card events diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index d218b20bc5..79e5f674c9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -2,7 +2,7 @@ title: Smart Card Group Policy and Registry Settings description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.topic: reference -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Smart Card Group Policy and Registry Settings @@ -373,7 +373,7 @@ The following smart card-related Group Policy settings are in **Computer Configu | Group Policy setting and registry key | Default | Description | |--|--|--| -| Interactive logon: Require smart card

        **scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.

        **Enabled** Users can sign in to the computer only by using a smart card.
        **Disabled** Users can sign in to the computer by using any method.

        NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).
        | +| Interactive logon: Require smart card

        **scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.

        **Enabled** Users can sign in to the computer only by using a smart card.
        **Disabled** Users can sign in to the computer by using any method.

        NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. | | Interactive logon: Smart card removal behavior

        **scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
        **No Action**
        **Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
        **Force Logoff**: The user is automatically signed out when the smart card is removed.
        **Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option. | From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers. diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 6727a73a66..6f23ce09a9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -2,7 +2,7 @@ title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.topic: overview -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # How Smart Card Sign-in Works in Windows diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 7709e7524f..65933d65a1 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -2,7 +2,7 @@ title: Smart Card Removal Policy Service description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.topic: concept-article -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Smart Card Removal Policy Service diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index cf988e8549..ad2cd71fb9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -2,7 +2,7 @@ title: Smart Cards for Windows Service description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.topic: concept-article -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Smart Cards for Windows Service diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index 0d0d5e8372..f703ec1f9c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -2,7 +2,7 @@ title: Smart Card Tools and Settings description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. ms.topic: get-started -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Smart Card Tools and Settings diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index da1a559648..d615e2079c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -2,7 +2,7 @@ title: Smart Card Technical Reference description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. ms.topic: overview -ms.date: 11/22/2023 +ms.date: 01/16/2024 --- # Smart Card Technical Reference diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml index 26eafa1368..9d0a3a0397 100644 --- a/windows/security/identity-protection/toc.yml +++ b/windows/security/identity-protection/toc.yml @@ -4,7 +4,7 @@ items: - name: Passwordless sign-in items: - name: Passwordless strategy - href: hello-for-business/passwordless-strategy.md + href: passwordless-strategy/toc.yml - name: Windows Hello for Business href: hello-for-business/toc.yml - name: Windows presence sensing @@ -28,8 +28,8 @@ items: href: /education/windows/federated-sign-in - name: Advanced credential protection items: - - name: Windows LAPS (Local Administrator Password Solution) 🔗 - displayName: LAPS + - name: Windows LAPS 🔗 + displayName: Local Administrator Password Solution href: /windows-server/identity/laps/laps-overview - name: Account Lockout Policy 🔗 href: ../threat-protection/security-policy-settings/account-lockout-policy.md diff --git a/windows/security/images/icons/group-policy.svg b/windows/security/images/icons/group-policy.svg index ace95add6b..c9cb511415 100644 --- a/windows/security/images/icons/group-policy.svg +++ b/windows/security/images/icons/group-policy.svg @@ -1,3 +1,9 @@ - - - \ No newline at end of file + + + + + + + + + diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg new file mode 100644 index 0000000000..bc4aa2f534 --- /dev/null +++ b/windows/security/images/icons/registry.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/windows/security/images/insider.png b/windows/security/images/insider.png new file mode 100644 index 0000000000..dc227a95bd Binary files /dev/null and b/windows/security/images/insider.png differ diff --git a/windows/security/includes/insider-note.md b/windows/security/includes/insider-note.md new file mode 100644 index 0000000000..a1160f8047 --- /dev/null +++ b/windows/security/includes/insider-note.md @@ -0,0 +1,16 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.topic: include +ms.date: 01/11/2024 +--- + +:::row::: +:::column span="1"::: +:::image type="content" source="../images/insider.png" alt-text="Logo of Windows Insider." border="false"::: +:::column-end::: +:::column span="3"::: +> [!IMPORTANT] +>This article describes features or settings that are under development and only applicable to [Windows Insider Preview builds](/windows-insider/). The content is subject to change and may have dependencies on other features or services in preview. +:::column-end::: +:::row-end::: diff --git a/windows/security/index.yml b/windows/security/index.yml index 069ecf8fb7..8f543bcde6 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -6,10 +6,9 @@ brand: windows metadata: ms.topic: hub-page - ms.prod: windows-client - ms.technology: itpro-security ms.collection: - tier1 + - essentials-navigation author: paolomatarazzo ms.author: paoloma manager: aaroncz diff --git a/windows/security/introduction.md b/windows/security/introduction.md index 92105b512d..dd2492a6b9 100644 --- a/windows/security/introduction.md +++ b/windows/security/introduction.md @@ -4,6 +4,9 @@ description: System security book. ms.date: 09/01/2023 ms.topic: tutorial ms.author: paoloma +ms.collection: + - essentials-security + - essentials-overview content_well_notification: - AI-contribution author: paolomatarazzo diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md index 5f18fd26da..ece47c14a8 100644 --- a/windows/security/licensing-and-edition-requirements.md +++ b/windows/security/licensing-and-edition-requirements.md @@ -7,7 +7,6 @@ appliesto: - ✅ Windows 11 ms.author: paoloma author: paolomatarazzo -ms.prod: windows-client --- # Windows security features licensing and edition requirements diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.png b/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.png deleted file mode 100644 index f158bc4c67..0000000000 Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.png and /dev/null differ diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.svg b/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.svg new file mode 100644 index 0000000000..27acdfd665 --- /dev/null +++ b/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.svg @@ -0,0 +1 @@ +WDSDHCPClientWDSDHCPClient1. Network unlock detected2. DHCP reqDHCP offer3. DHCP + Network key 🔑4. Request5. Decryption 🔓7. Intermediate key 🔑7. 🔑+🗝️8. Volume unlock 🔓9. Windows boot \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md index f81e6c585f..f0745f7122 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md @@ -46,7 +46,7 @@ The server side configuration to enable Network Unlock also requires provisionin The Network Unlock process follows these phases: :::row::: - :::column span="3"::: + :::column span="2"::: 1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration 2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address 3. The client computer broadcasts a vendor-specific DHCP request that contains a network key (a 256-bit intermediate key) and an AES-256 session key for the reply. The network key is encrypted by using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server @@ -57,8 +57,8 @@ The Network Unlock process follows these phases: 8. This combined key is used to create an AES-256 key that unlocks the volume 9. Windows continues the boot sequence :::column-end::: - :::column span="1"::: - :::image type="content" source="images/network-unlock-diagram.png" alt-text="Diagram of the Network Unlock sequence." lightbox="images/network-unlock-diagram.png" border="false"::: + :::column span="2"::: + :::image type="content" source="images/network-unlock-diagram.svg" alt-text="Diagram of the Network Unlock sequence." lightbox="images/network-unlock-diagram.svg" border="false"::: :::column-end::: :::row-end::: diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md index 380ac306c4..1eaff6b4ec 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md @@ -230,7 +230,7 @@ Add the desired protectors prior to encrypting the volume. The following example ```powershell $pw = Read-Host -AsSecureString -Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw +Add-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` > [!NOTE] diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md index 1e17d437e3..7325710e0c 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -64,8 +64,8 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t | Name | Details | Security Tools | |--|--|--| -| Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Microsoft Edge, version 107 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Microsoft Edge, version 117 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-117/ba-p/3930862) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | ## Related articles diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md index 06fbba84f9..bce157495f 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md @@ -47,7 +47,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the | *Public* | Setting name: [EnableLogSuccessConnections][CSP-10]
        OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogSuccessConnections` | | *Public* | Setting name: [LogMaxFileSize][CSP-13]
        OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize` | -# [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) +# [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo) [!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)] diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg index ace95add6b..95957a5914 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg @@ -1,3 +1,9 @@ - - - \ No newline at end of file + + + + + + + + + diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index eaa7ed73d3..4c63211e0c 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -3,7 +3,6 @@ title: Advanced security audit policy settings description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,7 +11,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Advanced security audit policy settings (Windows 10) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 9b46b2d3a3..768de067a0 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -2,13 +2,11 @@ metadata: title: Advanced security auditing FAQ description: This article lists common questions and answers about understanding, deploying, and managing security audit policies. - ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.topic: faq ms.date: 05/24/2022 - ms.technology: itpro-security title: Advanced security auditing FAQ diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index 1aed416fd1..84c93ea504 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md @@ -4,7 +4,6 @@ description: Advanced security audit policy settings might appear to overlap wit ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/6/2021 -ms.technology: itpro-security --- # Advanced security audit policies diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index e27eedd443..2ddc4a8249 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -2,7 +2,6 @@ title: Appendix A, Security monitoring recommendations for many audit events description: Learn about recommendations for the type of monitoring required for certain classes of security audit events. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/06/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index d8dcb28e30..5e7b8bfd19 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -4,7 +4,6 @@ description: Apply audit policies to individual files and folders on your comput ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Apply a basic audit policy on a file or folder diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md index 5f21d6eab6..e4bbde6028 100644 --- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ b/windows/security/threat-protection/auditing/audit-account-lockout.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md index ad5c87de63..3c22b0237f 100644 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ b/windows/security/threat-protection/auditing/audit-application-generated.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md index 9fb1c10453..fd489adaac 100644 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ b/windows/security/threat-protection/auditing/audit-application-group-management.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index be89c50a5a..d1291e568e 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md index 2b14cd5e29..7ab38720e0 100644 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index b86b2d9b6b..5ad0e5fff3 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md index b330e72006..dbadfb80dd 100644 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md index cb33e2480b..1818d6abea 100644 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ b/windows/security/threat-protection/auditing/audit-certification-services.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md index 78bd0d1701..836f66077c 100644 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md index 3d6283d2ab..776717c166 100644 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md +++ b/windows/security/threat-protection/auditing/audit-credential-validation.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md index d909d6ba62..7f07a68413 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index bb87079a1b..0b41ec8acd 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index 0576b52401..2a83b4b3ec 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index d2b294d326..d746cc2a12 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md index bae794b8c0..c3efe2134f 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md index e254cd23b0..87cfeca376 100644 --- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md +++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md index edc400cd02..f7a7cf3eaa 100644 --- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md +++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md index 65ea03ef20..c57ba2e002 100644 --- a/windows/security/threat-protection/auditing/audit-file-share.md +++ b/windows/security/threat-protection/auditing/audit-file-share.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index 18e5b32a55..689b7bd0e5 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md index 2edf237cad..8393e5be1c 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index a3d70e667a..9c77101ee8 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index fe1236b0e6..9ab9af405b 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md index b5531fb996..771769f0be 100644 --- a/windows/security/threat-protection/auditing/audit-group-membership.md +++ b/windows/security/threat-protection/auditing/audit-group-membership.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md index 081f3a3d34..2452d552c4 100644 --- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md +++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index 1719e81ee6..20882eebbc 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md index 0e2168d0f5..45b5d1ef63 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md index 81cfde4d9d..f1c660e1e8 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md index 0ee38a23f7..c456fc1f21 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md index bd54abd7d0..6ec1fcf9e4 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index f942a116de..2d13eeaf23 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md index afb2069653..ae38545e9f 100644 --- a/windows/security/threat-protection/auditing/audit-kernel-object.md +++ b/windows/security/threat-protection/auditing/audit-kernel-object.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md index 8c631d2e0a..0525d84b24 100644 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ b/windows/security/threat-protection/auditing/audit-logoff.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md index fcd5e254ef..1437ead2f9 100644 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ b/windows/security/threat-protection/auditing/audit-logon.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md index a6f72640dc..d00998a052 100644 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md index 8c46beb77a..9af80769b0 100644 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index 298b8a5061..937e8bc34c 100644 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index 664c5f6b17..9b973c0b7b 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index 68fa5e72ef..670cf6612d 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md index 075d245ab1..86e40c99ae 100644 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md index fc6e2dbd2e..5807ad6849 100644 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index 8f78be458c..b05830fca8 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index d7b89004e2..123145fdaf 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index 9c768d486b..5472834fd9 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index b0f231d898..bd82df1b1e 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 53eec87d8c..c19e613f2c 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 03/16/2022 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index 0a9089db1f..0ecd8f1351 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 418fda413d..a4cea25938 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 01/05/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index faa143e4c6..5ef92d1b38 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index 1b6a9b69ca..b5dd671672 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 4eb4577d13..c0253c800f 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index 8fd69b4b8a..ce479065a5 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index 93830b3271..c1a71e863e 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index ceef6d3134..a058f09795 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index becca46597..3f5fa3f97d 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index 12308ff6e3..291c011a68 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index 8d64f386ff..85cd8f762c 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md index 1b9208a8d5..ca2b5b0186 100644 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md @@ -5,8 +5,6 @@ manager: aaroncz author: vinaypamnani-msft ms.author: vinpa ms.pagetype: security -ms.prod: windows-client -ms.technology: itpro-security ms.date: 12/31/2017 ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index a504763fe3..22bd1134da 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index 27e1a7f23d..748184d302 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -6,13 +6,11 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/06/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index 017fb5ec82..7c8b3b1d1a 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -4,7 +4,6 @@ description: Determines whether to audit each instance of a user logging on to o ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Audit account logon events diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index e3e8fa199c..0f902b9980 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -4,7 +4,6 @@ description: Determines whether to audit each event of account management on a d ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Audit account management diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index 82647ef71b..fb7213123d 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -4,7 +4,6 @@ description: Determines whether to audit the event of a user accessing an Active ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Audit directory service access diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 4b5e68258f..6019102b0e 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -4,7 +4,6 @@ description: Determines whether to audit each instance of a user logging on to o ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Audit logon events diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index 66a2833e20..a27f9b77a0 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -4,7 +4,6 @@ description: The policy setting, Audit object access, determines whether to audi ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Audit object access diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index 4db162688d..c8c2ed48d0 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -4,7 +4,6 @@ description: Determines whether to audit every incident of a change to user righ ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Audit policy change diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 11a05ab720..1275bd3206 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -4,7 +4,6 @@ description: Determines whether to audit each instance of a user exercising a us ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Audit privilege use diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index 796e7f323f..71a2c2735c 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -4,7 +4,6 @@ description: Determines whether to audit detailed tracking information for event ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Audit process tracking diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index c3a231e65c..d29c89b90f 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -4,7 +4,6 @@ description: Determines whether to audit when a user restarts or shuts down the ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Audit system events diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index 93ea3850e5..a238c70e5c 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -4,7 +4,6 @@ description: Learn about basic security audit policies that specify the categori ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Basic security audit policies diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 70b4c9c798..1b496de6ee 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -4,7 +4,6 @@ description: Basic security audit policy settings are found under Computer Confi ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/06/2021 -ms.technology: itpro-security --- # Basic security audit policy settings diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 90f66f7720..0dbeef18fc 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -4,7 +4,6 @@ description: By defining auditing settings for specific event categories, you ca ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/07/2021 -ms.technology: itpro-security --- # Create a basic audit policy for an event category diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index c243b5aac7..fd669405ba 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -2,7 +2,6 @@ title: 1100(S) The event logging service has shut down. description: Describes security event 1100(S) The event logging service has shut down. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index f576776df5..3f66f12f17 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -2,7 +2,6 @@ title: 1102(S) The audit log was cleared. description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S). ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index bb5e126fa3..60114513f7 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -2,7 +2,6 @@ title: 1104(S) The security log is now full. description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index 52cf7ef880..ab01840a97 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md @@ -2,7 +2,6 @@ title: 1105(S) Event log automatic backup. description: This event generates every time Windows security log becomes full and new event log file was created. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 82f001a25b..df61026142 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -2,7 +2,6 @@ title: The event logging service encountered an error description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index fe0e35c6f0..4d229afc2d 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -2,7 +2,6 @@ title: 4608(S) Windows is starting up. description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index d30d8aa1fe..a277e58ec7 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md @@ -2,7 +2,6 @@ title: 4610(S) An authentication package has been loaded by the Local Security Authority. description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 2730d51adc..27574efa40 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -2,7 +2,6 @@ title: 4611(S) A trusted logon process has been registered with the Local Security Authority. description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 5be5bf7008..fba5b23479 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -2,7 +2,6 @@ title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index 03a7376a53..7742a34ee9 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -2,7 +2,6 @@ title: 4614(S) A notification package has been loaded by the Security Account Manager. description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 3032b10d53..c8a16371bd 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -2,7 +2,6 @@ title: 4615(S) Invalid use of LPC port. description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 62f34dc232..91890bb297 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -2,7 +2,6 @@ title: 4616(S) The system time was changed. description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index 0871962990..888ba46e90 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -2,7 +2,6 @@ title: 4618(S) A monitored security event pattern has occurred. description: Describes security event 4618(S) A monitored security event pattern has occurred. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index 3d5e633672..23a502abad 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -2,7 +2,6 @@ title: 4621(S) Administrator recovered system from CrashOnAuditFail. description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index 6fbd529f39..c55bf6a9b2 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -2,7 +2,6 @@ title: 4622(S) A security package has been loaded by the Local Security Authority. description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index 244371e389..07fdf70e44 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -2,7 +2,6 @@ title: 4624(S) An account was successfully logged on. description: Describes security event 4624(S) An account was successfully logged on. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.collection: - highpri - tier3 @@ -252,6 +250,9 @@ This event generates when a logon session is created (on destination machine). I - **Source Port** [Type = UnicodeString]: source port which was used for logon attempt from remote machine. - 0 for interactive logons. + + > [!NOTE] + The fields for IP address/port and workstation name are populated depending on the authentication context and protocol used. LSASS will audit the information the authenticating service shares with LSASS. For example, network logons with Kerberos likely have no workstation information, and NTLM logons have no TCP/IP details. **Detailed Authentication Information:** diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 702684a0a3..0cb398d228 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -2,7 +2,6 @@ title: 4625(F) An account failed to log on. description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 01/03/2022 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.collection: - highpri - tier3 diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index fc6a96544c..3e4a81e7d5 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -2,7 +2,6 @@ title: 4626(S) User/Device claims information. description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 739f621949..bb08d6bfd0 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -2,7 +2,6 @@ title: 4627(S) Group membership information. description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index 0c24208115..6d1dd284e6 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -2,7 +2,6 @@ title: 4634(S) An account was logged off. description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index 6a346735b9..d7ba93610b 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -2,7 +2,6 @@ title: 4647(S) User initiated logoff. description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 57e38cffb9..bd172bb754 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -2,7 +2,6 @@ title: 4648(S) A logon was attempted using explicit credentials. description: Describes security event 4648(S) A logon was attempted using explicit credentials. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index ab9f2ef58e..81ceab6ec4 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -2,7 +2,6 @@ title: 4649(S) A replay attack was detected. description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index d019e5e260..8441566c4f 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -2,7 +2,6 @@ title: 4656(S, F) A handle to an object was requested. description: Describes security event 4656(S, F) A handle to an object was requested. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index 35f1a2be85..c6279c1fa1 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -2,7 +2,6 @@ title: 4657(S) A registry value was modified. description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index ed093c51b6..346730e603 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -2,7 +2,6 @@ title: 4658(S) The handle to an object was closed. description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 8613c16cee..820e2eed6f 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -2,7 +2,6 @@ title: 4660(S) An object was deleted. description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index ffd0495d6f..ea83c3bcec 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -2,7 +2,6 @@ title: 4661(S, F) A handle to an object was requested. description: Describes security event 4661(S, F) A handle to an object was requested. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index 03c05ae001..13b91b7666 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -2,7 +2,6 @@ title: 4662(S, F) An operation was performed on an object. description: Describes security event 4662(S, F) An operation was performed on an object. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index e6eb49e26e..3568c87841 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -2,7 +2,6 @@ title: 4663(S) An attempt was made to access an object. description: Describes security event 4663(S) An attempt was made to access an object. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 80106ccf42..79af8c22de 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -2,7 +2,6 @@ title: 4664(S) An attempt was made to create a hard link. description: Describes security event 4664(S) An attempt was made to create a hard link. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index a2d1d9f284..45d44238be 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -2,7 +2,6 @@ title: 4670(S) Permissions on an object were changed. description: Describes security event 4670(S) Permissions on an object were changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index 3c078e977d..f027eb4094 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md @@ -2,7 +2,6 @@ title: 4671(-) An application attempted to access a blocked ordinal through the TBS. description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 32e6c9eb6a..d1ea01797e 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -2,7 +2,6 @@ title: 4672(S) Special privileges assigned to new logon. description: Describes security event 4672(S) Special privileges assigned to new logon. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index 7dc7f54208..492ddbcfe0 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -2,7 +2,6 @@ title: 4673(S, F) A privileged service was called. description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 80a9614ae6..6f571b60ea 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -2,7 +2,6 @@ title: 4674(S, F) An operation was attempted on a privileged object. description: Describes security event 4674(S, F) An operation was attempted on a privileged object. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index cdd97e8a9e..50f41a4220 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -2,7 +2,6 @@ title: 4675(S) SIDs were filtered. description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index d56ba5367b..3dd248ad3c 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -2,7 +2,6 @@ title: 4688(S) A new process has been created. description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 01/24/2022 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index c23269a82a..fdda28bf9a 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -2,7 +2,6 @@ title: 4689(S) A process has exited. description: Describes security event 4689(S) A process has exited. This event is generates when a process exits. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index b1247baf18..7bb3a0ee1c 100644 --- a/windows/security/threat-protection/auditing/event-4690.md +++ b/windows/security/threat-protection/auditing/event-4690.md @@ -2,7 +2,6 @@ title: 4690(S) An attempt was made to duplicate a handle to an object. description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index abc7e7224a..3d757a2f5d 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -2,7 +2,6 @@ title: 4691(S) Indirect access to an object was requested. description: Describes security event 4691(S) Indirect access to an object was requested. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index fd2df12df7..bd3ed5f273 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -2,7 +2,6 @@ title: 4692(S, F) Backup of data protection master key was attempted. description: Describes security event 4692(S, F) Backup of data protection master key was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index e8fd42218d..68957da33e 100644 --- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md @@ -2,7 +2,6 @@ title: 4693(S, F) Recovery of data protection master key was attempted. description: Describes security event 4693(S, F) Recovery of data protection master key was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index 18eed045ab..e26a1ff60f 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -2,7 +2,6 @@ title: 4694(S, F) Protection of auditable protected data was attempted. description: Describes security event 4694(S, F) Protection of auditable protected data was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 7093744387..a19d09bf9b 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md @@ -2,7 +2,6 @@ title: 4695(S, F) Unprotection of auditable protected data was attempted. description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 38800c2bd2..570606c8de 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -2,7 +2,6 @@ title: 4696(S) A primary token was assigned to process. description: Describes security event 4696(S) A primary token was assigned to process. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index 3775a7bda7..01e5df45ef 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md @@ -2,7 +2,6 @@ title: 4697(S) A service was installed in the system. description: Describes security event 4697(S) A service was installed in the system. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index 2609217fd3..e270f187af 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -2,7 +2,6 @@ title: 4698(S) A scheduled task was created. description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index 87a10ab8bf..ea206aba73 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -2,7 +2,6 @@ title: 4699(S) A scheduled task was deleted. description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index 0f8d3494fe..aae8e027d4 100644 --- a/windows/security/threat-protection/auditing/event-4700.md +++ b/windows/security/threat-protection/auditing/event-4700.md @@ -2,7 +2,6 @@ title: 4700(S) A scheduled task was enabled. description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index ecd015fbae..f47c7a3379 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -2,7 +2,6 @@ title: 4701(S) A scheduled task was disabled. description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index 68dfec7592..4bb86d53b2 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -2,7 +2,6 @@ title: 4702(S) A scheduled task was updated. description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index effc1b4ddc..0abe8a8e60 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -2,7 +2,6 @@ title: 4703(S) A user right was adjusted. description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index 94bcdf96eb..9d80b0b5ba 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -2,7 +2,6 @@ title: 4704(S) A user right was assigned. description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 1030f0b6b6..aa5fedab07 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -2,7 +2,6 @@ title: 4705(S) A user right was removed. description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md index 7fdea8fb2c..d379640fbc 100644 --- a/windows/security/threat-protection/auditing/event-4706.md +++ b/windows/security/threat-protection/auditing/event-4706.md @@ -2,7 +2,6 @@ title: 4706(S) A new trust was created to a domain. description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md index e2a779b376..a7d7e7fab3 100644 --- a/windows/security/threat-protection/auditing/event-4707.md +++ b/windows/security/threat-protection/auditing/event-4707.md @@ -2,7 +2,6 @@ title: 4707(S) A trust to a domain was removed. description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md index 49ad5eeca7..f83c8df8ce 100644 --- a/windows/security/threat-protection/auditing/event-4713.md +++ b/windows/security/threat-protection/auditing/event-4713.md @@ -2,7 +2,6 @@ title: 4713(S) Kerberos policy was changed. description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md index 495cda1557..13f82a2f64 100644 --- a/windows/security/threat-protection/auditing/event-4714.md +++ b/windows/security/threat-protection/auditing/event-4714.md @@ -2,7 +2,6 @@ title: 4714(S) Encrypted data recovery policy was changed. description: Describes security event 4714(S) Encrypted data recovery policy was changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index 6a09b30ae2..b92a998c6d 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -2,7 +2,6 @@ title: 4715(S) The audit policy (SACL) on an object was changed. description: Describes security event 4715(S) The audit policy (SACL) on an object was changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index 12eafb94f3..42b0a6e238 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md @@ -2,7 +2,6 @@ title: 4716(S) Trusted domain information was modified. description: Describes security event 4716(S) Trusted domain information was modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index b02eef2f90..c41a064781 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -2,7 +2,6 @@ title: 4717(S) System security access was granted to an account. description: Describes security event 4717(S) System security access was granted to an account. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index 14707ab644..04e8efedd9 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -2,7 +2,6 @@ title: 4718(S) System security access was removed from an account. description: Describes security event 4718(S) System security access was removed from an account. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md index 4cf66c7350..6df41ebce4 100644 --- a/windows/security/threat-protection/auditing/event-4719.md +++ b/windows/security/threat-protection/auditing/event-4719.md @@ -2,7 +2,6 @@ title: 4719(S) System audit policy was changed. description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index 5ca11d5d60..6e107ff555 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md @@ -2,7 +2,6 @@ title: 4720(S) A user account was created. description: Describes security event 4720(S) A user account was created. This event is generated a user object is created. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md index add2d048cc..9cfac3ba8c 100644 --- a/windows/security/threat-protection/auditing/event-4722.md +++ b/windows/security/threat-protection/auditing/event-4722.md @@ -2,7 +2,6 @@ title: 4722(S) A user account was enabled. description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md index 7aad069614..7793556fa9 100644 --- a/windows/security/threat-protection/auditing/event-4723.md +++ b/windows/security/threat-protection/auditing/event-4723.md @@ -2,7 +2,6 @@ title: 4723(S, F) An attempt was made to change an account's password. description: Describes security event 4723(S, F) An attempt was made to change an account's password. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md index 456ec46743..8ce482061b 100644 --- a/windows/security/threat-protection/auditing/event-4724.md +++ b/windows/security/threat-protection/auditing/event-4724.md @@ -2,7 +2,6 @@ title: 4724(S, F) An attempt was made to reset an account's password. description: Describes security event 4724(S, F) An attempt was made to reset an account's password. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md index 55cad0f2a1..5b0a882eac 100644 --- a/windows/security/threat-protection/auditing/event-4725.md +++ b/windows/security/threat-protection/auditing/event-4725.md @@ -2,7 +2,6 @@ title: 4725(S) A user account was disabled. description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md index a947159c47..08c38bd0b8 100644 --- a/windows/security/threat-protection/auditing/event-4726.md +++ b/windows/security/threat-protection/auditing/event-4726.md @@ -2,7 +2,6 @@ title: 4726(S) A user account was deleted. description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md index 2c65171ef1..f932a95fbb 100644 --- a/windows/security/threat-protection/auditing/event-4731.md +++ b/windows/security/threat-protection/auditing/event-4731.md @@ -2,7 +2,6 @@ title: 4731(S) A security-enabled local group was created. description: Describes security event 4731(S) A security-enabled local group was created. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index 00d16da21d..2256f550a0 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -2,7 +2,6 @@ title: 4732(S) A member was added to a security-enabled local group. description: Describes security event 4732(S) A member was added to a security-enabled local group. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index 926066fb81..9dadc5c6bf 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -2,7 +2,6 @@ title: 4733(S) A member was removed from a security-enabled local group. description: Describes security event 4733(S) A member was removed from a security-enabled local group. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md index c2af62b2bc..ec84652e18 100644 --- a/windows/security/threat-protection/auditing/event-4734.md +++ b/windows/security/threat-protection/auditing/event-4734.md @@ -2,7 +2,6 @@ title: 4734(S) A security-enabled local group was deleted. description: Describes security event 4734(S) A security-enabled local group was deleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index a08fb0391f..7aadb30077 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -2,7 +2,6 @@ title: 4735(S) A security-enabled local group was changed. description: Describes security event 4735(S) A security-enabled local group was changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index be3bf1a1e5..2bf505a3b7 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -2,7 +2,6 @@ title: 4738(S) A user account was changed. description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index 8b6090da8d..3aac4840a8 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md @@ -2,7 +2,6 @@ title: 4739(S) Domain Policy was changed. description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md index 9fae037e5f..5447618950 100644 --- a/windows/security/threat-protection/auditing/event-4740.md +++ b/windows/security/threat-protection/auditing/event-4740.md @@ -2,7 +2,6 @@ title: 4740(S) A user account was locked out. description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index e26b0c96b3..37842d6609 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -2,7 +2,6 @@ title: 4741(S) A computer account was created. description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 4a82933448..a397156de0 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -2,7 +2,6 @@ title: 4742(S) A computer account was changed. description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index 4f3da1ff73..7761fa540b 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -2,7 +2,6 @@ title: 4743(S) A computer account was deleted. description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md index 94f70a7eae..f0d009b637 100644 --- a/windows/security/threat-protection/auditing/event-4749.md +++ b/windows/security/threat-protection/auditing/event-4749.md @@ -2,7 +2,6 @@ title: 4749(S) A security-disabled global group was created. description: Describes security event 4749(S) A security-disabled global group was created. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index 98025cf33c..3a7433f4de 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -2,7 +2,6 @@ title: 4750(S) A security-disabled global group was changed. description: Describes security event 4750(S) A security-disabled global group was changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index d28e5a4ace..cf6278c300 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -2,7 +2,6 @@ title: 4751(S) A member was added to a security-disabled global group. description: Describes security event 4751(S) A member was added to a security-disabled global group. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index 937c2d5d78..e81f6a3046 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -2,7 +2,6 @@ title: 4752(S) A member was removed from a security-disabled global group. description: Describes security event 4752(S) A member was removed from a security-disabled global group. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md index e03d2dad24..ad1a890f3c 100644 --- a/windows/security/threat-protection/auditing/event-4753.md +++ b/windows/security/threat-protection/auditing/event-4753.md @@ -2,7 +2,6 @@ title: 4753(S) A security-disabled global group was deleted. description: Describes security event 4753(S) A security-disabled global group was deleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 28615743d5..7edbd2330a 100644 --- a/windows/security/threat-protection/auditing/event-4764.md +++ b/windows/security/threat-protection/auditing/event-4764.md @@ -2,7 +2,6 @@ title: 4764(S) A group's type was changed. description: Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md index b7e4d12932..6f98fc7e25 100644 --- a/windows/security/threat-protection/auditing/event-4765.md +++ b/windows/security/threat-protection/auditing/event-4765.md @@ -2,7 +2,6 @@ title: 4765(S) SID History was added to an account. description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md index 6ec2b6bbf3..59ca2a65fa 100644 --- a/windows/security/threat-protection/auditing/event-4766.md +++ b/windows/security/threat-protection/auditing/event-4766.md @@ -2,7 +2,6 @@ title: 4766(F) An attempt to add SID History to an account failed. description: Describes security event 4766(F) An attempt to add SID History to an account failed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md index e18080c9e3..8ef81340aa 100644 --- a/windows/security/threat-protection/auditing/event-4767.md +++ b/windows/security/threat-protection/auditing/event-4767.md @@ -2,7 +2,6 @@ title: 4767(S) A user account was unlocked. description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 9af99fe83b..d0f63ca03a 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -2,7 +2,6 @@ title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 10/20/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 2605d404c9..dde7e668e1 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -2,7 +2,6 @@ title: 4769(S, F) A Kerberos service ticket was requested. description: Describes security event 4769(S, F) A Kerberos service ticket was requested. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index e0206db3db..398468db3c 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -2,7 +2,6 @@ title: 4770(S) A Kerberos service ticket was renewed. description: Describes security event 4770(S) A Kerberos service ticket was renewed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index bad7f21c77..cfe1bcfb82 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -2,7 +2,6 @@ title: 4771(F) Kerberos pre-authentication failed. description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.collection: - highpri - tier3 diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md index 1bb81355f0..6222ece1bb 100644 --- a/windows/security/threat-protection/auditing/event-4772.md +++ b/windows/security/threat-protection/auditing/event-4772.md @@ -2,7 +2,6 @@ title: 4772(F) A Kerberos authentication ticket request failed. description: Describes security event 4772(F) A Kerberos authentication ticket request failed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md index a966cf2abd..3741a22b02 100644 --- a/windows/security/threat-protection/auditing/event-4773.md +++ b/windows/security/threat-protection/auditing/event-4773.md @@ -2,7 +2,6 @@ title: 4773(F) A Kerberos service ticket request failed. description: Describes security event 4773(F) A Kerberos service ticket request failed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md index 5c9253d51a..25e3fe2dab 100644 --- a/windows/security/threat-protection/auditing/event-4774.md +++ b/windows/security/threat-protection/auditing/event-4774.md @@ -2,7 +2,6 @@ title: 4774(S, F) An account was mapped for logon. description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md index 35264e2c50..2090c1e52e 100644 --- a/windows/security/threat-protection/auditing/event-4775.md +++ b/windows/security/threat-protection/auditing/event-4775.md @@ -2,7 +2,6 @@ title: 4775(F) An account could not be mapped for logon. description: Describes security event 4775(F) An account could not be mapped for logon. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index 736a967ea4..7911aa31f0 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -2,7 +2,6 @@ title: 4776(S, F) The computer attempted to validate the credentials for an account. description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/13/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.collection: - highpri - tier3 diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md index f14f4b4a58..a24c5864eb 100644 --- a/windows/security/threat-protection/auditing/event-4777.md +++ b/windows/security/threat-protection/auditing/event-4777.md @@ -2,7 +2,6 @@ title: 4777(F) The domain controller failed to validate the credentials for an account. description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index d9a5bd2d94..0399f1f5c4 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -2,7 +2,6 @@ title: 4778(S) A session was reconnected to a Window Station. description: Describes security event 4778(S) A session was reconnected to a Window Station. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 3ab94db6fb..5852da5e2a 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -2,7 +2,6 @@ title: 4779(S) A session was disconnected from a Window Station. description: Describes security event 4779(S) A session was disconnected from a Window Station. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md index 8bc11f4997..e7c43cf82e 100644 --- a/windows/security/threat-protection/auditing/event-4780.md +++ b/windows/security/threat-protection/auditing/event-4780.md @@ -2,7 +2,6 @@ title: 4780(S) The ACL was set on accounts which are members of administrators groups. description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md index 3918ee0ef1..96fd56086f 100644 --- a/windows/security/threat-protection/auditing/event-4781.md +++ b/windows/security/threat-protection/auditing/event-4781.md @@ -2,7 +2,6 @@ title: 4781(S) The name of an account was changed. description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index 83020ee642..4f20ae39d6 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -2,7 +2,6 @@ title: 4782(S) The password hash of an account was accessed. description: Describes security event 4782(S) The password hash of an account was accessed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index 4774459a71..713ca3f5de 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -2,7 +2,6 @@ title: 4793(S) The Password Policy Checking API was called. description: Describes security event 4793(S) The Password Policy Checking API was called. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md index ed8e9aebdc..29e851f761 100644 --- a/windows/security/threat-protection/auditing/event-4794.md +++ b/windows/security/threat-protection/auditing/event-4794.md @@ -2,7 +2,6 @@ title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md index 8c5e7d3c50..7a66f7461c 100644 --- a/windows/security/threat-protection/auditing/event-4798.md +++ b/windows/security/threat-protection/auditing/event-4798.md @@ -2,7 +2,6 @@ title: 4798(S) A user's local group membership was enumerated. description: Describes security event 4798(S) A user's local group membership was enumerated. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md index a089e448f4..7b4aead71c 100644 --- a/windows/security/threat-protection/auditing/event-4799.md +++ b/windows/security/threat-protection/auditing/event-4799.md @@ -2,7 +2,6 @@ title: 4799(S) A security-enabled local group membership was enumerated. description: Describes security event 4799(S) A security-enabled local group membership was enumerated. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md index fcacf65cb0..35f11545c6 100644 --- a/windows/security/threat-protection/auditing/event-4800.md +++ b/windows/security/threat-protection/auditing/event-4800.md @@ -2,7 +2,6 @@ title: 4800(S) The workstation was locked. description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md index 94d9dee683..348ba5fce6 100644 --- a/windows/security/threat-protection/auditing/event-4801.md +++ b/windows/security/threat-protection/auditing/event-4801.md @@ -2,7 +2,6 @@ title: 4801(S) The workstation was unlocked. description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md index 82492616cc..9884000aae 100644 --- a/windows/security/threat-protection/auditing/event-4802.md +++ b/windows/security/threat-protection/auditing/event-4802.md @@ -2,7 +2,6 @@ title: 4802(S) The screen saver was invoked. description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md index 497a3a8d07..8fae699b17 100644 --- a/windows/security/threat-protection/auditing/event-4803.md +++ b/windows/security/threat-protection/auditing/event-4803.md @@ -2,7 +2,6 @@ title: 4803(S) The screen saver was dismissed. description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md index be77d5a97c..3cfcc91bde 100644 --- a/windows/security/threat-protection/auditing/event-4816.md +++ b/windows/security/threat-protection/auditing/event-4816.md @@ -2,7 +2,6 @@ title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index e166782510..685c9a0c84 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -2,7 +2,6 @@ title: 4817(S) Auditing settings on object were changed. description: Describes security event 4817(S) Auditing settings on object were changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md index 127a71406e..b502dcb97b 100644 --- a/windows/security/threat-protection/auditing/event-4818.md +++ b/windows/security/threat-protection/auditing/event-4818.md @@ -2,7 +2,6 @@ title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md index 0e479a57b1..b1b3d80845 100644 --- a/windows/security/threat-protection/auditing/event-4819.md +++ b/windows/security/threat-protection/auditing/event-4819.md @@ -2,7 +2,6 @@ title: 4819(S) Central Access Policies on the machine have been changed. description: Describes security event 4819(S) Central Access Policies on the machine have been changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 2e79af5e64..d776cba974 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -2,7 +2,6 @@ title: 4826(S) Boot Configuration Data loaded. description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index cbed773c60..3d52b57ab7 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -2,7 +2,6 @@ title: 4864(S) A namespace collision was detected. description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md index 8b792069f3..f98be7ebdc 100644 --- a/windows/security/threat-protection/auditing/event-4865.md +++ b/windows/security/threat-protection/auditing/event-4865.md @@ -2,7 +2,6 @@ title: 4865(S) A trusted forest information entry was added. description: Describes security event 4865(S) A trusted forest information entry was added. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md index 2ec48bdf4f..f138df2d0a 100644 --- a/windows/security/threat-protection/auditing/event-4866.md +++ b/windows/security/threat-protection/auditing/event-4866.md @@ -2,7 +2,6 @@ title: 4866(S) A trusted forest information entry was removed. description: Describes security event 4866(S) A trusted forest information entry was removed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md index b4affb0ff4..e86b7b7afe 100644 --- a/windows/security/threat-protection/auditing/event-4867.md +++ b/windows/security/threat-protection/auditing/event-4867.md @@ -2,7 +2,6 @@ title: 4867(S) A trusted forest information entry was modified. description: Describes security event 4867(S) A trusted forest information entry was modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md index a53fd03d58..0cd35ad40a 100644 --- a/windows/security/threat-protection/auditing/event-4902.md +++ b/windows/security/threat-protection/auditing/event-4902.md @@ -2,7 +2,6 @@ title: 4902(S) The Per-user audit policy table was created. description: Describes security event 4902(S) The Per-user audit policy table was created. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md index 1f7335e6da..0da52bcaf6 100644 --- a/windows/security/threat-protection/auditing/event-4904.md +++ b/windows/security/threat-protection/auditing/event-4904.md @@ -2,7 +2,6 @@ title: 4904(S) An attempt was made to register a security event source. description: Describes security event 4904(S) An attempt was made to register a security event source. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/07/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md index c710230070..bda5be072e 100644 --- a/windows/security/threat-protection/auditing/event-4905.md +++ b/windows/security/threat-protection/auditing/event-4905.md @@ -2,7 +2,6 @@ title: 4905(S) An attempt was made to unregister a security event source. description: Describes security event 4905(S) An attempt was made to unregister a security event source. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md index 2cdc197a9b..ba0d53e713 100644 --- a/windows/security/threat-protection/auditing/event-4906.md +++ b/windows/security/threat-protection/auditing/event-4906.md @@ -2,7 +2,6 @@ title: 4906(S) The CrashOnAuditFail value has changed. description: Describes security event 4906(S) The CrashOnAuditFail value has changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index 91ed3cfa75..413c994ac3 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -2,7 +2,6 @@ title: 4907(S) Auditing settings on object were changed. description: Describes security event 4907(S) Auditing settings on object were changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index 58d9d7331a..3f6c135f60 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -2,7 +2,6 @@ title: 4908(S) Special Groups Logon table modified. description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md index 6420bf04c1..d1a8711011 100644 --- a/windows/security/threat-protection/auditing/event-4909.md +++ b/windows/security/threat-protection/auditing/event-4909.md @@ -2,7 +2,6 @@ title: 4909(-) The local policy settings for the TBS were changed. description: Describes security event 4909(-) The local policy settings for the TBS were changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md index a541352ac0..37f4293a84 100644 --- a/windows/security/threat-protection/auditing/event-4910.md +++ b/windows/security/threat-protection/auditing/event-4910.md @@ -2,7 +2,6 @@ title: 4910(-) The group policy settings for the TBS were changed. description: Describes security event 4910(-) The group policy settings for the TBS were changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index c31636a2f6..ea45660bc8 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -2,7 +2,6 @@ title: 4911(S) Resource attributes of the object were changed. description: Describes security event 4911(S) Resource attributes of the object were changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index 152e9607f3..8670490796 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -2,7 +2,6 @@ title: 4912(S) Per User Audit Policy was changed. description: Describes security event 4912(S) Per User Audit Policy was changed. This event is generated every time Per User Audit Policy is changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 5da5f88ef9..279791472e 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -2,7 +2,6 @@ title: 4913(S) Central Access Policy on the object was changed. description: Describes security event 4913(S) Central Access Policy on the object was changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 371f4689c7..370b7401c1 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -2,7 +2,6 @@ title: 4928(S, F) An Active Directory replica source naming context was established. description: Describes security event 4928(S, F) An Active Directory replica source naming context was established. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index 288d0528f8..76891ca2a8 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -2,7 +2,6 @@ title: 4929(S, F) An Active Directory replica source naming context was removed. description: Describes security event 4929(S, F) An Active Directory replica source naming context was removed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index ca6a21d07a..5b50e911b7 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -2,7 +2,6 @@ title: 4930(S, F) An Active Directory replica source naming context was modified. description: Describes security event 4930(S, F) An Active Directory replica source naming context was modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 0f1f2d11af..253625ddd5 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -2,7 +2,6 @@ title: 4931(S, F) An Active Directory replica destination naming context was modified. description: Describes security event 4931(S, F) An Active Directory replica destination naming context was modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index 574e020321..94321a4fc3 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md @@ -2,7 +2,6 @@ title: 4932(S) Synchronization of a replica of an Active Directory naming context has begun. description: Describes security event 4932(S) Synchronization of a replica of an Active Directory naming context has begun. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md index 54e6d63dd5..7747d4c6e7 100644 --- a/windows/security/threat-protection/auditing/event-4933.md +++ b/windows/security/threat-protection/auditing/event-4933.md @@ -2,7 +2,6 @@ title: 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. description: Describes security event 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md index 363e2dea0f..52cfbf71f4 100644 --- a/windows/security/threat-protection/auditing/event-4934.md +++ b/windows/security/threat-protection/auditing/event-4934.md @@ -2,7 +2,6 @@ title: 4934(S) Attributes of an Active Directory object were replicated. description: Describes security event 4934(S) Attributes of an Active Directory object were replicated. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md index 04b067063a..cff9eedb80 100644 --- a/windows/security/threat-protection/auditing/event-4935.md +++ b/windows/security/threat-protection/auditing/event-4935.md @@ -2,7 +2,6 @@ title: 4935(F) Replication failure begins. description: Describes security event 4935(F) Replication failure begins. This event is generated when Active Directory replication failure begins. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md index 04fb5a689c..fb2ebfa921 100644 --- a/windows/security/threat-protection/auditing/event-4936.md +++ b/windows/security/threat-protection/auditing/event-4936.md @@ -2,7 +2,6 @@ title: 4936(S) Replication failure ends. description: Describes security event 4936(S) Replication failure ends. This event is generated when Active Directory replication failure ends. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md index ad871628bd..d368e3a4b5 100644 --- a/windows/security/threat-protection/auditing/event-4937.md +++ b/windows/security/threat-protection/auditing/event-4937.md @@ -2,7 +2,6 @@ title: 4937(S) A lingering object was removed from a replica. description: Describes security event 4937(S) A lingering object was removed from a replica. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md index d93811a130..44a42b082b 100644 --- a/windows/security/threat-protection/auditing/event-4944.md +++ b/windows/security/threat-protection/auditing/event-4944.md @@ -2,7 +2,6 @@ title: 4944(S) The following policy was active when the Windows Firewall started. description: Describes security event 4944(S) The following policy was active when the Windows Firewall started. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index 8099cfeca6..446c3da541 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -2,7 +2,6 @@ title: 4945(S) A rule was listed when the Windows Firewall started. description: Describes security event 4945(S) A rule was listed when the Windows Firewall started. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 077de83d96..a823ec76fa 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -2,7 +2,6 @@ title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md index 7647e63929..0eff4491dc 100644 --- a/windows/security/threat-protection/auditing/event-4947.md +++ b/windows/security/threat-protection/auditing/event-4947.md @@ -2,7 +2,6 @@ title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 9000f97907..66e43ae5bd 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -2,7 +2,6 @@ title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md index 188a147179..c2ca64e36a 100644 --- a/windows/security/threat-protection/auditing/event-4949.md +++ b/windows/security/threat-protection/auditing/event-4949.md @@ -2,7 +2,6 @@ title: 4949(S) Windows Firewall settings were restored to the default values. description: Describes security event 4949(S) Windows Firewall settings were restored to the default values. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index 4b7c3ef8da..fe1a3cacc8 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -2,7 +2,6 @@ title: 4950(S) A Windows Firewall setting has changed. description: Describes security event 4950(S) A Windows Firewall setting has changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index 3922a0d9bc..e83a14e571 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -2,7 +2,6 @@ title: 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. description: Describes security event 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md index 1b2c9a1677..d727a8f210 100644 --- a/windows/security/threat-protection/auditing/event-4952.md +++ b/windows/security/threat-protection/auditing/event-4952.md @@ -2,7 +2,6 @@ title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. description: Security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index dcb48de16e..a729e5af8e 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -2,7 +2,6 @@ title: 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. description: Describes security event 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md index 42e1732841..cdb31c5fbb 100644 --- a/windows/security/threat-protection/auditing/event-4954.md +++ b/windows/security/threat-protection/auditing/event-4954.md @@ -2,7 +2,6 @@ title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md index ab54b58db2..299e21d03c 100644 --- a/windows/security/threat-protection/auditing/event-4956.md +++ b/windows/security/threat-protection/auditing/event-4956.md @@ -2,7 +2,6 @@ title: 4956(S) Windows Firewall has changed the active profile. description: Describes security event 4956(S) Windows Firewall has changed the active profile. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index 0049947eee..a2fd4fd1b8 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -2,7 +2,6 @@ title: 4957(F) Windows Firewall did not apply the following rule. description: Describes security event 4957(F) Windows Firewall didn't apply the following rule. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index f1cbaa0f1d..b46bed82ca 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -2,7 +2,6 @@ title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. description: Describes security event 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index 5567fdf5b4..12b5bf4a9b 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -2,7 +2,6 @@ title: 4964(S) Special groups have been assigned to a new logon. description: Describes security event 4964(S) Special groups have been assigned to a new logon. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md index 4caca31a8e..843551f1d1 100644 --- a/windows/security/threat-protection/auditing/event-4985.md +++ b/windows/security/threat-protection/auditing/event-4985.md @@ -2,7 +2,6 @@ title: 4985(S) The state of a transaction has changed. description: Describes security event 4985(S) The state of a transaction has changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md index ff2c44088f..00353b46f9 100644 --- a/windows/security/threat-protection/auditing/event-5024.md +++ b/windows/security/threat-protection/auditing/event-5024.md @@ -2,7 +2,6 @@ title: 5024(S) The Windows Firewall Service has started successfully. description: Describes security event 5024(S) The Windows Firewall Service has started successfully. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md index 334431f02f..d13e773f3e 100644 --- a/windows/security/threat-protection/auditing/event-5025.md +++ b/windows/security/threat-protection/auditing/event-5025.md @@ -2,7 +2,6 @@ title: 5025(S) The Windows Firewall Service has been stopped. description: Describes security event 5025(S) The Windows Firewall Service has been stopped. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md index 1633648148..f9bd6770a1 100644 --- a/windows/security/threat-protection/auditing/event-5027.md +++ b/windows/security/threat-protection/auditing/event-5027.md @@ -2,7 +2,6 @@ title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md index c83b0a955a..8c49e63b2b 100644 --- a/windows/security/threat-protection/auditing/event-5028.md +++ b/windows/security/threat-protection/auditing/event-5028.md @@ -2,7 +2,6 @@ title: 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. description: Describes security event 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md index 4050293075..dfa020140d 100644 --- a/windows/security/threat-protection/auditing/event-5029.md +++ b/windows/security/threat-protection/auditing/event-5029.md @@ -2,7 +2,6 @@ title: 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. description: Describes security event 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index 19faefd2f3..145336f252 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -2,7 +2,6 @@ title: 5030(F) The Windows Firewall Service failed to start. description: Describes security event 5030(F) The Windows Firewall Service failed to start. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index 1187494a86..c569dbc016 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -5,13 +5,11 @@ manager: aaroncz ms.author: vinpa description: Describes security event 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low author: vinaypamnani-msft ms.date: 09/08/2021 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md index 369d590db9..f982635697 100644 --- a/windows/security/threat-protection/auditing/event-5032.md +++ b/windows/security/threat-protection/auditing/event-5032.md @@ -2,7 +2,6 @@ title: 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. description: Describes security event 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md index bd275a6463..65e7a2f819 100644 --- a/windows/security/threat-protection/auditing/event-5033.md +++ b/windows/security/threat-protection/auditing/event-5033.md @@ -2,7 +2,6 @@ title: 5033(S) The Windows Firewall Driver has started successfully. description: Describes security event 5033(S) The Windows Firewall Driver has started successfully. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md index bd017daa1f..604aaafc09 100644 --- a/windows/security/threat-protection/auditing/event-5034.md +++ b/windows/security/threat-protection/auditing/event-5034.md @@ -2,7 +2,6 @@ title: 5034(S) The Windows Firewall Driver was stopped. description: Describes security event 5034(S) The Windows Firewall Driver was stopped. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md index cda5f7ddc7..b0290be5fc 100644 --- a/windows/security/threat-protection/auditing/event-5035.md +++ b/windows/security/threat-protection/auditing/event-5035.md @@ -2,7 +2,6 @@ title: 5035(F) The Windows Firewall Driver failed to start. description: Describes security event 5035(F) The Windows Firewall Driver failed to start. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md index 6421be47c1..8f22210755 100644 --- a/windows/security/threat-protection/auditing/event-5037.md +++ b/windows/security/threat-protection/auditing/event-5037.md @@ -2,7 +2,6 @@ title: 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. description: Describes security event 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 865a9e7de3..84ad591d34 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -2,7 +2,6 @@ title: 5038(F) Code integrity determined that the image hash of a file is not valid. description: Describes security event 5038(F) Code integrity determined that the image hash of a file isn't valid. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index 3d9ba6fd9a..a1b4dc60e2 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -2,7 +2,6 @@ title: 5039(-) A registry key was virtualized. description: Describes security event 5039(-) A registry key was virtualized. This event is generated when a registry key is virtualized using LUAFV. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 706e02d603..6ced4325e8 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -2,7 +2,6 @@ title: 5051(-) A file was virtualized. description: Describes security event 5051(-) A file was virtualized. This event is generated when a file is virtualized using LUAFV. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index d67c948bf7..5130521799 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -2,7 +2,6 @@ title: 5056(S) A cryptographic self-test was performed. description: Describes security event 5056(S) A cryptographic self-test was performed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 9c4c3bbbc7..b45863a7f8 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -2,7 +2,6 @@ title: 5057(F) A cryptographic primitive operation failed. description: Describes security event 5057(F) A cryptographic primitive operation failed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index b8f43fd22c..52e292db53 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -2,7 +2,6 @@ title: 5058(S, F) Key file operation. description: Describes security event 5058(S, F) Key file operation. This event is generated when an operation is performed on a file that contains a KSP key. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md index 80656eb84c..0631adf2e0 100644 --- a/windows/security/threat-protection/auditing/event-5059.md +++ b/windows/security/threat-protection/auditing/event-5059.md @@ -2,7 +2,6 @@ title: 5059(S, F) Key migration operation. description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index 95c791073a..fda2a9d82d 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -2,7 +2,6 @@ title: 5060(F) Verification operation failed. description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index 37ce0fe43d..7d05fab9d4 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -2,7 +2,6 @@ title: 5061(S, F) Cryptographic operation. description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md index 8273fa0b06..50bb1114e2 100644 --- a/windows/security/threat-protection/auditing/event-5062.md +++ b/windows/security/threat-protection/auditing/event-5062.md @@ -2,7 +2,6 @@ title: 5062(S) A kernel-mode cryptographic self-test was performed. description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 111a1bebce..1d05f6f799 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -2,7 +2,6 @@ title: 5063(S, F) A cryptographic provider operation was attempted. description: Describes security event 5063(S, F) A cryptographic provider operation was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 3414385e9f..f727a5f6af 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -2,7 +2,6 @@ title: 5064(S, F) A cryptographic context operation was attempted. description: Describes security event 5064(S, F) A cryptographic context operation was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 2543372fd8..e94042c052 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -2,7 +2,6 @@ title: 5065(S, F) A cryptographic context modification was attempted. description: Describes security event 5065(S, F) A cryptographic context modification was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 6385f0488a..4aabb3e542 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -2,7 +2,6 @@ title: 5066(S, F) A cryptographic function operation was attempted. description: Describes security event 5066(S, F) A cryptographic function operation was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 16a2775d06..d7a4d6a6b2 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -2,7 +2,6 @@ title: 5067(S, F) A cryptographic function modification was attempted. description: Describes security event 5067(S, F) A cryptographic function modification was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index 49659e38f5..a86f4345b5 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -2,7 +2,6 @@ title: 5068(S, F) A cryptographic function provider operation was attempted. description: Describes security event 5068(S, F) A cryptographic function provider operation was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index ffcfb92ca9..15b6f1bbe3 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -2,7 +2,6 @@ title: 5069(S, F) A cryptographic function property operation was attempted. description: Describes security event 5069(S, F) A cryptographic function property operation was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index 079cb18504..afdb292917 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -2,7 +2,6 @@ title: 5070(S, F) A cryptographic function property modification was attempted. description: Describes security event 5070(S, F) A cryptographic function property modification was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index e71aa708cc..c4d5e84029 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -2,7 +2,6 @@ title: 5136(S) A directory service object was modified. description: Describes security event 5136(S) A directory service object was modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index e7d10b0197..49ade1e081 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md @@ -2,7 +2,6 @@ title: 5137(S) A directory service object was created. description: Describes security event 5137(S) A directory service object was created. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index 1120df1fc3..7dac9ef63f 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -2,7 +2,6 @@ title: 5138(S) A directory service object was undeleted. description: Describes security event 5138(S) A directory service object was undeleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index 09ca54dca4..2b06e5309c 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -2,7 +2,6 @@ title: 5139(S) A directory service object was moved. description: Describes security event 5139(S) A directory service object was moved. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index d79d99892e..e0afa21cd5 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -2,7 +2,6 @@ title: 5140(S, F) A network share object was accessed. description: Describes security event 5140(S, F) A network share object was accessed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index e70a399593..dfdea7ca5f 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -2,7 +2,6 @@ title: 5141(S) A directory service object was deleted. description: Describes security event 5141(S) A directory service object was deleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index 790b6ea8f0..4620f55d07 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -2,7 +2,6 @@ title: 5142(S) A network share object was added. description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index e26f69e294..f7f04d6cf0 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -2,7 +2,6 @@ title: 5143(S) A network share object was modified. description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 6d6a16e1af..df41963e27 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -2,7 +2,6 @@ title: 5144(S) A network share object was deleted. description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index 32fef4024d..783c17d59f 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -2,7 +2,6 @@ title: 5145(S, F) A network share object was checked to see whether client can be granted desired access. description: Describes security event 5145(S, F) A network share object was checked to see whether client can be granted desired access. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index 291a541e11..9eb90940af 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -2,7 +2,6 @@ title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. description: Details on Security event 5148(F), The Windows Filtering Platform has detected a DoS attack and entered a defensive mode. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index 0f37543acf..f1c753d3a9 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -2,7 +2,6 @@ title: 5149(F) The DoS attack has subsided and normal processing is being resumed. description: Describes security event 5149(F) The DoS attack has subsided and normal processing is being resumed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index aa56f896dc..a5f3e3b184 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -2,7 +2,6 @@ title: 5150(-) The Windows Filtering Platform blocked a packet. description: Describes security event 5150(-) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 22dcd9a63e..92c88cdf47 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -2,7 +2,6 @@ title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. description: Describes security event 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index 363a095741..0c38edef1f 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md @@ -2,7 +2,6 @@ title: 5152(F) The Windows Filtering Platform blocked a packet. description: Describes security event 5152(F) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md index a46227f056..0fe85f8e85 100644 --- a/windows/security/threat-protection/auditing/event-5153.md +++ b/windows/security/threat-protection/auditing/event-5153.md @@ -2,7 +2,6 @@ title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index 76424d3ca5..d99a804e12 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -2,7 +2,6 @@ title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index 89e206fdbb..883e22bd27 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -2,7 +2,6 @@ title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index 95b20ccfcf..5c4dd19d0c 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -2,7 +2,6 @@ title: 5156(S) The Windows Filtering Platform has permitted a connection. description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index cce391d0d8..2042aa3cb3 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md @@ -2,7 +2,6 @@ title: 5157(F) The Windows Filtering Platform has blocked a connection. description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index 7152b22478..42d2e97dd8 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -2,7 +2,6 @@ title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index 1c163b30dc..e73c67f9da 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -2,7 +2,6 @@ title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index f961f15bab..f29c101e31 100644 --- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -2,7 +2,6 @@ title: 5168(F) SPN check for SMB/SMB2 failed. description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md index 0f2be5a04a..ea9979f965 100644 --- a/windows/security/threat-protection/auditing/event-5376.md +++ b/windows/security/threat-protection/auditing/event-5376.md @@ -2,7 +2,6 @@ title: 5376(S) Credential Manager credentials were backed up. description: Describes security event 5376(S) Credential Manager credentials were backed up. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md index d5a1660220..e5a9be7063 100644 --- a/windows/security/threat-protection/auditing/event-5377.md +++ b/windows/security/threat-protection/auditing/event-5377.md @@ -2,7 +2,6 @@ title: 5377(S) Credential Manager credentials were restored from a backup. description: Describes security event 5377(S) Credential Manager credentials were restored from a backup. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md index 25c68deee6..6d1ac9a70f 100644 --- a/windows/security/threat-protection/auditing/event-5378.md +++ b/windows/security/threat-protection/auditing/event-5378.md @@ -2,7 +2,6 @@ title: 5378(F) The requested credentials delegation was disallowed by policy. description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md index d1ffd6b03d..a3065a4f0a 100644 --- a/windows/security/threat-protection/auditing/event-5447.md +++ b/windows/security/threat-protection/auditing/event-5447.md @@ -2,7 +2,6 @@ title: 5447(S) A Windows Filtering Platform filter has been changed. description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index 0815f5d12f..8b751f272e 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -2,7 +2,6 @@ title: 5632(S, F) A request was made to authenticate to a wireless network. description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index bf786c1d2d..5c2c68695a 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -2,7 +2,6 @@ title: 5633(S, F) A request was made to authenticate to a wired network. description: Describes security event 5633(S, F) A request was made to authenticate to a wired network. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md index a7ec0a5e10..8fe2ad8714 100644 --- a/windows/security/threat-protection/auditing/event-5712.md +++ b/windows/security/threat-protection/auditing/event-5712.md @@ -2,7 +2,6 @@ title: 5712(S) A Remote Procedure Call (RPC) was attempted. description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md index 47bfb7e52c..7f06d1e907 100644 --- a/windows/security/threat-protection/auditing/event-5888.md +++ b/windows/security/threat-protection/auditing/event-5888.md @@ -2,7 +2,6 @@ title: 5888(S) An object in the COM+ Catalog was modified. description: Describes security event 5888(S) An object in the COM+ Catalog was modified. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md index 21bced3526..32bd5bffd8 100644 --- a/windows/security/threat-protection/auditing/event-5889.md +++ b/windows/security/threat-protection/auditing/event-5889.md @@ -2,7 +2,6 @@ title: 5889(S) An object was deleted from the COM+ Catalog. description: Describes security event 5889(S) An object was deleted from the COM+ Catalog. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md index 652453190a..959e6fd3e4 100644 --- a/windows/security/threat-protection/auditing/event-5890.md +++ b/windows/security/threat-protection/auditing/event-5890.md @@ -2,7 +2,6 @@ title: 5890(S) An object was added to the COM+ Catalog. description: Describes security event 5890(S) An object was added to the COM+ Catalog. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index b58495dff5..826d274d51 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -2,7 +2,6 @@ title: 6144(S) Security policy in the group policy objects has been applied successfully. description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index 690cca9856..a5e630ff72 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -2,7 +2,6 @@ title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/08/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index b740282ddf..307122724f 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md @@ -2,7 +2,6 @@ title: 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index 8ea567df22..0f1bdbe078 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -2,7 +2,6 @@ title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 6216a8ab19..56a4cdce4c 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -2,7 +2,6 @@ title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 6e00df66af..5e47ee6c4d 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -2,7 +2,6 @@ title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index 92b228cf4a..f442562eb5 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -2,7 +2,6 @@ title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index ef4073df30..387de30aa7 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -2,7 +2,6 @@ title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index 63fc073a30..50bb5a679b 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md @@ -2,7 +2,6 @@ title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index 057f4579b7..758b702bb1 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -2,7 +2,6 @@ title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index 40c5e05deb..7c1f4a4e30 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -2,7 +2,6 @@ title: 6407(-) 1%. description: Describes security event 6407(-) 1%. This event is a BranchCache event, which is outside the scope of this document. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md index 6c5f475831..ccdc08387f 100644 --- a/windows/security/threat-protection/auditing/event-6408.md +++ b/windows/security/threat-protection/auditing/event-6408.md @@ -2,7 +2,6 @@ title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index c1fbba806a..8ad3091f3a 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -2,7 +2,6 @@ title: 6409(-) BranchCache A service connection point object could not be parsed. description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index a2b8474480..c9dc6f669c 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -2,7 +2,6 @@ title: 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process. description: Describes security event 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md index 352f1eabbb..8629acdd90 100644 --- a/windows/security/threat-protection/auditing/event-6416.md +++ b/windows/security/threat-protection/auditing/event-6416.md @@ -2,7 +2,6 @@ title: 6416(S) A new external device was recognized by the System. description: Describes security event 6416(S) A new external device was recognized by the System. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md index e44f35c6ff..e5dfac4ae6 100644 --- a/windows/security/threat-protection/auditing/event-6419.md +++ b/windows/security/threat-protection/auditing/event-6419.md @@ -2,7 +2,6 @@ title: 6419(S) A request was made to disable a device. description: Describes security event 6419(S) A request was made to disable a device. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md index 951cd5e25d..068cc2db0e 100644 --- a/windows/security/threat-protection/auditing/event-6420.md +++ b/windows/security/threat-protection/auditing/event-6420.md @@ -2,7 +2,6 @@ title: 6420(S) A device was disabled. description: Describes security event 6420(S) A device was disabled. This event is generated when a specific device is disabled. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md index 866bdda53e..778380652b 100644 --- a/windows/security/threat-protection/auditing/event-6421.md +++ b/windows/security/threat-protection/auditing/event-6421.md @@ -2,7 +2,6 @@ title: 6421(S) A request was made to enable a device. description: Describes security event 6421(S) A request was made to enable a device. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md index 7411ffa42b..5ff3f69b78 100644 --- a/windows/security/threat-protection/auditing/event-6422.md +++ b/windows/security/threat-protection/auditing/event-6422.md @@ -2,7 +2,6 @@ title: 6422(S) A device was enabled. description: Describes security event 6422(S) A device was enabled. This event is generated when a specific device is enabled. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md index ebf46bad15..3aeaebb602 100644 --- a/windows/security/threat-protection/auditing/event-6423.md +++ b/windows/security/threat-protection/auditing/event-6423.md @@ -2,7 +2,6 @@ title: 6423(S) The installation of this device is forbidden by system policy. description: Describes security event 6423(S) The installation of this device is forbidden by system policy. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md index ef8f789bd2..5d206fb5f9 100644 --- a/windows/security/threat-protection/auditing/event-6424.md +++ b/windows/security/threat-protection/auditing/event-6424.md @@ -2,7 +2,6 @@ title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: low @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md index 9e83c5b9cc..ccbd578203 100644 --- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md @@ -4,7 +4,6 @@ description: The policy setting, File System (Global Object Access Auditing), en ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # File System (Global Object Access Auditing) diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index ba9bfd059d..0c2a17c7e0 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -1,7 +1,6 @@ --- title: How to get a list of XML data name elements in description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in . -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index 2f42573827..2db4bc7e3a 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md @@ -4,7 +4,6 @@ description: Learn how to use advanced security auditing options to monitor chan ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Monitor central access policy and rule definitions diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md index 60d4da3a45..13bd276728 100644 --- a/windows/security/threat-protection/auditing/monitor-claim-types.md +++ b/windows/security/threat-protection/auditing/monitor-claim-types.md @@ -4,7 +4,6 @@ description: Learn how to monitor changes to claim types that are associated wit ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Monitor claim types diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index 69a7d74967..0554f4f44d 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md @@ -4,7 +4,6 @@ description: Learn how to monitor changes to resource attribute definitions when ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Monitor resource attribute definitions diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index 19e11f0da4..0086d38798 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -4,7 +4,6 @@ description: Monitor changes to central access policies associated with files an ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Monitor the central access policies associated with files and folders diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index 84de3a7b3a..01731d7b6e 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -4,7 +4,6 @@ description: Learn how to monitor changes to the central access policies that ap ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Monitor the central access policies that apply on a file server diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index 21f8121312..37a5df774a 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md @@ -4,7 +4,6 @@ description: Learn how to use advanced security auditing options to monitor atte ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Monitor the resource attributes on files and folders diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 26a826e404..4e187a67d2 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -4,7 +4,6 @@ description: Learn how advanced security auditing options can be used to monitor ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Monitor the use of removable storage devices diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index 7fc2ba75cf..e4792764cf 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md @@ -4,7 +4,6 @@ description: Learn how to monitor user and device claims that are associated wit ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Monitor user and device claims during sign-in diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md index 86ef4c8957..c4bdc43d1f 100644 --- a/windows/security/threat-protection/auditing/other-events.md +++ b/windows/security/threat-protection/auditing/other-events.md @@ -2,7 +2,6 @@ title: Other Events description: Describes the Other Events auditing subcategory, which includes events that are generated automatically and enabled by default. ms.pagetype: security -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +10,6 @@ ms.date: 09/09/2021 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 35b3eb2d9c..3d589a1ec4 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -4,7 +4,6 @@ description: Learn to deploy an effective security audit policy in a network tha ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Plan and deploy advanced security audit policies diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index b82b7aa8de..e411afa653 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md @@ -4,7 +4,6 @@ description: The Advanced Security Audit policy setting, Registry (Global Object ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Registry (Global Object Access Auditing) diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index a4e0800569..250f523977 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -4,7 +4,6 @@ description: Learn about security auditing features in Windows, and how your org ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Security auditing diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index 076763b3d8..bc12d22422 100644 --- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md @@ -4,7 +4,6 @@ description: Domain admins can set up advanced security audit options in Windows ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Using advanced security auditing options to monitor dynamic access control objects diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md index 88b1438852..49c2f8a769 100644 --- a/windows/security/threat-protection/auditing/view-the-security-event-log.md +++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md @@ -4,7 +4,6 @@ description: The security log records each event as defined by the audit policie ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # View the security event log diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md index 2ede0f5748..543c3f0dbc 100644 --- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -4,7 +4,6 @@ description: This reference topic for the IT professional describes which versio ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/09/2021 -ms.technology: itpro-security --- # Which editions of Windows support advanced audit policy configuration diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index aafae23e17..5dd0c7c3f0 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,12 +1,10 @@ --- title: Windows threat protection description: Describes the security capabilities in Windows client focused on threat protection -ms.prod: windows-client author: aczechowski ms.author: aaroncz manager: aaroncz ms.topic: conceptual -ms.technology: itpro-security ms.date: 12/31/2017 --- diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 365c09f330..61a3073fa1 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -1,12 +1,10 @@ --- title: Mitigate threats by using Windows 10 security features description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. -ms.prod: windows-client ms.localizationpriority: medium author: aczechowski ms.author: aaroncz manager: aaroncz -ms.technology: itpro-security ms.date: 12/31/2017 ms.topic: article --- diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index 81f50b4fda..61b895b145 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md @@ -4,7 +4,6 @@ description: Describes best practices, security considerations, and more for the ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Access Credential Manager as a trusted caller diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index f8a0e483fd..58ab435398 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 06/11/2021 -ms.technology: itpro-security --- # Access this computer from the network - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index ab6ba1901c..23acbe9b1c 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 08/16/2021 -ms.technology: itpro-security --- # Account lockout duration diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index 1872b25b41..25df645272 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -4,7 +4,6 @@ description: Describes the Account Lockout Policy settings and links to informat ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 10/11/2018 -ms.technology: itpro-security --- # Account Lockout Policy diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 2bae54f4e2..7902e5d1c9 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 11/02/2018 -ms.technology: itpro-security --- # Account lockout threshold diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md index 4504d333df..979811c1da 100644 --- a/windows/security/threat-protection/security-policy-settings/account-policies.md +++ b/windows/security/threat-protection/security-policy-settings/account-policies.md @@ -4,7 +4,6 @@ description: An overview of account policies in Windows and provides links to po ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Account Policies diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 179f5ba556..2525359221 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 08/01/2017 -ms.technology: itpro-security --- # Accounts: Administrator account status diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index 1ac6245b9b..63a3b327b9 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, management, and sec ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 08/10/2017 -ms.technology: itpro-security --- # Accounts: Block Microsoft accounts diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md index 6c768ad6d6..a61f1e0d49 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Accounts: Guest account status - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index 947a4c0f6f..a04536f260 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -4,7 +4,6 @@ description: Learn best practices, security considerations, and more for the pol ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Accounts: Limit local account use of blank passwords to console logon only diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md index 44905ab096..3740084b0b 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md @@ -4,7 +4,6 @@ description: This security policy reference topic for the IT professional descri ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Accounts: Rename administrator account diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md index d034cdf835..1f3dd3b5f6 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Accounts: Rename guest account - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md index 1bdbf787f1..cf116b92be 100644 --- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md +++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Act as part of the operating system diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md index fb594e8748..f73cdd251d 100644 --- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md +++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md @@ -3,13 +3,11 @@ title: Add workstations to domain description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting. ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Add workstations to domain diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md index 5c9b499b8b..6a963f20cf 100644 --- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md +++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Adjust memory quotas for a process diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index 3a11417c5b..be7eb4d379 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -4,7 +4,6 @@ description: This article discusses different methods to administer security pol ms.assetid: 7617d885-9d28-437a-9371-171197407599 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Administer security policy settings diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md index ec8dd1980d..0bb7fa0b5a 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Allow log on locally - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index b76363e1b5..1d44efc4b3 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Allow log on through Remote Desktop Services diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index 25ef7bc3d6..179941bc1c 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Audit: Audit the access of global system objects diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 011e035679..05c570e013 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -4,7 +4,6 @@ description: "Describes the best practices, location, values, and security consi ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/01/2019 -ms.technology: itpro-security --- # Audit: Audit the use of Backup and Restore privilege diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index 663cfb1d30..1d81955c37 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md @@ -4,7 +4,6 @@ description: Learn more about the security policy setting, Audit Force audit pol ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md index bf27ff18aa..72c1169cf3 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-policy.md +++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md @@ -4,7 +4,6 @@ description: Provides information about basic audit policies that are available ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Audit Policy diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index da06353caf..4d0ab7c979 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Audit: Shut down system immediately if unable to log security audits diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md index 3bd99b5590..1ba7777a2b 100644 --- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md @@ -4,7 +4,6 @@ description: Describes the recommended practices, location, values, policy manag ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Back up files and directories - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index f4a8745518..153da82af0 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Bypass traverse checking diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md index d985a6eaf9..7c3ac55c23 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Change the system time - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md index 3ac7b50a9c..0c3b2e17fd 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Change the time zone - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index a28a19a33f..4b5f9a7ed6 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Create a pagefile - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md index 6c50cc0ce0..e45a81f726 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Create a token object diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index 18fb5d25ad..9c2e0740b7 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Create global objects diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md index e5d58fc80d..8e28020f73 100644 --- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Create permanent shared objects diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index 970e2ddfd7..d0a05e5cde 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Create symbolic links diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 6426a749bf..784e63d190 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -4,7 +4,6 @@ description: Learn about best practices and more for the syntax policy setting, ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 5accd3bbbc..6f20c35a59 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -4,7 +4,6 @@ description: Best practices and more for the security policy setting, DCOM Machi ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md index c65db98a6f..f0d787d7a9 100644 --- a/windows/security/threat-protection/security-policy-settings/debug-programs.md +++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Debug programs diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index 09c0633dea..446fad10ca 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 05/19/2021 -ms.technology: itpro-security --- # Deny access to this computer from the network diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index c4bc52c008..49ad4d216d 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Deny log on as a batch job diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index 7bdd2075ca..d2a042c022 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f1114964-df86-4278-9b11-e35c66949794 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Deny log on as a service diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md index 263496c85d..709c72bee4 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Deny log on locally diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index 24e896eb79..c6dfb97ab1 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Deny log on through Remote Desktop Services diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index abbf2b5679..a2514e41a3 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Devices: Allow undock without having to log on diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index c2b35adf67..515856c7f7 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Devices: Allowed to format and eject removable media diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 9a909d447c..9590fbf54b 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 01/05/2022 -ms.technology: itpro-security --- # Devices: Prevent users from installing printer drivers diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index 30a9097f46..5ccf446d9e 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Devices: Restrict CD-ROM access to locally logged-on user only diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index 0a4d6c2250..b4a13d2337 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 92997910-da95-4c03-ae6f-832915423898 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Devices: Restrict floppy access to locally logged-on user only diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md index 8d5b95d46a..2757a09e31 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -3,13 +3,11 @@ title: Domain controller Allow server operators to schedule tasks description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Domain controller: Allow server operators to schedule tasks diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md index af6812e273..ecf16ca65c 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md @@ -3,13 +3,11 @@ title: Domain controller LDAP server channel binding token requirements description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server channel binding token requirements security policy setting. ms.reviewer: waynmc ms.author: waynmc -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz ms.topic: reference ms.date: 04/26/2023 -ms.technology: itpro-security --- # Domain controller: LDAP server channel binding token requirements diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 0745e54ec3..b46d83e1d6 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -3,13 +3,11 @@ title: Domain controller LDAP server signing requirements description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Domain controller: LDAP server signing requirements diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index dcc3e3be66..453dae2c04 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -3,12 +3,10 @@ title: Refuse machine account password changes policy description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz ms.topic: reference -ms.technology: itpro-security ms.date: 12/31/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index 820c7facca..00874bb080 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -4,7 +4,6 @@ description: Best practices, location, values, and security considerations for t ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Domain member: Digitally encrypt or sign secure channel data (always) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 0086d01e2c..d66e753fe4 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Domain member: Digitally encrypt secure channel data (when possible) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md index cadfa2282e..07861eeed3 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -4,7 +4,6 @@ description: Best practices, location, values, and security considerations for t ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Domain member: Digitally sign secure channel data (when possible) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index 324f36b008..83bc426b58 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 06/27/2019 -ms.technology: itpro-security --- # Domain member: Disable machine account password changes diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index 278f2854fa..b5f6a01f3e 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 05/29/2020 -ms.technology: itpro-security --- # Domain member: Maximum machine account password age diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index 5f03addc62..e0b22d6cf2 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -4,7 +4,6 @@ description: Best practices, location, values, and security considerations for t ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Domain member: Require strong (Windows 2000 or later) session key diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index 2580f51ed8..ca2112846d 100644 --- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -4,7 +4,6 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Enable computer and user accounts to be trusted for delegation diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md index b2b87b7314..ed174c38a8 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Enforce password history diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md index faf39c7570..5879883e45 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Enforce user logon restrictions diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md index fbf329985c..e2e2fbba6b 100644 --- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md +++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Force shutdown from a remote system diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md index 9b9ab36731..a9c54c538d 100644 --- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Generate security audits diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 918c634443..59a5523281 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Impersonate a client after authentication diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md index b383d4e733..f65a5700dd 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md +++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Increase a process working set diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index e0afba5ecc..156b06d265 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 2/6/2020 -ms.technology: itpro-security --- # Increase scheduling priority diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index 6b6a223a3c..2f420b21cf 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Interactive logon: Display user information when the session is locked diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md index 6d7880e8fe..66d276bacf 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md @@ -1,7 +1,6 @@ --- title: Interactive logon Don't display last signed-in description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display last user name security policy setting. -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,7 +12,6 @@ ms.topic: reference ms.date: 04/19/2017 ms.reviewer: ms.author: vinpa -ms.technology: itpro-security --- # Interactive logon: Don't display last signed-in diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index a13d25cd15..ab27093a1c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Interactive logon: Do not require CTRL+ALT+DEL diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md index 85cca7c7f1..05151970da 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Interactive logon: Don't display username at sign-in diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index a9c3a468db..fba7a86ac4 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -4,7 +4,6 @@ description: Best practices, location, values, management, and security consider ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Interactive logon: Machine account lockout threshold diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index 499c8ea921..93e24a9961 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, management, and sec ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 09/18/2018 -ms.technology: itpro-security --- # Interactive logon: Machine inactivity limit diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 9ea2643a8c..cc406c3e45 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -4,7 +4,6 @@ description: Learn about best practices, security considerations and more for th ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Interactive logon: Message text for users attempting to log on diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index f97c4515e8..20776c7140 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Interactive logon: Message title for users attempting to log on diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 60159d1dd5..3817c2a334 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -4,7 +4,6 @@ description: Best practices and more for the security policy setting, Interactiv ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 08/27/2018 -ms.technology: itpro-security --- # Interactive logon: Number of previous logons to cache (in case domain controller is not available) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 1c2bd90367..14eb3e7e3a 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -4,7 +4,6 @@ description: Best practices and security considerations for an interactive log-o ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Interactive log on: Prompt the user to change passwords before expiration diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 12c079fced..2249b7889f 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -4,7 +4,6 @@ description: Best practices security considerations, and more for the policy set ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Interactive logon: Require Domain Controller authentication to unlock workstation diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index 7175af2912..fab0a761f3 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -5,8 +5,6 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.reviewer: -ms.prod: windows-client -ms.technology: itpro-security ms.localizationpriority: medium ms.topic: reference ms.date: 01/13/2023 diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index 4ae503eb5d..3101ddf604 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Interactive logon: Smart card removal behavior diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md index c8b07ad5e2..b2d778abd6 100644 --- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md +++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md @@ -4,7 +4,6 @@ description: Describes the Kerberos Policy settings and provides links to policy ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Kerberos Policy diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md index 7a97507fb3..f51292c134 100644 --- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 66262532-c610-470c-9792-35ff4389430f ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Load and unload device drivers diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md index 6be9e7a10f..8efc6d6d5e 100644 --- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md +++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Lock pages in memory diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index cd62546d27..9be27bb7d6 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Log on as a batch job diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md index f96d6aad98..b9d7dcc0af 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Log on as a service diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md index 180e73d52d..eae4a7c4b6 100644 --- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md +++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Manage auditing and security log diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md index a750dcb65c..e7ac39b82a 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Maximum lifetime for service ticket diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md index 6dc4d1607b..6d0137547d 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Maximum lifetime for user ticket renewal diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index 238e860228..3cc212c913 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Maximum lifetime for user ticket diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index a416e4543c..2bd4c4aa31 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Maximum password age diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index fd26c1fd58..164df232e6 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management, and security c ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Maximum tolerance for computer clock synchronization diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 687a39281d..658dc72de2 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -4,11 +4,9 @@ description: Best practices and security considerations for the Microsoft netwo ms.reviewer: manager: aaroncz ms.author: vinpa -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 01/13/2023 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index a3d215db1a..de1a65cacc 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -4,7 +4,6 @@ description: Learn about best practices and more for the security policy setting ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index e79a912300..7add3c22bb 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Microsoft network server: Amount of idle time required before suspending session diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index 8fcc7102c7..e9667f8aeb 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -4,7 +4,6 @@ description: Learn about the security policy setting, Microsoft network server A ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Microsoft network server: Attempt S4U2Self to obtain claim information diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index 030123cf61..afe2dc3cac 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -5,8 +5,6 @@ author: vinaypamnani-msft ms.author: vinpa ms.reviewer: manager: aaroncz -ms.prod: windows-client -ms.technology: itpro-security ms.localizationpriority: medium ms.topic: reference ms.date: 01/13/2023 diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index b7f738611b..f502ed6336 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md @@ -4,7 +4,6 @@ description: Best practices, location, values, and security considerations for t ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Microsoft network server: Disconnect clients when sign-in hours expire diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md index c10cf64969..2d618461c5 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Microsoft network server: Server SPN target name validation level diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 67cf3aac2e..4922c645e8 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -5,14 +5,12 @@ ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161 ms.reviewer: manager: aaroncz ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 11/13/2018 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index d264ff4033..f6edea308a 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 03/30/2022 -ms.technology: itpro-security --- # Minimum password length diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md index e3f1d6decd..dbd4f943f7 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md +++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Modify an object label diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md index 5a2d90eb2c..58d6be0e68 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md +++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Modify firmware environment values diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md index 16e357e6c1..e0d4fc62d5 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management and security co ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Allow anonymous SID/Name translation diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index 9f3219cb41..50e1eddf2c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -4,7 +4,6 @@ description: Learn about best practices and more for the security policy setting ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Do not allow anonymous enumeration of SAM accounts and shares diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index e737e440d1..4eb9c91bd1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Do not allow anonymous enumeration of SAM accounts diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 07e8b5d1cb..2787a6af79 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -4,7 +4,6 @@ description: Learn about best practices and more for the security policy setting ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 07/01/2021 -ms.technology: itpro-security --- # Network access: Do not allow storage of passwords and credentials for network authentication diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 65f3d3d7c6..eba40fa8db 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -4,7 +4,6 @@ description: Learn about best practices, security considerations and more for th ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Let Everyone permissions apply to anonymous users diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md index 311f70c3ef..c43a8bc781 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -4,7 +4,6 @@ description: Describes best practices, security considerations and more for the ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Named Pipes that can be accessed anonymously diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md index 12988a2e90..ca04da80eb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -4,7 +4,6 @@ description: Describes best practices, location, values, and security considerat ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Remotely accessible registry paths and subpaths diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md index 3a1924da9a..b7cd9c9122 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management and security co ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Remotely accessible registry paths diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index e45ad66787..048ad3f0b8 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Restrict anonymous access to Named Pipes and Shares diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index 587ae7e3a5..cf13b74c2e 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -1,8 +1,6 @@ --- title: Network access - Restrict clients allowed to make remote calls to SAM description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. -ms.prod: windows-client -ms.technology: itpro-security ms.localizationpriority: medium ms.date: 09/17/2018 author: vinaypamnani-msft diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md index 57882060a6..d4d2161114 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md @@ -4,7 +4,6 @@ description: Learn about best practices, security considerations, and more for t ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Shares that can be accessed anonymously diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md index 9665aaaaf7..3e5ed1f57e 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network access: Sharing and security model for local accounts diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md index 04167671df..36e4ff299e 100644 --- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md +++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md @@ -4,7 +4,6 @@ description: Network List Manager policies are security settings that configure ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network List Manager policies diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 509602f606..9d920c4925 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -4,7 +4,6 @@ description: Location, values, policy management, and security considerations fo ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 10/04/2021 -ms.technology: itpro-security --- # Network security: Allow Local System to use computer identity for NTLM diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md index 02d157f8db..db63f8cfbc 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Allow LocalSystem NULL session fallback diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 202d37d4e5..9ebd32dab8 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -4,7 +4,6 @@ description: Best practices for the Network Security Allow PKU2U authentication ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 01/03/2022 -ms.technology: itpro-security --- # Network security: Allow PKU2U authentication requests to this computer to use online identities diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 5e1c37d2b4..dddf04ec16 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -3,7 +3,6 @@ title: Network security Configure encryption types allowed for Kerberos description: Best practices, location, values and security considerations for the policy setting, Network security Configure encryption types allowed for Kerberos Win7 only. ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz @@ -12,7 +11,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Configure encryption types allowed for Kerberos diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index c708a656d1..a421232bf4 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Do not store LAN Manager hash value on next password change diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index 665eee915f..7af8f09acd 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Force logoff when logon hours expire diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index 57246a6f27..806700542f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management and security co ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: LAN Manager authentication level diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md index 2199e96b47..1c8757c3f8 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management and security co ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: LDAP client signing requirements diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index 5bda79521f..5c12f9b876 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md @@ -4,7 +4,6 @@ description: Best practices and more for the security policy setting, Network se ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 07/27/2017 -ms.technology: itpro-security --- # Network security: Minimum session security for NTLM SSP based (including secure RPC) clients diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index ebae59999d..952c7a8873 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -4,7 +4,6 @@ description: Best practices and security considerations for the policy setting, ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Minimum session security for NTLM SSP based (including secure RPC) servers diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index b0e28dc0b1..bc6bb0004a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index b6aa571487..fe6fa9e00a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Restrict NTLM: Add server exceptions in this domain diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index c81152a791..23ba1014a2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -4,7 +4,6 @@ description: Best practices, security considerations and more for the security p ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Restrict NTLM: Audit incoming NTLM traffic diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index f79dd47f62..533e169c84 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -3,13 +3,11 @@ title: Network security Restrict NTLM Audit NTLM authentication in this domain description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Audit NTLM authentication in this domain. ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Restrict NTLM: Audit NTLM authentication in this domain diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 5f964c33cc..9432404d9c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Network security: Restrict NTLM: Incoming NTLM traffic diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 8b9e4f8973..039bfedb88 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -3,12 +3,10 @@ title: Network security Restrict NTLM in this domain description: Learn about best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM NTLM authentication in this domain. ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz ms.topic: reference -ms.technology: itpro-security ms.date: 12/31/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 4869db61ec..fe152c8d75 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -4,7 +4,6 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 06/15/2022 -ms.technology: itpro-security --- # Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md index 1d6e578b5c..c9050c5e21 100644 --- a/windows/security/threat-protection/security-policy-settings/password-policy.md +++ b/windows/security/threat-protection/security-policy-settings/password-policy.md @@ -4,7 +4,6 @@ description: An overview of password policies for Windows and links to informati ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Password Policy diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md index 15ffdec99c..5f1bb7b6cd 100644 --- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Perform volume maintenance tasks diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index 2bdc87455f..565b612a6f 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Profile single process diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index 6be8f9269b..f0af56ab38 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management, and security c ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Profile system performance diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index 590b49f09b..55d2e7660d 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -4,7 +4,6 @@ description: Best practices, location, values, policy management, and security c ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Recovery console: Allow automatic administrative logon diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 08ca6beb3f..10304c2de7 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Recovery console: Allow floppy copy and access to all drives and folders diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md index 253213f2c1..d7f19e7b40 100644 --- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md +++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Remove computer from docking station - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md index d180d2acea..139239d715 100644 --- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md +++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Replace a process level token diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index 44c6716d50..83a1004c87 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 11/02/2018 -ms.technology: itpro-security --- # Reset account lockout counter after diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md index f970ac8154..85b208bd22 100644 --- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Restore files and directories - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md index 78ea3fcb09..ebfd260fab 100644 --- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md @@ -4,7 +4,6 @@ description: Provides information about the advanced security audit policy setti ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Advanced security audit policy settings for Windows 10 diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index de522cb6d3..2872bdad4b 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -4,11 +4,9 @@ description: Introduction to the Security Options settings of the local security ms.reviewer: manager: aaroncz ms.author: vinpa -ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 01/13/2023 -ms.technology: itpro-security ms.topic: reference --- diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index 9db7d59a20..a6167efac3 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md @@ -4,7 +4,6 @@ description: This reference of security settings provides information about how ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Security policy settings reference diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 062aa06d3d..7c394d7e01 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -4,7 +4,6 @@ description: This reference topic describes the common scenarios, architecture, ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Security policy settings diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index def26ab7ef..24628a2de8 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Shut down the system - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index 672e91297b..86b9b4dfd8 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Shutdown: Allow system to be shut down without having to log on diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index b40140dc0f..da640b385d 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management a ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 08/01/2017 -ms.technology: itpro-security --- # Shutdown: Clear virtual memory pagefile diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index 6b4584688f..30ba31a152 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Store passwords using reversible encryption diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md index 6744567fe3..b5cbe5f54e 100644 --- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md +++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Synchronize directory service data diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index 597b9027a0..b72384f5df 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # System cryptography: Force strong key protection for user keys stored on the computer diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index d660ac1952..2c4c5679ce 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 11/16/2018 -ms.technology: itpro-security --- # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index 3694fe2434..1f8e7eadab 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -4,7 +4,6 @@ description: Best practices, security considerations and more for the security p ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # System objects: Require case insensitivity for non-Windows subsystems diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 8358279b2d..2045194c25 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -4,7 +4,6 @@ description: Best practices and more for the security policy setting, System obj ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index ef7ca4315a..b33abc4d19 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # System settings: Optional subsystems diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index fee999b57a..61df619542 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -4,7 +4,6 @@ description: Best practices and more for the security policy setting, System set ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # System settings: Use certificate rules on Windows executables for Software Restriction Policies diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md index 39152767a9..1563e3d995 100644 --- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md +++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md @@ -4,7 +4,6 @@ description: Describes the best practices, location, values, policy management, ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # Take ownership of files or other objects diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 58989112e3..1dbf68c41d 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/08/2017 -ms.technology: itpro-security --- # User Account Control: Admin Approval Mode for the Built-in Administrator account diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index eb9a42ffeb..4452ee2e72 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -4,7 +4,6 @@ description: Best practices and more for the policy setting, User Account Contro ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 8acd28314d..ba2ac6f92a 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -4,7 +4,6 @@ description: Best practices and more for the security policy setting, User Accou ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 09/08/2017 -ms.technology: itpro-security --- # User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 6a471c51bb..f4ef816fc7 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -2,12 +2,10 @@ title: Behavior of the elevation prompt for standard users description: Learn about best practices, security considerations, and more for the policy setting, User Account Control Behavior of the elevation prompt for standard users. ms.author: vinpa -ms.prod: windows-client author: vinaypamnani-msft manager: aaroncz ms.topic: reference ms.date: 01/18/2023 -ms.technology: itpro-security --- # User Account Control: Behavior of the elevation prompt for standard users diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md index ea22f7f177..4456c3de17 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -4,7 +4,6 @@ description: Learn about best practices and more for the security policy setting ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # User Account Control: Detect application installations and prompt for elevation diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 92d124a4f7..ace44a281a 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the security ms.assetid: 64950a95-6985-4db6-9905-1db18557352d ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # User Account Control: Only elevate executables that are signed and validated diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 4aad366985..68167d5fe5 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -4,7 +4,6 @@ description: Learn about best practices and more for the policy setting, User Ac ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # User Account Control: Only elevate UIAccess applications that are installed in secure locations diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index 97d8752204..f8aa1b8eec 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -4,7 +4,6 @@ description: Learn about best practices, security considerations and more for th ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # User Account Control: Run all administrators in Admin Approval Mode diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 9059607fe2..97f904064a 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -4,7 +4,6 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # User Account Control: Switch to the secure desktop when prompting for elevation diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index adb9f83c7e..eb289356c6 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -4,7 +4,6 @@ description: Best practices, security considerations and more for the policy set ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +13,6 @@ manager: aaroncz audience: ITPro ms.topic: reference ms.date: 04/19/2017 -ms.technology: itpro-security --- # User Account Control: Virtualize file and registry write failures to per-user locations diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 3ca31c4fe8..0ce9074142 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -4,7 +4,6 @@ description: Provides an overview and links to information about the User Rights ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5 ms.reviewer: ms.author: vinpa -ms.prod: windows-client ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,7 +16,6 @@ ms.collection: - tier3 ms.topic: reference ms.date: 12/16/2021 -ms.technology: itpro-security --- # User Rights Assignment diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index c40a04c723..7ad2200658 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -26,10 +26,6 @@ href: whats-new-windows-10-version-22H2.md - name: What's new in Windows 10, version 21H2 href: whats-new-windows-10-version-21H2.md - - name: What's new in Windows 10, version 21H1 - href: whats-new-windows-10-version-21H1.md - - name: What's new in Windows 10, version 20H2 - href: whats-new-windows-10-version-20H2.md - name: Windows commercial licensing overview href: windows-licensing.md - name: Deprecated and removed Windows features diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md index 6b07079c0f..31d2f8b2ba 100644 --- a/windows/whats-new/deprecated-features-resources.md +++ b/windows/whats-new/deprecated-features-resources.md @@ -2,8 +2,8 @@ title: Resources for deprecated features in the Windows client description: Resources and details for deprecated features in the Windows client. ms.date: 10/09/2023 -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.localizationpriority: medium author: mestew ms.author: mstewart diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index a612bfb38e..6a3a4809db 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -1,9 +1,9 @@ --- title: Deprecated features in the Windows client description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11. -ms.date: 12/20/2023 -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.date: 01/26/2024 +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.localizationpriority: medium author: mestew ms.author: mstewart @@ -47,7 +47,7 @@ The features in this article are no longer being actively developed, and might b | Feature | Details and mitigation | Deprecation announced | |---|---|---| -| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in a future release of Windows. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, and [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality) and Steam VR Beta. | December 2023 | +| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in a future release of Windows. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, and [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality) and Steam VR Beta.

        As of November 1, 2026, for consumer editions of Windows and November 1, 2027 for commercial editions of Windows, Windows Mixed Reality will no longer be available for download via the Mixed Reality Portal app, Windows Mixed Reality for SteamVR, and Steam VR beta, and we'll discontinue support. At that time, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. Existing Windows Mixed Reality devices will continue to work with Steam until users upgrade to a version of Windows that doesn't include Windows Mixed Reality.

        This deprecation doesn't impact HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 | | Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. | December 2023 | | Legacy console mode | The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 | | Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 | @@ -69,7 +69,7 @@ The features in this article are no longer being actively developed, and might b | Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).

        For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 | | BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
        Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.
        The following items might not be available in a future release of Windows client:
        - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
        - Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
        - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
        - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 | -| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself isn't affected. | 21H1 | +| Windows Management Instrumentation command-line (WMIC) utility. | The WMIC utility is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This utility is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation applies to only the [command-line management utility](/windows/win32/wmisdk/wmic). WMI itself isn't affected.

        **[Update - January 2024]**: Currently, WMIC is a Feature on Demand (FoD) that's [preinstalled by default](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#wmic) in Windows 11, versions 23H2 and 22H2. In the next release of Windows, the WMIC FoD will be disabled by default. | 21H1 | | Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you can't upload new activity in Timeline. For more information, see [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 | | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | | Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | @@ -81,7 +81,6 @@ The features in this article are no longer being actively developed, and might b | XDDM-based remote display driver | The Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which aren't as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | -| Windows To Go | Windows To Go is no longer being developed.

        The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 | | Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 | |Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 | |OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 | diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md index 01fdfd6394..de53336b4b 100644 --- a/windows/whats-new/extended-security-updates.md +++ b/windows/whats-new/extended-security-updates.md @@ -1,8 +1,8 @@ --- title: Extended Security Updates (ESU) program for Windows 10 description: Learn about the Extended Security Updates (ESU) program for Windows 10. The ESU program gives customers the option to receive security updates for Windows 10. -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.author: mstewart author: mestew manager: aaroncz diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md index 0c963dd3b4..9c928556e8 100644 --- a/windows/whats-new/feature-lifecycle.md +++ b/windows/whats-new/feature-lifecycle.md @@ -1,13 +1,13 @@ --- title: Windows client features lifecycle description: Learn about the lifecycle of Windows features, as well as features that are no longer developed, removed features, and terminology assigned to a feature. -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: mestew manager: aaroncz ms.author: mstewart ms.topic: conceptual -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 12/15/2023 ms.collection: - highpri diff --git a/windows/whats-new/images/1_AppBrowser.png b/windows/whats-new/images/1_AppBrowser.png deleted file mode 100644 index 6e1f32e389..0000000000 Binary files a/windows/whats-new/images/1_AppBrowser.png and /dev/null differ diff --git a/windows/whats-new/images/2_InstallWDAG.png b/windows/whats-new/images/2_InstallWDAG.png deleted file mode 100644 index e45f714a35..0000000000 Binary files a/windows/whats-new/images/2_InstallWDAG.png and /dev/null differ diff --git a/windows/whats-new/images/3_ChangeSettings.png b/windows/whats-new/images/3_ChangeSettings.png deleted file mode 100644 index 968eb0c3c0..0000000000 Binary files a/windows/whats-new/images/3_ChangeSettings.png and /dev/null differ diff --git a/windows/whats-new/images/4_ViewSettings.jpg b/windows/whats-new/images/4_ViewSettings.jpg deleted file mode 100644 index 72ee4db754..0000000000 Binary files a/windows/whats-new/images/4_ViewSettings.jpg and /dev/null differ diff --git a/windows/whats-new/images/Multi-app_kiosk_inFrame.png b/windows/whats-new/images/Multi-app_kiosk_inFrame.png deleted file mode 100644 index 9dd28db197..0000000000 Binary files a/windows/whats-new/images/Multi-app_kiosk_inFrame.png and /dev/null differ diff --git a/windows/whats-new/images/Normal_inFrame.png b/windows/whats-new/images/Normal_inFrame.png deleted file mode 100644 index 8d0559d0ee..0000000000 Binary files a/windows/whats-new/images/Normal_inFrame.png and /dev/null differ diff --git a/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png deleted file mode 100644 index a7b20a039c..0000000000 Binary files a/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png and /dev/null differ diff --git a/windows/whats-new/images/beaming.png b/windows/whats-new/images/beaming.png deleted file mode 100644 index 096c1d43f4..0000000000 Binary files a/windows/whats-new/images/beaming.png and /dev/null differ diff --git a/windows/whats-new/images/kiosk-mode.PNG b/windows/whats-new/images/kiosk-mode.PNG deleted file mode 100644 index 57c420a9c2..0000000000 Binary files a/windows/whats-new/images/kiosk-mode.PNG and /dev/null differ diff --git a/windows/whats-new/images/system-guard.png b/windows/whats-new/images/system-guard.png deleted file mode 100644 index 586f63d4da..0000000000 Binary files a/windows/whats-new/images/system-guard.png and /dev/null differ diff --git a/windows/whats-new/images/system-guard2.png b/windows/whats-new/images/system-guard2.png deleted file mode 100644 index 5505ffa78c..0000000000 Binary files a/windows/whats-new/images/system-guard2.png and /dev/null differ diff --git a/windows/whats-new/images/wcd-cleanpc.PNG b/windows/whats-new/images/wcd-cleanpc.PNG deleted file mode 100644 index 434eb55cb0..0000000000 Binary files a/windows/whats-new/images/wcd-cleanpc.PNG and /dev/null differ diff --git a/windows/whats-new/images/wcd-options.png b/windows/whats-new/images/wcd-options.png deleted file mode 100644 index b3d998ba1b..0000000000 Binary files a/windows/whats-new/images/wcd-options.png and /dev/null differ diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png b/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png deleted file mode 100644 index 3d018c0bda..0000000000 Binary files a/windows/whats-new/images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png and /dev/null differ diff --git a/windows/whats-new/images/your-phone.png b/windows/whats-new/images/your-phone.png deleted file mode 100644 index 708c6c004a..0000000000 Binary files a/windows/whats-new/images/your-phone.png and /dev/null differ diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index c34ac91e0d..4bb62bd59c 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -6,8 +6,8 @@ summary: Find out about new features and capabilities in the latest release of W metadata: title: What's new in Windows description: Find out about new features and capabilities in the latest release of Windows client for IT professionals. - ms.prod: windows-client - ms.technology: itpro-fundamentals + ms.service: windows-client + ms.subservice: itpro-fundamentals ms.topic: landing-page ms.collection: - highpri diff --git a/windows/whats-new/ltsc/index.yml b/windows/whats-new/ltsc/index.yml index aecd90e01a..64c7cef9df 100644 --- a/windows/whats-new/ltsc/index.yml +++ b/windows/whats-new/ltsc/index.yml @@ -6,8 +6,8 @@ summary: Find out about new features and capabilities in the latest release of W metadata: title: What's new in Windows 10 Enterprise LTSC description: Find out about new features and capabilities in the latest release of Windows 10 Enterprise LTSC for IT professionals. - ms.prod: windows-client - ms.technology: itpro-fundamentals + ms.service: windows-client + ms.subservice: itpro-fundamentals ms.topic: landing-page ms.collection: - highpri diff --git a/windows/whats-new/ltsc/overview.md b/windows/whats-new/ltsc/overview.md index 77fdc1e229..881b172f79 100644 --- a/windows/whats-new/ltsc/overview.md +++ b/windows/whats-new/ltsc/overview.md @@ -1,13 +1,13 @@ --- title: Windows 10 Enterprise LTSC overview description: An overview of the Windows 10 long-term servicing channel (LTSC). -ms.prod: windows-client +ms.service: windows-client author: mestew ms.author: mstewart manager: aaroncz ms.localizationpriority: low ms.topic: overview -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 12/18/2023 appliesto: - ✅ Windows 10 Enterprise LTSC diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 66b1088247..5679770b95 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -3,11 +3,11 @@ title: What's new in Windows 10 Enterprise LTSC 2015 manager: aaroncz ms.author: mstewart description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB). -ms.prod: windows-client +ms.service: windows-client author: mestew ms.localizationpriority: low ms.topic: conceptual -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 12/18/2023 appliesto: - ✅ Windows 10 Enterprise LTSC 2015 diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 9a932a1ef1..fa69dc65cd 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -3,11 +3,11 @@ title: What's new in Windows 10 Enterprise LTSC 2016 manager: aaroncz ms.author: mstewart description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB). -ms.prod: windows-client +ms.service: windows-client author: mestew ms.localizationpriority: low ms.topic: conceptual -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 12/18/2023 appliesto: - ✅ Windows 10 Enterprise LTSC 2016 diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 2221b4ab44..b2e12eaf4c 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -3,11 +3,11 @@ title: What's new in Windows 10 Enterprise LTSC 2019 manager: aaroncz ms.author: mstewart description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB). -ms.prod: windows-client +ms.service: windows-client author: mestew ms.localizationpriority: medium ms.topic: conceptual -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 12/18/2023 appliesto: - ✅ Windows 10 Enterprise LTSC 2019 diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index ab677b2b33..b7f6c2c73f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -3,11 +3,11 @@ title: What's new in Windows 10 Enterprise LTSC 2021 manager: aaroncz ms.author: mstewart description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021. -ms.prod: windows-client +ms.service: windows-client author: mestew ms.localizationpriority: high ms.topic: conceptual -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 12/18/2023 appliesto: - ✅ Windows 10 Enterprise LTSC 2021 diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md index d837c8fa8c..e9d3a16d2c 100644 --- a/windows/whats-new/removed-features.md +++ b/windows/whats-new/removed-features.md @@ -1,14 +1,14 @@ --- title: Features and functionality removed in Windows client description: In this article, learn about the features and functionality that have been removed or replaced in Windows client. -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium author: mestew ms.author: mstewart manager: aaroncz ms.topic: conceptual -ms.technology: itpro-fundamentals -ms.date: 01/05/2023 +ms.subservice: itpro-fundamentals +ms.date: 01/30/2024 ms.collection: - highpri - tier1 @@ -39,31 +39,31 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Support removed | | ----------- | --------------------- | ------ | | Update Compliance | Update Compliance, a cloud-based service for the Windows client, is retired. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | March 31, 2023 | -| Store uploader tool | Support has been removed for the store uploader tool. This tool is included in the Windows SDK only. The endpoint for the tool has been removed from service and the files will be removed from the SDK in the next release. | November, 2022 | +| Store uploader tool | Support has been removed for the store uploader tool. This tool is included in the Windows SDK only. The endpoint for the tool has been removed from service and the files will be removed from the SDK in the next release. | November 2022 | | Internet Explorer 11 | The Internet Explorer 11 desktop application is [retired and out of support](https://aka.ms/IEJune15Blog) as of June 15, 2022 for certain versions of Windows 10. You can still access older, legacy sites that require Internet Explorer with Internet Explorer mode in Microsoft Edge. [Learn how](https://aka.ms/IEmodewebsite). The Internet Explorer 11 desktop application will progressively redirect to the faster, more secure Microsoft Edge browser, and will ultimately be disabled via Windows Update. [Disable IE today](/deployedge/edge-ie-disable-ie11). | June 15, 2022 | -| XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 | +| XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Software publishers that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 | |Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](/lifecycle/announcements/edge-legacy-eos-details). | 21H1 | |MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 | | Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, select **Settings** > **Apps** > **Optional features** > **Add a feature**, and then install the **Wireless Display** app. | 2004 | | Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 | | Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | | Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | -| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 | -| PNRP APIs| ​The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We're planning to complete the removal process by removing the corresponding APIs. | 1909 | +| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for noncellular devices.| 2004 | +| PNRP APIs| The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We're planning to complete the removal process by removing the corresponding APIs. | 1909 | | Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 | | Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you'll only be able to access messages from the device that received the message. | 1903 | -|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 | +|Business Scanning also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 | |[FontSmoothing setting](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting lets you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it will be ignored.| 1809 | |Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or HoloLens with the Mixed Reality Viewer.| 1809 | |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 | |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 | -|Future updates through [Windows Embedded Developer Update](/previous-versions/windows/embedded/ff770079(v=winembedded.60)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We're no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 | +|Future updates through [Windows Embedded Developer Update](/previous-versions/windows/embedded/ff770079(v=winembedded.60)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We're no longer publishing new updates to the WEDU server. Instead, download any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 | |Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 | |People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 | |Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 | |HomeGroup|We're removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

        When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

        Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
        - [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
        - [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 | -|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

        However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](/windows/application-management/add-apps-and-features) or through [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 | +|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

        However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you can [install XPS Viewer from **Apps and Features** in the Settings app](/windows/application-management/add-apps-and-features) or through [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 | |3D Builder app | No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store.| 1709 | |Apndatabase.xml | For more information about the replacement database, see the following Hardware Dev Center articles:
        [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
        [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | 1709 | |Enhanced Mitigation Experience Toolkit (EMET) |Use of this feature will be blocked. Consider using [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/) as a replacement. | 1709 | diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md index ba0ca795c1..d79c353526 100644 --- a/windows/whats-new/temporary-enterprise-feature-control.md +++ b/windows/whats-new/temporary-enterprise-feature-control.md @@ -1,8 +1,8 @@ --- title: Enterprise feature control in Windows 11 description: Learn about the Windows 11 features behind temporary enterprise feature control and permanent feature control. -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.author: mstewart author: mestew manager: aaroncz diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md deleted file mode 100644 index 02ecc6cade..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ /dev/null @@ -1,355 +0,0 @@ ---- -title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) -description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511)? -ms.prod: windows-client -author: mestew -manager: aaroncz -ms.author: mstewart -ms.localizationpriority: medium -ms.topic: article -ROBOTS: NOINDEX -ms.technology: itpro-fundamentals -ms.date: 12/31/2017 ---- - -# What's new in Windows 10, versions 1507 and 1511 for IT Pros - -Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511. - ->[!NOTE] ->For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). - - -## Deployment - -### Provisioning devices using Windows Imaging and Configuration Designer (ICD) - -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. An IT administrator using Windows Provisioning can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. - -[Learn more about provisioning in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) - - -## Security - -### AppLocker - -#### New AppLocker features in Windows 10, version 1507 - -- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this parameter, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server. - -[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). - -### BitLocker - -#### New BitLocker features in Windows 10, version 1511 - -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides extra protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. - It provides the following benefits: - - The algorithm is FIPS-compliant. - - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - -> [!NOTE] -> Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. - -#### New BitLocker features in Windows 10, version 1507 - - - -- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This escrow will make it easier to recover your BitLocker key online. -- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. -- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings." - -[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview). - -### Credential Guard - -#### New Credential Guard features in Windows 10, version 1511 - -- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations: - - Credentials that are saved by the Remote Desktop Protocol can't be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials. - - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials. - - You can't restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this backup before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. -- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This setting allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can do this configuration by using Group Policy. -- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg can't delegate default credentials when Credential Guard is enabled. - -[Learn how to deploy and manage Credential Guard within your organization](/windows/access-protection/credential-guard/credential-guard). - -### Easier certificate management - - -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. - -### Microsoft Passport - -In Windows 10, [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. - -Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. - -### Security auditing - -#### New Security auditing features in Windows 10, version 1511 - -- The [WindowsSecurityAuditing](/windows/client-management/mdm/windowssecurityauditing-csp) and [Reporting](/windows/client-management/mdm/reporting-csp) configuration service providers allow you to add security audit policies to mobile devices. - -#### New features in Windows 10, version 1507 - -In Windows 10, security auditing has added some improvements: -- [New audit subcategories](#bkmk-auditsubcat) -- [More info added to existing audit events](#bkmk-moreinfo) - -##### New audit subcategories - -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's sign-in token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful sign-in. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information can't fit in a single security audit event. -- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play. - A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. - -##### More info added to existing audit events - -With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: -- [Changed the kernel default audit policy](#bkmk-kdal) -- [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the sign-in event](#bkmk-logon) -- [Added new fields in the process creation event](#bkmk-logon) -- [Added new Security Account Manager events](#bkmk-sam) -- [Added new BCD events](#bkmk-bcd) -- [Added new PNP events](#bkmk-pnp) - -##### Changed the kernel default audit policy - -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This setting results in better auditing of services that may start before LSA starts. - -##### Added a default process SACL to LSASS.exe - -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is `L"S:(AU;SAFA;0x0010;;;WD)"`. You can enable this process under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This process can help identify attacks that steal credentials from the memory of a process. - -##### New fields in the sign-in event - -The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: -1. **MachineLogon** String: yes or no - If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. -2. **ElevatedToken** String: yes or no - If an account signed in to the PC through the "administrative sign-in" method, this field will be yes. Otherwise, the field is no. Additionally, if this field is part of a split token, the linked sign-in ID (LSAP\_LOGON\_SESSION) will also be shown. -3. **TargetOutboundUserName** String - **TargetOutboundUserDomain** String - The username and domain of the identity that was created by the LogonUser method for outbound traffic. -4. **VirtualAccount** String: yes or no - If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. -5. **GroupMembership** String - A list of all of the groups in the user's token. -6. **RestrictedAdminMode** String: yes or no - If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. - For more information about restricted admin mode, see [Restricted Admin mode for RDP](/archive/blogs/kfalde/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2). - -##### New fields in the process creation event - -The sign-in event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: -1. **TargetUserSid** String - The SID of the target principal. -2. **TargetUserName** String - The account name of the target user. -3. **TargetDomainName** String - The domain of the target user.. -4. **TargetLogonId** String - The sign-in ID of the target user. -5. **ParentProcessName** String - The name of the creator process. -6. **ParentProcessId** String - A pointer to the actual parent process if it's different from the creator process. - -##### New Security Account Manager events - -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: -- SamrEnumerateGroupsInDomain -- SamrEnumerateUsersInDomain -- SamrEnumerateAliasesInDomain -- SamrGetAliasMembership -- SamrLookupNamesInDomain -- SamrLookupIdsInDomain -- SamrQueryInformationUser -- SamrQueryInformationGroup -- SamrQueryInformationUserAlias -- SamrGetMembersInGroup -- SamrGetMembersInAlias -- SamrGetUserDomainPasswordInformation - -##### New BCD events - -Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): -- DEP/NEX settings -- Test signing -- PCAT SB simulation -- Debug -- Boot debug -- Integrity Services -- Disable Winload debugging menu - -##### New PNP events - -Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. - -[Learn how to manage your security audit policies within your organization](/windows/security/threat-protection/auditing/security-auditing-overview). - -### Trusted Platform Module - -#### New TPM features in Windows 10, version 1511 - -- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). - -#### New TPM features in Windows 10, version 1507 - -The following sections describe the new and changed functionality in the TPM for Windows 10: -- [Device health attestation](#bkmk-dha) -- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support -- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support -- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support - -### Device health attestation - -Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. -Some things that you can check on the device are: -- Is Data Execution Prevention supported and enabled? -- Is BitLocker Drive Encryption supported and enabled? -- Is SecureBoot supported and enabled? - ->[!NOTE] ->The device must be running Windows 10 and it must support at least TPM 2.0. - -[Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). - -### User Account Control - -User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. - -You shouldn't turn off UAC because this setting isn't supportive of devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This setting isn't recommended for devices running Windows 10. - -For more information about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). - -In Windows 10, User Account Control has added some improvements. - -#### New User Account Control features in Windows 10, version 1507 - -- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. - -[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). - -### VPN profile options - -Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: - -- Always-on auto connection behavior -- App=triggered VPN -- VPN traffic filters -- Lock down VPN -- Integration with Microsoft Passport for Work - -[Learn more about the VPN options in Windows 10.](/windows/access-protection/vpn/vpn-profile-options) - - -## Management - -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. - -### MDM support - -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. - -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. - -Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/) - -### Unenrollment - - -When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. - -When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. - -### Infrastructure - - -Enterprises have the following identity and management choices. - -| Area | Choices | -|---|---| -| Identity | Active Directory; Azure AD | -| Grouping | Domain join; Workgroup; Azure AD join | -| Device management | Group Policy; Microsoft Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - -> [!NOTE] -> With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). - - -### Device lockdown - - -Do you need a computer that can only do one thing? For example: - -- A device in the lobby that customers can use to view your product catalog. - -- A portable device that drivers can use to check a route on a map. - -- A device that a temporary worker uses to enter data. - -You can configure a persistent locked down state to [create a kiosk-type device](/windows/configuration/kiosk-methods). When the locked-down account is logged on, the device displays only the app that you select. - -You can also [configure a lockdown state](/windows/configuration/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. - -Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](/windows/configuration/windows-10-start-layout-options-and-policies). - -### Customized Start layout - -A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](/windows/configuration/customize-and-export-start-layout). - -Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). - -### Microsoft Store for Business -**New in Windows 10, version 1511** - -With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or reuse licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. - -For more information, see [Microsoft Store for Business overview](/microsoft-store/windows-store-for-business-overview). - - -## Updates - -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. - -By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - -- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). - -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient. - -- **Use with existing tools** such as Microsoft Intune and the [Enterprise Mobility Suite](/enterprise-mobility-security). - -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Configuration Manager](/configmgr). - - -Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). - -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). - -## Microsoft Edge -Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. - -- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. -- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. -- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. -- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. - -### Enterprise guidance -Microsoft Edge is the default browser experience for Windows 10. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). - -We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. - -[Learn more about using Microsoft Edge in the enterprise](/microsoft-edge/deploy/emie-to-improve-compatibility) - - -## Learn more - -- [Windows 10 release information](https://technet.microsoft.com/windows/release-info) diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md deleted file mode 100644 index d0b7cbda02..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ /dev/null @@ -1,156 +0,0 @@ ---- -title: What's new in Windows 10, version 1607 (Windows 10) -description: What's new in Windows 10 for Windows 10 (version 1607)? -ms.prod: windows-client -ms.localizationpriority: medium -author: mestew -manager: aaroncz -ms.author: mstewart -ms.topic: article -ROBOTS: NOINDEX -ms.technology: itpro-fundamentals -ms.date: 12/31/2017 ---- - -# What's new in Windows 10, version 1607 for IT Pros - -Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update). - ->[!NOTE] ->For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). - -## Deployment - -### Windows Imaging and Configuration Designer (ICD) - -In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) - -Windows ICD now includes simplified workflows for creating provisioning packages: - -- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) -- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) -- [School provisioning to set up classroom devices for Active Directory](/education/windows/set-up-students-pcs-to-join-domain) - -[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) - -### Windows Upgrade Readiness - -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. - -[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -## Windows updates - -Windows 10, version 1607, provides administrators with increased control over updates by changing the update deferral increment from weeks to days. Other changes: - -- Quality Updates can be deferred up to 30 days and paused for 35 days -- Feature Updates can be deferred up to 180 days and paused for 60 days -- Update deferrals can be applied to both Current Branch (CB) and Current Branch for Business (CBB) -- Drivers can be excluded from updates - -## Security - -### Credential Guard and Device Guard - -Isolated User Mode is now included with Hyper-V so you don't have to install it separately. - -### Windows Hello for Business - -When Windows 10 was first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work won't experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Other changes for Windows Hello in Windows 10, version 1607: - -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. -- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. -- Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. - -[Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) - -### VPN - -- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. -- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. -- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607) -- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure). - - -### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. - -Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. - -- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) -- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) - -[Learn more about Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) - -### Windows Defender -Several new features and management options have been added to Windows Defender in Windows 10, version 1607. - -- [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media. -- [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans. -- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to use the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal. -- [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus). -- [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. - -### Microsoft Defender for Endpoint - -With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Microsoft Defender for Endpoint is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. - -[Learn more about Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -## Management - -### Use Remote Desktop Connection for PCs joined to Azure Active Directory - -From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD). [Learn about the requirements and supported configurations.](/windows/client-management/connect-to-remote-aadj-pc) - - -### Taskbar configuration - -Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](/windows/configuration/windows-10-start-layout-options-and-policies) - -### Mobile device management and configuration service providers (CSPs) - -Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607). - -### Shared PC mode - -Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](/windows/configuration/set-up-shared-or-guest-pc) - -### Application Virtualization (App-V) for Windows 10 - -Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally. - -With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. - -[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started) - -### User Experience Virtualization (UE-V) for Windows 10 - -Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. - -With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign in to. - -With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. - -[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows) - -## Learn more - -- [Windows 10 release information](https://technet.microsoft.com/windows/release-info) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md deleted file mode 100644 index b62a1a7579..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ /dev/null @@ -1,313 +0,0 @@ ---- -title: What's new in Windows 10, version 1703 -description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated). -ms.prod: windows-client -ms.localizationpriority: medium -author: mestew -manager: aaroncz -ms.author: mstewart -ms.topic: article -ROBOTS: NOINDEX -ms.technology: itpro-fundamentals -ms.date: 12/31/2017 ---- - -# What's new in Windows 10, version 1703 for IT Pros - -Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). - -For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update}(https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). - ->[!NOTE] ->Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed in Windows 10 Creators Update](removed-features.md). - -## Configuration - -### Windows Configuration Designer - -Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). - -Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages. - -![wizards for desktop, mobile, kiosk, Surface Hub.](images/wcd-options.png) - -Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp). - -![remove pre-installed software option.](images/wcd-cleanpc.png) - -[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages) - - -### Azure Active Directory join in bulk - -Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. - - -### Windows Spotlight - -The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: - -- **Turn off the Windows Spotlight on Action Center** -- **Do not use diagnostic data for tailored experiences** -- **Turn off the Windows Welcome Experience** - -[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) - - -### Start and taskbar layout - -Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro. - -Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). - -[More MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: - -- Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) -- Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) -- Other new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist). - -### Cortana at work - -Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, optimized for your business. When your employees sign in with an Azure Active Directory (Azure AD) account, they can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. - -Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. - -For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) - - -## Deployment - -### MBR2GPT.EXE - -MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). - -The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports other partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. - -Other security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. - -For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). - -## Security - -### Microsoft Defender for Endpoint - -New features in Microsoft Defender for Endpoint for Windows 10, version 1703 include: -- **Detection**: Enhancements to the detection capabilities include: - - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks - - Upgraded detections of ransomware and other advanced attacks - - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed - -- **Investigation**: Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Microsoft Defender for Endpoint portal. Other capabilities have been added to help you gain a holistic view on investigations. - - Other investigation enhancements include: - - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. - - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. - - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. - -- **Response**: When an attack is detected, security response teams can now take immediate action to contain a breach: - - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. - - -- **Other features** - - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. - -You can read more about ransomware mitigations and detection capability in Microsoft Defender for Endpoint in the blog: [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/). - -Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10 and the new capabilities in Windows 10, version 1703 see [Microsoft Defender for Endpoint for Windows 10 Creators Update](/windows/deployment/deploy-whats-new). - -### Microsoft Defender Antivirus -Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). - -The new library includes information on: -- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus) -- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus) -- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus) -- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features) -- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus) - -Some of the highlights of the new library include: -- [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) -- [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus) - -New features for Microsoft Defender AV in Windows 10, version 1703 include: - -- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) -- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus) -- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus) - - -In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). - -You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). - -### Device Guard and Credential Guard - -More security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime. -For more information, see [Device Guard Requirements](/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). - -### Group Policy Security Options - -The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. - -A new security policy setting -[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign-in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. - -### Windows Hello for Business - -You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). - -For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. - -For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). - -### Windows Information Protection (WIP) and Azure Active Directory (Azure AD) -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). - -You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). - -## Update - -### Windows Update for Business - -The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy hasn't been configured. We've also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). - - -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. - - -### Windows Insider for Business - -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization, especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows-insider/business/register). - -### Optimize update delivery - -With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Configuration Manager, starting with version 1702 of Configuration Manager, and with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. - ->[!NOTE] -> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. - -Delivery Optimization policies now enable you to configure more restrictions to have more control in various scenarios. - -Added policies include: -- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) -- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) -- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) -- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) -- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) - -To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) - -### Uninstalled in-box apps no longer automatically reinstall - -Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. - -Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This condition won't apply to the update from Windows 10, version 1607 (or earlier) to version 1703. - -## Management - -### New MDM capabilities - -Windows 10, version 1703 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider). - -Some of the other new CSPs are: - -- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country/region to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. - -- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. - -- The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. - -- The [NetworkProxy CSP](/windows/client-management/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. - -- The [Office CSP](/windows/client-management/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options). - -- The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. - - -[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) - -### Mobile application management support for Windows 10 - -The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703. - -For more info, see [Implement server-side support for mobile application management on Windows](/windows/client-management/mdm/implement-server-side-mobile-application-management). - -### MDM diagnostics - -In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we're introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an extra tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. - -### Application Virtualization for Windows (App-V) -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. - -For more info, see the following topics: -- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) -- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) -- [Automatically clean up unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) - -### Windows diagnostic data - -Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. - -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) -- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) - -### Group Policy spreadsheet - -Learn about the new Group Policies that were added in Windows 10, version 1703. - -- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) - -## Miracast on existing wireless network or LAN - -In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb). - -Miracast over Infrastructure offers many benefits: - -- Windows automatically detects when sending the video stream over this path is applicable. -- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. -- Users don't have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. -- No changes to current wireless drivers or PC hardware are required. -- It works well with older wireless hardware that isn't optimized for Miracast over Wi-Fi Direct. -- It uses an existing connection that reduces the time to connect and provides a stable stream. - -### How it works - -Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, and via multicast DNS (mDNS). If the name isn't resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. - -### Enabling Miracast over Infrastructure - -If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following requirements are true within your deployment: - -- The device (PC or Surface Hub) needs to be running Windows 10, version 1703. -- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows device can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (for example, using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - - As a Miracast source, the device must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this resolution by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. -- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - -It's important to note that Miracast over Infrastructure isn't a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. - -## New features in related products -The following new features aren't part of Windows 10, but help you make the most of it. - -### Upgrade Readiness - -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. - -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. - -For more information about Upgrade Readiness, see the following topics: - -- [Windows Analytics blog](/archive/blogs/upgradeanalytics/) -- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - - -### Update Compliance - -Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. - -Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. - -For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md deleted file mode 100644 index 4f608c1dd6..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ /dev/null @@ -1,152 +0,0 @@ ---- -title: What's new in Windows 10, version 1709 -description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update). -ms.prod: windows-client -author: mestew -manager: aaroncz -ms.author: mstewart -ms.localizationpriority: medium -ms.topic: article -ROBOTS: NOINDEX -ms.technology: itpro-fundamentals -ms.date: 12/31/2017 ---- - -# What's new in Windows 10, version 1709 for IT Pros - -**Applies to** -- Windows 10, version 1709 - -Below is a list of some of the new and updated content that discusses IT Pro features in Windows 10, version 1709, also known as the Fall Creators Update. Windows 10, version 1709 also contains all features and fixes included in previous cumulative updates to Windows 10, version 1703. - -A brief description of new or updated features in this version of Windows 10 is provided, with links to content with more detailed information. The following 3-minute video summarizes these features. - -  - -> [!video https://www.microsoft.com/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false] - - -## Deployment - -### Windows Autopilot - -Windows Autopilot is a zero touch experience for deploying Windows 10 devices. Configuration profiles can now be applied at the hardware vendor with devices being shipped directly to employees. For more information, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot). - -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices). - -### Windows 10 Subscription Activation - -Windows 10 Subscription Activation lets you deploy Windows 10 Enterprise in your organization with no keys and no reboots using a list of subscribed users. When a subscribed user signs in on their Windows 10 Pro device, features that are Enterprise-only are automatically enabled. For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). - -### Autopilot Reset - -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom sign-in screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset). - - -## Update - -### Windows Update for Business - -Windows Update for Business now has more controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). - -### Windows Insider Program for Business - -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). - - -## Administration - -### Mobile Device Management (MDM) - -MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory-joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). - -Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). - - -## Application Management - -### Mixed Reality Apps - -This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality). - - -## Configuration - -### Kiosk Configuration - -The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). - - -## Security - ->[!NOTE] ->Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Credential Guard, and Windows Defender Firewall. - -**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). - -### Microsoft Defender for Endpoint - -Microsoft Defender for Endpoint has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Microsoft Defender for Endpoint Security analytics dashboard](/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices). - -### Windows Defender Application Guard - -Windows Defender Application Guard hardens a favorite attacker entry-point by isolating malware and other threats away from your data, apps, and infrastructure. For more information, see [Windows Defender Application Guard overview](/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview). - -### Windows Defender Exploit Guard - -Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/microsoft-365/security/defender-endpoint/enable-exploit-protection), [Attack surface reduction protection](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction), [Controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access), and [Network protection](/microsoft-365/security/defender-endpoint/enable-network-protection). - - -### Windows Defender Device Guard - -Configurable code integrity is being rebranded as Windows Defender Application Control. This rebranding is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - -### Windows Information Protection - -Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). - -### Windows Hello - -New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you aren't present. More details about this feature will be available soon. For general information, see [Windows Hello for Business](/windows/access-protection/hello-for-business/hello-identity-verification). - -### BitLocker - -The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). - -### Windows security baselines - -Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). - -### SMBLoris vulnerability -An issue, known as _SMBLoris_, which could result in denial of service, has been addressed. - - -## Windows Analytics - -### Upgrade Readiness - -Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - -### Update Compliance - -New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor). - -### Device Health - -Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor). - - -## Networking - -### Network stack - -Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). - - -## See Also - -[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
        -[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
        -[What's new in Windows 10, version 1709](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
        -[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709. -[Threat protection on Windows 10](/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
        diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md deleted file mode 100644 index 9c77663750..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ /dev/null @@ -1,233 +0,0 @@ ---- -title: What's new in Windows 10, version 1803 -description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). -ms.prod: windows-client -author: mestew -manager: aaroncz -ms.author: mstewart -ms.localizationpriority: medium -ms.topic: article -ROBOTS: NOINDEX -ms.technology: itpro-fundamentals -ms.date: 12/31/2017 ---- - -# What's new in Windows 10, version 1803 for IT Pros - -**Applies to** -- Windows 10, version 1803 - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1803, also known as the Windows 10 April 2018 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1709. - ->If you are not an IT Pro, see the following topics for information about what's new in Windows 10, version 1803 in [hardware](/windows-hardware/get-started/what-s-new-in-windows), for [developers](/windows/uwp/whats-new/windows-10-build-17134), and for [consumers](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update). - -The following 3-minute video summarizes some of the new features that are available for IT Pros in this release. - -> [!video https://www.microsoft.com/videoplayer/embed/RE21ada?autoplay=false] - -## Deployment - -### Windows Autopilot - -[Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot) provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10. - -With the help of Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. - -Windows Autopilot is now available with Surface, Lenovo, and Dell. Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months. Check back here later for more information. - -### Windows 10 in S mode - -Windows 10 in S mode is now available on both Windows 10 Home and Pro PCs, and commercial customers will be able to deploy Windows 10 Enterprise in S mode - by starting with Windows 10 Pro in S mode and then activating Windows 10 Enterprise on the computer. - -Some additional information about Windows 10 in S mode: - -- Microsoft-verified. All of your applications are verified by Microsoft for security and performance. -- Performance that lasts. Start-ups are quick, and S mode is built to keep them that way. -- Choice and flexibility. Save your files to your favorite cloud, like OneDrive or DropBox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps. -- S mode, on a range of modern devices. Enjoy all the great Windows multi-tasking features, like snapping Windows, task view and virtual desktops on a range of S mode enabled devices. - -If you want to switch out of S mode, you'll be able to do so at no charge, regardless of edition. Once you switch out of S mode, you can't switch back. - -For more information, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). - -### Windows 10 kiosk and Kiosk Browser - -With this release, you can easily deploy and manage kiosk devices with Microsoft Intune in single- and multiple-app scenarios. These scenarios include the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below. - -- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons. -- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies -- Support for multiple screens for digital signage use cases. -- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page. -- The ability to configure and run Shell Launcher in addition to existing UWP Store apps. -- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases. -- For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups. -- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues. - -For more information, see: -- [Making IT simpler with a modern workplace](https://www.microsoft.com/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/) -- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691) - -### Windows 10 Subscription Activation - -With this release, Subscription Activation supports Inherited Activation. Inherited Activation allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. - -For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation#inherited-activation). - -### DISM - -The following new DISM commands have been added to manage feature updates: - -| Command | Description | -|---|---| -| `DISM /Online /Initiate-OSUninstall` | Initiates an OS uninstall to take the computer back to the previous installation of windows. | -| `DISM /Online /Remove-OSUninstall` | Removes the OS uninstall capability from the computer. | -| `DISM /Online /Get-OSUninstallWindow` | Displays the number of days after upgrade during which uninstall can be performed. | -| `DISM /Online /Set-OSUninstallWindow` | Sets the number of days after upgrade during which uninstall can be performed. | - - -For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). - -### Windows Setup - -You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. - -Prerequisites: -- Windows 10, version 1803 or later. -- Windows 10 Enterprise or Pro - -For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). - -It's also now possible to run a script if the user rolls back their version of Windows using the PostRollback option: - -`/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` - -For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) - -New command-line switches are also available to control BitLocker: - -| Command | Description | -|---|---| -| `Setup.exe /BitLocker AlwaysSuspend` | Always suspend BitLocker during upgrade. | -| `Setup.exe /BitLocker TryKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade doesn't work, then suspend BitLocker and complete the upgrade. | -| `Setup.exe /BitLocker ForceKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade doesn't work, fail the upgrade. | - -For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) - -### SetupDiag - -[SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. - -SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. - -### Windows Update for Business - -Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure). - -### Feature update improvements - -Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This migration has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). - -## Configuration - -### Co-management - -**Intune** and **Microsoft Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. - -For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) - -### OS uninstall period - -The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. - -### Windows Hello for Business - -[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-overview) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#windows-10-kiosk-and-kiosk-browser) section. - -- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). -- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. -- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. -- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. -- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. -- It's easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). - -For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) - -## Accessibility and Privacy - -### Accessibility - -"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. - -### Privacy - -In the Feedback and Settings page under Privacy Settings, you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app. - -## Security - -### Security Baselines - -The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published. - -### Microsoft Defender Antivirus - -Microsoft Defender Antivirus now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud-based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). - -### Windows Defender Exploit Guard - -Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center. - -For more information, see [Reduce attack surfaces](/microsoft-365/security/defender-endpoint/attack-surface-reduction). - -### Microsoft Defender for Endpoint - -[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/advanced-hunting-query-language) has been enhanced with many new capabilities. For more information, see the following topics: - -- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-query-language) -- [Use Automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations) -- [Enable conditional access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access) - -Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97). - -### Windows Defender Application Guard - -Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements). - -### Windows Defender Device Guard - -Configurable code integrity is being rebranded as Windows Defender Application Control. This rebranding is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - -### Windows Information Protection - -This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). - -### Office 365 Ransomware Detection - -For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US). - -## Windows Analytics - -### Upgrade Readiness - -Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see [Upgrade Readiness now helps assess Spectre and Meltdown protections](/archive/blogs/upgradeanalytics/upgrade-readiness-now-helps-assess-spectre-and-meltdown-protections). - -### Update Compliance - -Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](/windows/deployment/update/update-compliance-delivery-optimization). - -### Device Health - -Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords—for a smooth migration to the password-less future. For more information, see [Using Device Health](/windows/deployment/update/device-health-using). - -## Microsoft Edge - -iOS and Android versions of Edge are now available. For more information, see [Microsoft Edge Tips](https://microsoftedgetips.microsoft.com/en-us?source=firstrunwip). - -Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved. - - -## See Also - -- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features. -- [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10. -- [What's new in Windows 10, version 1709](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware. -- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709. diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md deleted file mode 100644 index ad971e7d6a..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ /dev/null @@ -1,301 +0,0 @@ ---- -title: What's new in Windows 10, version 1809 -description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803. -ms.prod: windows-client -author: mestew -manager: aaroncz -ms.author: mstewart -ms.localizationpriority: medium -ms.topic: article -ROBOTS: NOINDEX -ms.technology: itpro-fundamentals -ms.date: 01/31/2023 ---- - -# What's new in Windows 10, version 1809 for IT Pros - ->Applies To: Windows 10, version 1809 - -In this article, we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803. - - - -## Deployment - -### Windows Autopilot self-deploying mode - -Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. - -This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. - -You can utilize Windows Autopilot self-deploying mode to register the device to an Azure Active Directory tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. - -To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](/windows/deployment/windows-autopilot/self-deploying). - -### SetupDiag - -[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful. - -## Security - -We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: - -> [!div class="mx-imgBorder"] -> ![Virus & threat protection settings.](images/virus-and-threat-protection.png "Virus & threat protection settings") - -With controlled folder access, you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. - -When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. - -We added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time isn't properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. - -We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. - -This functionality also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). - -### BitLocker - -#### Silent enforcement on fixed drives - -Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD)-joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this effect of the encryption still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. - -This new functionality is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and used by Intune and others. - -This feature will soon be enabled on Olympia Corp as an optional feature. - -#### Delivering BitLocker policy to Autopilot devices during OOBE - -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This option allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - -To achieve this setting: - -1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. - -2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. - - > [!IMPORTANT] - > The encryption policy must be assigned to **devices** in the group, not users. - -3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - > [!IMPORTANT] - > If the ESP is not enabled, the policy will not apply before encryption starts. - -For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](/windows/deployment/windows-autopilot/bitlocker). - -### Windows Defender Application Guard Improvements - -Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings. - -Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). - -To try this settings management, perform the following steps: - -1. Go to **Windows Security** and select **App & browser control**. - -2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. - -3. Select **Change Application Guard** settings. - -4. Configure or check Application Guard settings. - -See the following example: - -> [!div class="mx-imgBorder"] -> ![Security at a glance.](images/1_AppBrowser.png "app and browser control") - -> [!div class="mx-imgBorder"] -> ![Isolated browser.](images/2_InstallWDAG.png "isolated browsing") - -> [!div class="mx-imgBorder"] -> ![change WDAG settings.](images/3_ChangeSettings.png "change settings") - -> [!div class="mx-imgBorder"] -> ![view WDAG settings.](images/4_ViewSettings.jpg "view settings") - -### Windows Security Center - -Windows Defender Security Center is now called **Windows Security Center**. - -You can still get to the app in all the usual ways–ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. - -The WSC service now requires antivirus products to run as a protected process to register. Products that haven't yet implemented this execution won't appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. - -WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you've enabled that option in **Color Settings**. - -![alt text.](images/defender.png "Windows Security Center") - -### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes - -You can add specific rules for a WSL process in Windows Defender Firewall, just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This support was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead). - -### Microsoft Edge Group Policies - -We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](/microsoft-edge/deploy/change-history-for-microsoft-edge). - -### Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined - -Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. - -Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. - -### Windows 10 Pro S Mode requires a network connection - -A network connection is now required to set up a new device. As a result, we removed the “skip for now” option in the network setup page in Out Of Box Experience (OOBE). - -### Microsoft Defender for Endpoint - -[Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: - -- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics)
        -Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provide recommended actions to contain, increase organizational resilience, and prevent specific threats. - -- [Custom detection](/microsoft-365/security/defender/custom-detections-overview)
        - With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This query creation can be done by using the power of Advanced hunting through the creation of custom detection rules. - -- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
        -Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. -The integration will allow MSSPs to take the following actions: -Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. - -- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
        -Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration, Azure Defender can use the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers. - -- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
        -Microsoft Cloud App Security uses Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines. - -- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
        -Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. - -- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
        -Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor - -## Cloud Clipboard - -Cloud clipboard helps users copy content between devices. It also manages the clipboard history so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard: - -1. Go to **Windows Settings** and select **Systems**. - -2. On the left menu, click on **Clipboard**. - -3. Turn on **Clipboard history**. - -4. Turn on **Sync across devices**. Choose whether or not to automatically sync copied text across your devices. - -## Kiosk setup experience - -We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. - -To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. - -![set up a kiosk.](images/kiosk-mode.png "set up a kiosk") - -Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. - -1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode. - -2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users can't minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. - -![single app assigned access.](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") - -Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. - ->[!NOTE] ->The following Microsoft Edge kiosk mode types cannot be set up using the new simplified assigned access configuration wizard in Windows 10 Settings. - -**Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. - -![multi-app assigned access.](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") - -**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store isn't set up, users can't get books. - -![normal mode.](images/Normal_inFrame.png "normal mode") - -Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). - -## Registry editor improvements - -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. - -![Registry editor dropdown.](images/regeditor.png "Registry editor dropdown") - -## Faster sign-in to a Windows 10 shared pc - -Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash! - -**To enable fast sign-in:** -1. Set up a shared or guest device with Windows 10, version 1809. - -2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in. - -3. Sign-in to a shared PC with your account. You'll notice the difference! - - ![fast sign-in.](images/fastsignin.png "fast sign-in") - ->[!NOTE] ->This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time. - -## Web sign-in to Windows 10 - ->[!IMPORTANT] ->This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time. - -Until now, Windows sign-in only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We're introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows sign-in support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass. - -**To try out web sign-in:** -1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). - -2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in. - -3. On the lock screen, select web sign-in under sign-in options. - -4. Click the **Sign in** button to continue. - - > [!div class="mx-imgBorder"] - > ![Web sign-in.](images/websignin.png "web sign-in") - ->[!NOTE] ->This is a private preview feature and therefore not meant or recommended for production purposes. - -## Your Phone app - -Android phone users, you can finally stop emailing yourself photos. With Your Phone, you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. - -For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing-read, watch, or browse-with all the benefits of a bigger screen. - -:::image type="content" source="images/your-phone.png" alt-text="Your phone."::: - -The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. - -## Wireless projection experience - -One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: - -* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible -* Video mode increases the screen-to-screen latency to ensure the video on the large screen plays back smoothly -* Productivity modes strike a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. - -![wireless projection banner.](images/beaming.png "wireless projection banner") - -## Remote Desktop with Biometrics - -Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. -Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. - -Azure Active Directory and Active Directory users using Windows Hello for Business in a certificate trust model, can use biometrics to authenticate to a remote desktop session. - -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the device you want to connect to, and select **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials. Windows uses biometrics to authenticate the RDP session to the Windows device. You can continue to use Windows Hello for Business in the remote session, but in the remote session you must use the PIN. - -See the following example: - -![Enter your credentials for Windows Hello.](images/RDPwBioTime.png "Windows Hello") -![Remote Desktop Connection.](images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016.](images/hyper-v.png "Microsoft Hyper-V Server 2016") diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md deleted file mode 100644 index c593f3baae..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ /dev/null @@ -1,148 +0,0 @@ ---- -title: What's new in Windows 10, version 1903 -description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). -ms.prod: windows-client -author: mestew -ms.author: mstewart -manager: aaroncz -ms.localizationpriority: medium -ms.topic: article -ROBOTS: NOINDEX -ms.technology: itpro-fundamentals -ms.date: 11/17/2023 ---- - -# What's new in Windows 10, version 1903 for IT Pros - -**Applies to** -- Windows 10, version 1903. - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809. - ->[!NOTE] -> ->New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don't meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage). - -## Deployment - -### Windows Autopilot - -[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later: - -- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in this version of Windows. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users. -- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions. -- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. -- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE. -- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. - -### SetupDiag - -[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the `rules.xml` file, which is extracted when SetupDiag is run. The `rules.xml` file are updated as new versions of SetupDiag are made available. - -### Reserved storage - -[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327) sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage is enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It isn't enabled when updating from a previous version of Windows 10. - -## Servicing - -- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates and Intune content. -- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and lock their device in order to complete the update. This automatic sign-in ensures that when the user returns and unlocks the device, the update is completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. -- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally. -- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to be updated before pausing again. -- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in your taskbar. -- **Intelligent active hours**: To further enhance active hours, users are now able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. -- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. - -## Security - -### Windows Information Protection - -With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). - -### Security configuration framework - -With this release of Windows 10, Microsoft is introducing a [new taxonomy for security configurations](https://github.com/microsoft/SecCon-Framework/blob/master/windows-security-configuration-framework.md), called the **SECCON framework**, comprised of 5 device security configurations. - -### Security baseline for Windows 10 and Windows Server - -The draft release of the [security configuration baseline settings](/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903) for Windows 10, version 1903 and for Windows Server version 1903 is available. - -### Intune security baselines - -[Intune Security Baselines](/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams. - -### Microsoft Defender for Endpoint - -- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses. -- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls are extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform. - - Tamper-proofing capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. -- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) - In addition to Windows 10, Microsoft Defender for Endpoint's functionality are extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. - -### Microsoft Defender for Endpoint next-gen protection technologies - -- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. -- **Emergency outbreak protection**: Provides emergency outbreak protection that automatically updates devices with new intelligence when a new outbreak is detected. -- **Certified ISO 27001 compliance**: Ensures that the cloud service is analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. -- **Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies. - -### Threat Protection - -- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. -- [Microphone privacy settings](https://support.microsoft.com/windows/windows-camera-microphone-and-privacy-a83257bc-e990-d54a-d212-b5e41beba857): A microphone icon appears in the notification area letting you see which apps are using your microphone. - -- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. - - To try this extension: - 1. Configure WDAG policies on your device. - 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. - 3. Follow any of the other configuration steps on the extension setup page. - 4. Reboot the device. - 5. Navigate to an untrusted site in Chrome and Firefox. - - - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users are automatically redirected to their host default browser when they enter or select on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. - -- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has many new features that light up key scenarios and provide feature parity with AppLocker. - - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: - 1. Enforce and audit side-by-side. - 1. Simpler targeting for policies with different scope/intent. - 1. expanding a policy using a new supplemental policy. - - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files are checked for write permissions for unknown admins. If a file is found to be user writeable, the system blocks the executable from running unless it receives authorization from a source other than a path rule, such as a signer or hash rule. - - This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time. This capability isn't available with AppLocker. - - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. - -#### System Guard - -[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner. Specifically, OS memory and secrets are protected from SMM. - -This new feature is displayed under the Device Security page with the string `Your device exceeds the requirements for enhanced hardware security` if configured properly: - -![System Guard.](images/system-guard.png "SMM Firmware Measurement") - -### Identity Protection - -- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Microsoft Entra ID. -- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. -- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience. -- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Microsoft Entra ID and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -### Security management - -- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. -- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. -- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features. - -## Microsoft Edge - -Several new features are coming in the next version of Microsoft Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97). - -## See Also - -- [What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server. -- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features. -- [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10. -- [What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what's new in Windows 10 hardware. -- [What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers. diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md deleted file mode 100644 index 5ab89168fd..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ /dev/null @@ -1,139 +0,0 @@ ---- -title: What's new in Windows 10, version 1909 -description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). -ms.prod: windows-client -author: mestew -ms.author: mstewart -manager: aaroncz -ms.localizationpriority: medium -ms.topic: article -ROBOTS: NOINDEX -ms.technology: itpro-fundamentals -ms.date: 12/31/2017 ---- - -# What's new in Windows 10, version 1909 for IT Pros - -**Applies to** -- Windows 10, version 1909 - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 1909, also known as the Windows 10 November 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1903. - -## Servicing - -Windows 10, version 1909 is a scoped set of features for select performance improvements, enterprise features and quality enhancements. - -To deliver these updates in an optimal fashion, we're providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you're running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update. - -If you're updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see [Evolving Windows 10 servicing and quality: the next steps](https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/#rl2G5ETPhkhMvDeX.97). - -**Note**: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, see the [Windows lifecycle fact sheet](/lifecycle/faq/windows). - -### Windows Server Update Services (WSUS) - -Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054). - -The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. - -### Windows Update for Business - -If you're using Windows Update for Business, you'll receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy. - -## Security - -### Credential Guard - -[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. - -### Microsoft BitLocker - -BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive. - -### Key-rolling and Key-rotation - -Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. - -### Transport Layer Security (TLS) - -An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. - ->[!NOTE] ->The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-). - -## Virtualization - -### Windows Sandbox - -[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature is available in Windows 10, version 1903. In Windows 10, version 1909 you have even more control over the level of isolation. - -## Windows Virtual Desktop - -[Windows Virtual Desktop](/azure/virtual-desktop/overview) (WVD) is now generally available globally! - -Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It's the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant. - -## Deployment - -### Microsoft Intune family of products - -Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). - -### Windows 10 Pro and Enterprise in S mode - - You can now deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, and deploy them with Mobile Device Management (MDM) software such as Microsoft Intune. For more information, see [Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices](/windows/security/threat-protection/windows-defender-application-control/lob-win32-apps-on-s). - -### SetupDiag - -[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.0.42 is available. - -SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. - -### Windows Assessment and Deployment Toolkit (ADK) - -A new [Windows ADK](/windows-hardware/get-started/adk-install) will **not be released** for Windows 10, version 1909. You can use the Windows ADK for Windows 10, version 1903 to deploy Windows 10, version 1909. - -## Desktop Analytics - -[Desktop Analytics](/configmgr/desktop-analytics/overview) is now generally available globally! Desktop Analytics is a cloud-connected service, integrated with Configuration Manager, which gives you data-driven insights to the management of your Windows endpoints. It provides insight and intelligence that you can use to make more informed decisions about the update readiness of your Windows endpoints. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license. - -## Microsoft Connected Cache - -Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a "configure once and forget it" solution that transparently caches content that your devices on your network need. - -## Accessibility - -This release adds the ability for Narrator and other assistive technologies to read and learn where the FN key is located on keyboards and what state it is in (locked versus unlocked). - -## Processor requirements and enhancements - -### Requirements - -[Windows Processor Requirements](/windows-hardware/design/minimum/windows-processor-requirements) have been updated for this version of Windows. - -### Favored CPU Core Optimization - -This version of Windows 10 will include optimizations to how instructions are processed by the CPU in order to increase the performance and reliability of the operating system and its applications. - -When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a "boost" in performance. These cores are called "favored cores" as they can offer better performance than the other cores on the die. - -With Intel Turbo Boost Max Technology 3.0, an operating system will use information stored in the CPU to identify which cores are the fastest and then push more of the CPU intensive tasks to those cores. According to Intel, this technology "delivers more than 15% better single-threaded performance". - -### Debugging - -More debugging capabilities for newer Intel processors have been added in this release. These newly added capabilities are only relevant for hardware manufacturers. - -### Efficiency - -General battery life and power efficiency improvements for PCs with certain processors have been added in this release. - -## See Also - -[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
        -[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
        -[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
        -[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
        -[Features and functionality removed in Windows 10](removed-features.md): Removed features.
        -[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
        -[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
        -[How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.
        -[What's new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
        diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md deleted file mode 100644 index 22d328d14f..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ /dev/null @@ -1,267 +0,0 @@ ---- -title: What's new in Windows 10, version 2004 -description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update). -ms.prod: windows-client -author: mestew -ms.author: mstewart -manager: aaroncz -ms.localizationpriority: medium -ms.topic: article -ROBOTS: NOINDEX -ms.technology: itpro-fundamentals -ms.date: 12/31/2017 ---- - -# What's new in Windows 10, version 2004 for IT Pros - -**Applies to** -- Windows 10, version 2004 - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909. - -To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update). - -> [!NOTE] -> The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003. - -## Security - -### Windows Hello - -- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. - -- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. - -- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). - -- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). - -### Windows Defender System Guard - -In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO. - -With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. - - ![System Guard.](images/system-guard2.png) - -### Windows Defender Application Guard - -[Windows Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. - -Note: [Application Guard for Office](https://support.office.com/article/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46) is coming soon. - -## Deployment - -### Windows Setup - -Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/). - -Improvements in Windows Setup with this release also include: -- Reduced offline time during feature updates -- Improved controls for reserved storage -- Improved controls and diagnostics -- New recovery options - -For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). - -### SetupDiag - -In Windows 10, version 2004, SetupDiag is now automatically installed. - -[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. - -During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup. - -### Windows Autopilot - -With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. - -If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this skip was only supported with self-deploying profiles. - -### Microsoft Configuration Manager - -An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). - -Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). - -### Windows Assessment and Deployment Toolkit (ADK) - -Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). - -For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). - -### Microsoft Deployment Toolkit (MDT) - -MDT version 8456 supports Windows 10, version 2004, but there's currently an issue that causes MDT to incorrectly detect that UEFI is present. There's an [update available](https://support.microsoft.com/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit) for MDT to address this issue. - -For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes). - -## Servicing - -### Delivery Optimization - -Windows PowerShell cmdlets have been improved: - -- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). -- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections. -- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting. - -Other improvements: -- Enterprise network [throttling is enhanced](/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. -- Automatic cloud-based congestion detection is available for PCs with cloud service support. - -The following [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) policies are removed in this release: - -- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) - - Reason: Replaced with separate policies for foreground and background. -- Max Upload Bandwidth (DOMaxUploadBandwidth) - - Reason: Impacts uploads to internet peers only, which isn't used in enterprises. -- Absolute max throttle (DOMaxDownloadBandwidth) - - Reason: Separated to foreground and background. - -### Windows Update for Business - -[Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include: - -- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - -- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds. - -- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue using deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215). - -## Networking - -### Wi-Fi 6 and WPA3 - -Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks. - -### TEAP - -In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea). - -## Virtualization - -### Windows Sandbox - -[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bug fixes and enables even more control over configuration. - -[Windows Sandbox configuration](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes: -- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop. -- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox. -- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This setting is disabled by default due to issues with copy & paste. -- PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox. -- ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox. -- MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox. - -Windows Media Player is also added back to the Sandbox image in this release. - -Windows Sandbox also has improved accessibility in this release, including: -- Microphone support is available. -- Added functionality to configure the audio input device via the Windows Sandbox config file. -- A Shift + Alt + PrintScreen key sequence that activates the ease of access dialog for enabling high contrast mode. -- A ctrl + alt + break key sequence that allows entering/exiting fullscreen mode. - -### Windows Subsystem for Linux (WSL) - -With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but wouldn't shrink when no longer needed. - -[WSL2](/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization. - -For a full list of updates to WSL, see the [WSL release notes](/windows/wsl/release-notes). - -### Windows Virtual Desktop (WVD) - -Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](/azure/virtual-desktop/) for the latest and greatest information, and the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent). - -## Microsoft Edge - -Read about plans for the new Microsoft Edge and other innovations announced at [Build 2020](https://blogs.windows.com/msedgedev/2020/05/19/microsoft-edge-news-developers-build-2020/) and [What's new at Microsoft Edge Insider](https://www.microsoftedgeinsider.com/whats-new). - -Also see information about the exciting new Edge browser [here](https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/). - -## Application settings - -This release enables explicit [Control over restarting apps at sign-in (Build 18965)](/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC. - -## Windows Shell - -Several enhancements to the Windows 10 user interface are implemented in this release: - -### Cortana - -[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004: - -- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US. - - - In the coming months, with regular app updates through the Microsoft Store, we'll enhance this experience to support wake word invocation and enable listening when you say "Cortana", offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users. - -- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365's enterprise-level privacy, security, and compliance promises](/microsoft-365/admin/misc/cortana-integration) as set out in the Online Services Terms. - -- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop. - -For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020). - -### Windows Search - -Windows Search is improved in several ways. For more information, see [Supercharging Windows Search](https://aka.ms/AA8kllm). - -### Virtual Desktops - -There's a new [Update on Virtual Desktop renaming (Build 18975)](/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely. - -### Bluetooth pairing - -Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](/windows-insider/archive/new-in-20h1#improving-your-bluetooth-pairing-experience-build-18985). - -### Reset this PC - -The 'reset this PC' recovery function now includes a [cloud download](/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option. - -### Task Manager - -The following items are added to Task Manager in this release: -- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card. -- Disk type is now [listed for each disk on the Performance tab](/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898). - -## Graphics & display - -### DirectX - -[New DirectX 12 features](https://devblogs.microsoft.com/directx/dev-preview-of-new-directx-12-features/) are available in this release. - -### 2-in-1 PCs - -See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption. - -### Specialized displays - -With this update, devices running Windows 10 Enterprise or Windows 10 Pro for Workstations with multiple displays can be configured to prevent Windows from using a display, making it available for a specialized purpose. - -Examples include: -- Fixed-function arcade & gaming such as cockpit, driving, flight, and military simulators -- Medical imaging devices with custom panels, such as grayscale X-ray displays -- Video walls like those displayed in Microsoft Store -- Dedicated video monitoring -- Monitor panel testing and validation -- Independent Hardware Vendor (IHV) driver testing and validation - -To prevent Windows from using a display, choose Settings > Display and select Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use. - -## Desktop Analytics - -[Desktop Analytics](/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license. - -For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](/mem/configmgr/desktop-analytics/whats-new). - -## See Also - -- [What's new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog. -- [What's new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog. -- [What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server. -- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features. -- [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10. -- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers. -- [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses. -- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features. -- [Features and functionality removed in Windows 10](removed-features.md): Removed features. -- [Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed. diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md deleted file mode 100644 index a433405b4e..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-20H2.md +++ /dev/null @@ -1,152 +0,0 @@ ---- -title: What's new in Windows 10, version 20H2 -description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update). -ms.prod: windows-client -author: mestew -ms.author: mstewart -manager: aaroncz -ms.localizationpriority: high -ms.topic: article -ms.collection: - - highpri - - tier2 -ms.technology: itpro-fundamentals -ms.date: 12/31/2017 -appliesto: - - ✅ Windows 10, version 20H2 ---- - -# What's new in Windows 10, version 20H2 for IT Pros - -This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 20H2, also known as the Windows 10 October 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 2004. - -> [!NOTE] -> With this release and future releases, the Windows 10 release nomenclature is changing from a year and month pattern (YYMM) to a year and half-year pattern (YYH1, YYH2). - -As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H2-targeted release](/lifecycle/faq/windows), 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions. - -To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**). - -## Microsoft Edge - -This release automatically includes the new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser instead of the legacy version of Edge. For more information, see the [Microsoft Edge documentation](/microsoft-edge/). - -## Servicing - -### Windows Update - -There are several changes that help improve the security of devices that scan Windows Server Update Services (WSUS) for updates. For more information, see [Changes to improve security for Windows devices scanning WSUS](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547). - -Starting with Windows 10, version 20H2, LCUs and SSUs have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see [Simplifying on-premises deployment of servicing stack updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039). - -## Deployment - -New guidance is available to help prepare a [servicing strategy](/windows/deployment/update/waas-servicing-strategy-windows-10-updates) and move your devices to the latest version of Windows 10 quickly and as seamlessly as possible. - -Activities are grouped into the following phases: **Plan** > **Prepare** > **Deploy**: - -**Plan** your deployment by evaluating and understanding essential activities: -- Create a [phased deployment plan](/windows/deployment/update/create-deployment-plan) -- Assign [roles and responsibilities](/windows/deployment/update/plan-define-readiness#process-manager) within your organization -- Set [criteria](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) to establish readiness for the upgrade process -- Evaluate your [infrastructure and tools](/windows/deployment/update/eval-infra-tools) -- Determine [readiness](/windows/deployment/update/plan-determine-app-readiness) for your business applications -- Create an effective, schedule-based [servicing strategy](/windows/deployment/update/plan-define-strategy) - -**Prepare** your devices and environment for deployment by performing necessary actions: -- Update [infrastructure and tools](/windows/deployment/update/prepare-deploy-windows#prepare-infrastructure-and-environment) -- Ensure the needed [services](/windows/deployment/update/prepare-deploy-windows#prepare-applications-and-devices) are available -- Resolve issues with [unhealthy devices](/windows/deployment/update/prepare-deploy-windows#address-unhealthy-devices) -- Ensure that [users are ready](/windows/deployment/update/prepare-deploy-windows) for updates - -**Deploy** and manage Windows 10 strategically in your organization: -- Use [Windows Autopilot](/mem/autopilot/windows-autopilot) to streamline the setup, configuration, and delivery of new devices -- Use [Configuration Manager](/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager) or [MDT](/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt) to deploy new devices and update existing devices -- Use [Windows Update for Business](/windows/deployment/update/waas-configure-wufb) with Group Policy to [customize update settings](/windows/deployment/update/waas-wufb-group-policy) for your devices -- [Deploy Windows updates](/windows/deployment/update/waas-manage-updates-wsus) with Windows Server Update Services (WSUS) -- Manage bandwidth for updates with [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) -- [Monitor Windows Updates](/windows/deployment/update/update-compliance-monitor) with Update Compliance - -### Windows Autopilot - -Enhancements to Windows Autopilot since the last release of Windows 10 include: -- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode. -- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience. -- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**. - -### Windows Assessment and Deployment Toolkit (ADK) - -There's no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). - -## Device management - -Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy. - -For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) - -## Security - -### Microsoft Defender for Endpoint - -This release includes improved support for non-ASCII file paths for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). - -The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. - -### Microsoft Defender Application Guard for Office - -Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. - -### Windows Hello - -With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data. - -## Virtualization - -### Windows Sandbox - -New policies for [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) are available in this release. For more information, see [Policy CSP - WindowsSandbox](/windows/client-management/mdm/policy-csp-windowssandbox). - -### Windows Virtual Desktop (WVD) - -> **Note**: WVD is not tied directly to a Windows 10 release, but it is included here as an evolving capability of Windows. - -New capabilities in WVD were announced at Ignite 2020. For more information, see [Announcing new management, security, and monitoring capabilities in Windows Virtual Desktop](https://aka.ms/wvd-ignite2020-blogpost). - -In addition, [Windows Virtual Desktop is now generally available in the Azure Government cloud](https://azure.microsoft.com/updates/windows-virtual-desktop-is-now-generally-available-in-the-azure-government-cloud/). - -## Windows Shell - -Some enhancements to the Windows 10 user interface are implemented in this release: - -- With this release, the solid color behind tiles on the Start menu is replaced with a partially transparent background. Tiles are also theme-aware. -- Icons on the Start menu no longer have a square outline around each icon. -- Notifications are slightly updated in appearance. -- You can now change the monitor refresh rate on advanced display settings. -- Alt+Tab now shows Edge browser tabs by default. You can edit this setting under **Settings** > **System** > **Multitasking**: **Alt+Tab**. -- The System control panel under System and Security has been updated to the Settings > About page. Links to Device Manager, Remote desktop, System protection, Advanced system settings, and Rename this PC are moved to the About page. - -### 2-in-1 PCs - -On a 2-in-1 device, Windows will now automatically switch to tablet mode when you detach the screen. - -## Surface - -Windows 10 Pro and Enterprise are now [available on Surface Hub 2](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/announcing-the-availability-of-windows-10-pro-and-enterprise-on/ba-p/1624107). For more information, see [What's new in Surface Hub 2S for IT admins](/surface-hub/surface-hub-2s-whats-new). - -## Desktop Analytics - -[Desktop Analytics](/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license. - -For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](/mem/configmgr/desktop-analytics/whats-new). - -## See Also - -[What’s new for IT pros in Windows 10, version 20H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-20h2/ba-p/1800132)
        -[Get started with the October 2020 update to Windows 10](https://www.linkedin.com/learning/windows-10-october-2020-update-new-features-2/get-started-with-the-october-2020-update-to-windows-10)
        -[Learn Windows 10 with the October 2020 Update](https://www.linkedin.com/learning/windows-10-october-2020-update-essential-training/learn-windows-10-with-the-october-2020-update)
        -[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
        -[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
        -[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
        -[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
        -[Features and functionality removed in Windows 10](removed-features.md): Removed features.
        -[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
        diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md deleted file mode 100644 index 4f1f8db731..0000000000 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ /dev/null @@ -1,139 +0,0 @@ ---- -title: What's new in Windows 10, version 21H1 -description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update). -ms.prod: windows-client -author: mestew -ms.author: mstewart -manager: aaroncz -ms.localizationpriority: high -ms.topic: conceptual -ms.collection: - - highpri - - tier2 -ms.technology: itpro-fundamentals -ms.date: 12/31/2017 -appliesto: - - ✅ Windows 10, version 21H1 ---- - -# What's new in Windows 10, version 21H1 for IT Pros - -This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 21H1, also known as the **Windows 10 May 2021 Update**. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 20H2. - -Windows 10, version 21H1 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H1-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), 21H1 is serviced for 18 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions. - - -For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2, have the ability to update quickly to version 21H1 via an enablement package. For more information, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736). - -## Servicing - -### Windows Update - -Starting with Windows 10, version 20H2 and including this release, Latest Cumulative Updates (LCUs) and Servicing Stack Updates (SSUs) have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see [Simplifying on-premises deployment of servicing stack updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039). - -Also see [What's next for Windows 10 updates](https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/). - -## Deployment - -### Windows Autopilot - -A new [resolved issues](/mem/autopilot/resolved-issues) article is available that includes several new fixes for Windows Autopilot deployment scenarios. - -A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). - -Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). - -For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). - -### Windows Assessment and Deployment Toolkit (ADK) - -There's no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). - -## Device management - -Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios: -- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report. - -## Security - -### Windows Defender Application Guard (WDAG) - -WDAG performance is improved with optimized document opening times: -- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. -- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle. -- The performance of Robocopy is improved when copying files over 400 MB in size. - -### Windows Hello - -Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. - -## Microsoft Edge - -The new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser is included with this release. For more information about what's new in Edge, see the [Microsoft Edge insider](https://www.microsoftedgeinsider.com/whats-new). - -## General fixes - -For more information on the general fixes, see the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/). - -This release includes the following enhancements and issues fixed: - -- a memory leak in Internet Explorer 11 that occurs when you use the Chinese language pack. -- COM+ callout policies that cause a deadlock in certain applications. -- an issue that prevents certain Win32 apps from opening as a different user when you use the runas -- unexpected screens during the Windows Out of Box Experience (OOBE). -- an issue that might cause a deadlock when a COM server delivers an event to multiple subscribers in parallel. -- an issue in Advanced display settings that shows the incorrect refresh rates available for high dynamic range (HDR) displays. -- an issue that might prevent certain CAD applications from opening if those applications rely on OpenGL. -- an issue that might cause video playback to flicker when rendering on certain low-latency capable monitors. -- an issue that sometimes prevents the input of strings into the Input Method Editor (IME). -- an issue that exhausts resources because Desktop Windows Manager (DWM) leaks handles and virtual memory in Remote Desktop sessions. -- a stop error that occurs at the start. -- an issue that might delay a Windows Hello for Business (WHfB) Certificate Trust deployment when you open the Settings-> Accounts-> Sign-in Options page. -- an issue that might prevent some keyboard keys from working, such as the home, Ctrl, or left arrow keys when you set the Japanese IME input mode to Kana. -- removed the history of previously used pictures from a user account profile. -- wrong language displayed on a console after you change the system locale. -- host process of Windows Remote Management (WinRM) can stop working when it formats messages from a PowerShell plugin. -- Windows Management Instrumentation (WMI) service caused a heap leak each time security settings are applied to WMI namespace permissions. -- screen rendering after opening games with certain hardware configurations. -- startup times for applications that have roaming settings when User Experience Virtualization (UE-V) is turned on. -- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, "KRB_GENERIC_ERROR", if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag. -- high memory and CPU utilization in Microsoft Defender for Endpoint. -- We enhanced data loss prevention and insider risk management solution functionalities in Microsoft 365 endpoints. -- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, "WDAG Report - Container: Error: 0x80070003, Ext error: 0x00000001". This issue occurs after installing the .NET update KB4565627. -- an issue that prevents wevtutil from parsing an XML file. -- failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes. -- We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode. -- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum isn't valid. -- the WinHTTP AutoProxy service doesn't comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically. -- We improved the ability of the WinHTTP Web Proxy Auto-Discovery Service to ignore invalid Web Proxy Auto-Discovery Protocol (WPAD) URLs that the Dynamic Host Configuration Protocol (DHCP) server returns. -- We displayed the proper Envelope media type as a selectable output paper type for Universal Print queues. -- We ended the display of a random paper size for a printer when it uses the Microsoft Internet Printing Protocol (IPP) Class Driver. -- We enabled Windows to retrieve updated printer capabilities to ensure that users have the proper set of selectable print options. -- We updated support for hole punch and stapling locations for print jobs with long edge first paper feed direction on certain printers. -- an issue that might cause the IKEEXT service to stop working intermittently. -- an issue that might prevent a Non-Volatile Memory Express (NVMe) device from entering the proper power state. -- an issue that might cause stop error 7E in sys on servers running the Network File System (NFS) service. -- an issue that prevents the User Profile Service from detecting a slow or a fast link reliably. -- an issue that causes contention for a metadata lock when using Work Folders. -- We added a new dfslogkey:
        - Keypath: **HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/dfslog**
        - The **RootShareAcquireSuccessEvent** field has the following possible values: - * Default value = 1; enables the log. - * Value other than 1; disables the log. - - If this key doesn't exist, it will be created automatically. - To take effect, any change to **dfslog/RootShareAcquireSuccessEvent** in the registry requires that you restart the DFSN service. -- We updated the Open Mobile Alliance (OMA) Device Management (DM) sync protocol by adding a check-in reason for requests from the client to the server. The check-in reason will allow the mobile device management (MDM) service to make better decisions about sync sessions. With this change, the OMA-DM service must negotiate a protocol version of 4.0 with the Windows OMA-DM client. -- We turned off token binding by default in Windows Internet (WinINet). -- an issue that might prevent the correct Furigana characters from appearing in apps that automatically allow the input of Furigana characters. You might need to enter the Furigana characters manually. This issue occurs when using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in these apps. - -## See Also - -[IT tools to support Windows 10, version 21H1](https://aka.ms/tools-for-21H1)
        -[Introducing the next feature update to Windows 10, version 21H1](https://blogs.windows.com/windowsexperience/2021/02/17/introducing-the-next-feature-update-to-windows-10-version-21h1/): Windows Experience Blog.
        -[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
        -[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
        -[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
        -[Announcing more ways we're making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
        -[Features and functionality removed in Windows 10](removed-features.md): Removed features.
        -[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
        diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index 56b194f450..f23820ffe8 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -2,7 +2,7 @@ title: What's new in Windows 10, version 21H2 for IT pros description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. manager: aaroncz -ms.prod: windows-client +ms.service: windows-client ms.author: mstewart author: mestew ms.localizationpriority: medium @@ -10,7 +10,7 @@ ms.topic: conceptual ms.collection: - highpri - tier2 -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 12/31/2017 appliesto: - ✅ Windows 10, version 21H2 diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md index 5c158152d8..3ec8fdc763 100644 --- a/windows/whats-new/whats-new-windows-10-version-22H2.md +++ b/windows/whats-new/whats-new-windows-10-version-22H2.md @@ -1,8 +1,8 @@ --- title: What's new in Windows 10, version 22H2 for IT pros description: Learn more about what's new in Windows 10, version 22H2, including how to get it. -ms.prod: windows-client -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.subservice: itpro-fundamentals ms.author: mstewart author: mestew manager: aaroncz diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md index b09c1ab588..d2308ff620 100644 --- a/windows/whats-new/whats-new-windows-11-version-22H2.md +++ b/windows/whats-new/whats-new-windows-11-version-22H2.md @@ -2,7 +2,7 @@ title: What's new in Windows 11, version 22H2 for IT pros description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. manager: aaroncz -ms.prod: windows-client +ms.service: windows-client ms.author: mstewart author: mestew ms.localizationpriority: medium @@ -10,7 +10,7 @@ ms.topic: conceptual ms.collection: - highpri - tier2 -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 08/11/2023 appliesto: - ✅ Windows 11, version 22H2 diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md index 7a178b1852..421552f353 100644 --- a/windows/whats-new/whats-new-windows-11-version-23h2.md +++ b/windows/whats-new/whats-new-windows-11-version-23h2.md @@ -2,7 +2,7 @@ title: What's new in Windows 11, version 23H2 for IT pros description: Learn more about what's new in Windows 11 version 23H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. manager: aaroncz -ms.prod: windows-client +ms.service: windows-client ms.author: mstewart author: mestew ms.localizationpriority: medium @@ -10,7 +10,7 @@ ms.topic: conceptual ms.collection: - highpri - tier2 -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 10/31/2023 appliesto: - ✅ Windows 11, version 23H2 diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md index 2bab9205d6..bceae6230c 100644 --- a/windows/whats-new/windows-11-overview.md +++ b/windows/whats-new/windows-11-overview.md @@ -1,28 +1,29 @@ --- title: Windows 11 overview for administrators -description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs. +description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, apps, the new desktop, and deploying and servicing PCs. manager: aaroncz author: mestew ms.author: mstewart -ms.prod: windows-client -ms.date: 09/20/2022 -ms.technology: itpro-fundamentals +ms.service: windows-client +ms.date: 01/31/2024 +ms.subservice: itpro-fundamentals ms.localizationpriority: medium ms.topic: overview ms.collection: - highpri - tier1 + - essentials-overview appliesto: - ✅ Windows 11 --- # Windows 11 overview -Windows 11 is the next client operating system, and includes features that organizations should know. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition. It's an update to what you know, and what you're familiar with. +Windows 11 is a client operating system and includes features that organizations should know about. Windows 11 is built on the same foundation as Windows 10. If you use Windows 10, then Windows 11 is a natural transition. It's an update to what you know, and what you're familiar with. -It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment. +Windows 11 offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment. -Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Intune. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices. +Your investments in updates and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Intune. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices. This article lists what's new, and some of the features & improvements. For more information on what's new for OEMs, see [What's new in manufacturing, customization, and design](/windows-hardware/get-started/what-s-new-in-windows). @@ -46,13 +47,13 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) - [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) -- The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more. +- The application security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more. For more information, see [Windows application security](/windows/security/apps). - **Windows Hello for Business** helps protect users and identities. It replaces passwords, and uses a PIN or biometric that stays locally on the device. Device manufacturers are including more secure hardware features, such as IR cameras and TPM chips. These features are used with Windows Hello for Business to help protect user identities on your organization devices. - As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Intune work together to remove passwords, create more secure policies, and help enforce compliance. + As an admin, going passwordless help secures user identities. The Windows OS, Microsoft Entra ID, and Intune work together to remove passwords, create more secure policies, and help enforce compliance. For more information, see: @@ -68,27 +69,20 @@ For more information on the security features you can configure, manage, and enf For more information, see [What is Windows 365 Enterprise?](/windows-365/overview). -- **Microsoft Teams** is included with the OS, and is automatically available on the taskbar. Users select the chat icon, sign in with their personal Microsoft account, and start a call: - - :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png" alt-text="On the Windows 11 taskbar, select the camera chat icon to start a Microsoft Teams call."::: - - This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Intune. For more information, see: +- **Microsoft 365 Apps** can be installed on Windows 11 clients using the device management tools you're already familiar with: - [What is Intune?](/mem/intune/fundamentals/what-is-intune) - [Add Microsoft 365 apps to Windows 10 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365) - - [Install Microsoft Teams using Microsoft Configuration Manager](/microsoftteams/msi-deployment) + - [What is Microsoft Configuration Manager?](/mem/configmgr/core/understand/introduction) + - [Deploy Microsoft 365 Apps with Microsoft Configuration Manager](/deployoffice/deploy-microsoft-365-apps-configuration-manager) - Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**. Admins can [create a policy that pins apps, or removes the default pinned apps from the Taskbar](/windows/configuration/customize-taskbar-windows-11). - -- **Power Automate for desktop** is included with the OS. Your users can create flows with this low-code app to help them with everyday tasks. For example, users can create flows that save a message to OneNote, notify a team when there's a new Forms response, get notified when a file is added to SharePoint, and more. +- **Power Automate for desktop** allows your users to create flows in a low-code app to help them with everyday tasks. For example, users can create flows that save a message to OneNote, notify a team when there's a new Forms response, get notified when a file is added to SharePoint, and more. For more information, see [Getting started with Power Automate in Windows 11](/power-automate/desktop-flows/getting-started-windows-11). - Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**. - ## Customize the desktop experience -- **Snap Layouts, Snap Groups**: When you open an app, hover your mouse over the minimize/maximize option. When you do, you can select a different layout for the app: +- **Snap Layouts, Snap Groups**: When you open an app, hover your mouse over the minimize or maximize option. When you do, you can select a different layout for the app: :::image type="content" source="./images/windows-11-whats-new/windows-11-snap-layouts.png" alt-text="In Windows 11, use the minimize or maximize button on an app to see the available snap layouts."::: @@ -98,7 +92,7 @@ For more information on the security features you can configure, manage, and enf Users can manage some snap features using the **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241). - You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu). + You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu). Starting in Windows 11, version 22H2, you can also activate snap layouts by dragging a window to the top of the screen. The feature is available for both mouse and touch. @@ -125,7 +119,9 @@ For more information on the security features you can configure, manage, and enf :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-widgets.png" alt-text="On the Windows 11 taskbar, select the widgets icon to open and see the available widgets."::: - You can enable/disable this feature using the `Computer Configuration\Administrative Templates\Windows Components\widgets` Group Policy. You can also deploy a customized Taskbar to devices in your organization. For more information, see [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11). + You can enable or disable this feature using the following policy: + - **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\widgets + - **MDM**: ./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/[AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests) For information on the end-user experience, see [Stay up to date with widgets](https://support.microsoft.com/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4). @@ -150,7 +146,7 @@ For more information on the security features you can configure, manage, and enf - [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48) - [Windows Subsystem for Android developer information](/windows/android/wsa) -- Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues. +- Your Windows 10 apps also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues. You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/overview-windows-apps). @@ -164,7 +160,7 @@ For more information on the security features you can configure, manage, and enf - **Windows Terminal app**: This app is included with the OS. On previous Windows versions, it's a separate download in the Microsoft Store. For more information, see [What is Windows Terminal?](/windows/terminal/). - This app combines Windows PowerShell, a command prompt, and Azure Cloud Shell all within the same terminal window. You don't need to open separate apps to use these command-line applications. It has tabs. And when you open a new tab, you can choose your command-line application: + This app combines Windows PowerShell, a command prompt, and Azure Cloud Shell all within the same terminal window. You don't need to open separate apps to use these command-line applications. It has tabs. When you open a new tab, you can choose your command-line application: :::image type="content" source="./images/windows-11-whats-new/windows-terminal-app.png" alt-text="On Windows 11, open the Windows Terminal app to use Windows PowerShell, the command prompt, or Azure Cloud Shell to run commands."::: @@ -177,7 +173,7 @@ For more information on the security features you can configure, manage, and enf - [Get updates for apps and games in Microsoft Store](https://support.microsoft.com/account-billing/get-updates-for-apps-and-games-in-microsoft-store-a1fe19c0-532d-ec47-7035-d1c5a1dd464f) - [How to open Microsoft Store on Windows](https://support.microsoft.com/account-billing/how-to-open-microsoft-store-on-windows-10-e080b85a-7c9e-46a7-8d8b-3e9a42e32de6) -- The **Microsoft Edge** browser is included with the OS, and is the default browser. Internet Explorer (IE) isn't available in Windows 11. In Microsoft Edge, you can use IE Mode if a website needs Internet Explorer. Open Microsoft Edge, and enter `edge://settings/defaultBrowser` in the URL. +- The **Microsoft Edge** browser is included with the OS. Internet Explorer (IE) isn't available in Windows 11. In Microsoft Edge, you can use IE Mode if a website needs Internet Explorer. Open Microsoft Edge, and enter `edge://settings/defaultBrowser` in the URL. To save system resources, Microsoft Edge uses sleeping tabs. Users can configure these settings, and more, in `edge://settings/system`. @@ -185,13 +181,13 @@ For more information on the security features you can configure, manage, and enf ## Deployment and servicing -- **Install Windows 11**: The same methods you use to install Windows 10 can also be used to install Windows 11. For example, you can deploy Windows to your devices using Windows Autopilot, Microsoft Deployment Toolkit (MDT), Configuration Manager, and more. Windows 11 will be delivered as an upgrade to eligible devices running Windows 10. +- **Install Windows 11**: The same methods you use to install Windows 10 can also be used to install Windows 11. For example, you can deploy Windows to your devices using Windows Autopilot, Configuration Manager, and other methods. Windows 11 is delivered as an upgrade to eligible devices running Windows 10. For more information on getting started, see [Windows client deployment resources and documentation](/windows/deployment/) and [Plan for Windows 11](windows-11-plan.md). For more information on the end-user experience, see [Ways to install Windows 11](https://support.microsoft.com/windows/e0edbbfb-cfc5-4011-868b-2ce77ac7c70e). -- **Windows Autopilot**: If you're purchasing new devices, you can use Windows Autopilot to set up and pre-configure the devices. When users get the device, they sign in with their organization account (`user@contoso.com`). In the background, Autopilot gets them ready for use, and deploys any apps or policies you set. You can also use Windows Autopilot to reset, repurpose, and recover devices. Autopilot offers zero touch deployment for admins. +- **Windows Autopilot**: If you're purchasing new devices, you can use Windows Autopilot to set up and preconfigure the devices. When users get the device, they sign in with their organization account (`user@contoso.com`). In the background, Autopilot gets them ready for use, and deploys any apps or policies you set. You can also use Windows Autopilot to reset, repurpose, and recover devices. Autopilot offers zero touch deployment for admins. If you have a global or remote workforce, then Autopilot might be the right option to install the OS, and get it ready for use. For more information, see [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot). @@ -201,7 +197,7 @@ For more information on the security features you can configure, manage, and enf - **Windows Updates and Delivery optimization** helps manage updates, and manage features on your devices. Starting with Windows 11, the OS feature updates are installed annually. For more information on servicing channels, and what they are, see [Servicing channels](/windows/deployment/update/waas-overview#servicing-channels). - Like Windows 10, Windows 11 will receive monthly quality updates. + Like Windows 10, Windows 11 receives monthly quality updates. You have options to install updates on your Windows devices, including Intune, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates). @@ -216,7 +212,7 @@ For more information on the security features you can configure, manage, and enf ## Education and apps -Windows 11 SE is a new edition of Windows that's designed for education. It runs on low-cost devices, and runs essential apps, including Microsoft 365. For more information, see [Windows 11 SE for Education](/education/windows/windows-11-se-overview). +Windows 11 SE is a new edition of Windows designed for education. It runs on low-cost devices, and runs essential apps, including Microsoft 365. For more information, see [Windows 11 SE for Education](/education/windows/windows-11-se-overview). ## Next steps diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index fa33976e89..39330b182a 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -1,7 +1,7 @@ --- title: Plan for Windows 11 description: Windows 11 deployment planning, IT Pro content. -ms.prod: windows-client +ms.service: windows-client author: mestew ms.author: mstewart manager: aaroncz @@ -10,7 +10,7 @@ ms.topic: conceptual ms.collection: - highpri - tier1 -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 08/11/2023 appliesto: - ✅ Windows 11 diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index fb11714e70..e5852e8ce3 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -1,7 +1,7 @@ --- title: Prepare for Windows 11 description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content. -ms.prod: windows-client +ms.service: windows-client author: mestew ms.author: mstewart manager: aaroncz @@ -10,7 +10,7 @@ ms.topic: conceptual ms.collection: - highpri - tier1 -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 12/31/2017 appliesto: - ✅ Windows 11 diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index f596c4e962..ececec3d96 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -4,13 +4,13 @@ description: Hardware requirements to deploy Windows 11. manager: aaroncz author: mestew ms.author: mstewart -ms.prod: windows-client +ms.service: windows-client ms.localizationpriority: medium ms.topic: conceptual ms.collection: - highpri - tier1 -ms.technology: itpro-fundamentals +ms.subservice: itpro-fundamentals ms.date: 02/13/2023 appliesto: - ✅ Windows 11 diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md index d6f384c4f5..d4ac767421 100644 --- a/windows/whats-new/windows-licensing.md +++ b/windows/whats-new/windows-licensing.md @@ -1,7 +1,7 @@ --- title: Windows commercial licensing overview description: Learn about products and use rights available through Windows commercial licensing. -ms.prod: windows-client +ms.subservice: itpro-security author: paolomatarazzo ms.author: paoloma manager: aaroncz @@ -11,7 +11,7 @@ ms.topic: overview ms.date: 05/04/2023 appliesto: - ✅ Windows 11 -ms.technology: itpro-security +ms.service: windows-client --- # Windows Commercial Licensing overview