From 25da8c447f81b6a397eff89b336c46435744d480 Mon Sep 17 00:00:00 2001 From: Sriraman M S <45987684+msbemba@users.noreply.github.com> Date: Tue, 8 Nov 2022 22:29:24 +0530 Subject: [PATCH 01/37] Update wds-boot-support.md Updated the document to represent OS deployed vs boot image version as per the table Per issue#https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10973 --- windows/deployment/wds-boot-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index dfab934f9d..8685f727fd 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -26,7 +26,7 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install ## Deployment scenarios affected -The table below provides support details for specific deployment scenarios (Boot Image Version). +The table below provides support details for specific deployment scenarios (The table represents OS Deployed (vertical) and Boot Image Version(Horizontal) ). ||Windows 10|Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows 11| |--- |--- |--- |--- |--- |--- | From 89be3fd385c05e2662114425f7450d618bd2c771 Mon Sep 17 00:00:00 2001 From: Sriraman M S <45987684+msbemba@users.noreply.github.com> Date: Wed, 9 Nov 2022 11:19:44 +0530 Subject: [PATCH 02/37] Update windows/deployment/wds-boot-support.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/wds-boot-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 8685f727fd..55b2a11be1 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md 
@@ -26,7 +26,7 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install ## Deployment scenarios affected -The table below provides support details for specific deployment scenarios (The table represents OS Deployed (vertical) and Boot Image Version(Horizontal) ). +The table below provides support details for specific deployment scenarios. The table represents OS Deployed (vertical) and Boot Image Version (horizontal). ||Windows 10|Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows 11| |--- |--- |--- |--- |--- |--- | From 232b954a954a867348a388d045384059564ff4d6 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Tue, 22 Nov 2022 12:28:21 -0800 Subject: [PATCH 03/37] Added 22H2 Known Issues Section Bulk of 22H2 update, added a unified 22H2 SSO breakage section to the "Known Issues" page, which can be linked to by other comms. --- .../credential-guard-known-issues.md | 115 +++++++++++++----- 1 file changed, 84 insertions(+), 31 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 2c5fe11327..517b038409 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -5,7 +5,7 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: erikdau +ms.reviewer: zwhittington manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article 
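Review bot: the revised sentence in the wds-boot-support.md hunk (@@ -26,7) now tells the reader that rows are the OS deployed and columns are the boot image version, but the table's first header cell on the following line is still empty (`||Windows 10|Windows Server 2016|...`), so the table itself gives no hint which axis is which. Suggest putting the axis labels into that cell, e.g. `|OS deployed \ Boot image version|Windows 10|...`, and using lower-case `OS deployed` and `boot image version` in the sentence, since neither is a proper noun.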
@@ -22,45 +22,56 @@ ms.technology: itpro-security Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements). -The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4): +## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2** -- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: +### Affected devices: +Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements). + +\* All Pro devices which previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements), will receive default enablement. - ```console - Task Scheduler failed to log on '\Test'. - Failure occurred in 'LogonUserExEx'. - User Action: Ensure the credentials for the task are correctly specified. - Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect). 
- ``` +> [!TIP] +> To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading: +> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage#disable-windows-defender-credential-guard). -- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example: +### Symptoms of the issue: +Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to login and will be forced to manually re-authenticate in every new Windows session. - ```console - Log Name: Microsoft-Windows-NTLM/Operational - Source: Microsoft-Windows-Security-Netlogon - Event ID: 8004 - Task Category: Auditing NTLM - Level: Information - Description: - Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. - Secure Channel name: - User name: - @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA - Domain name: NULL - ``` +### Why this is happening: +Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. 
Affected procols include: + - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) + - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) + - WDigest (only SSO is blocked) + - NTLM v1 (only SSO is blocked) + - MS-CHAP (only SSO is blocked) - - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled. - - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute. - - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. +### Options to fix the issue: -The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: +Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication. -- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722) +For a more immediate but less secure fix, simply [disable Windows Defender Credential Guard](credential-guard-manage#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. 
Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. - This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles: +> [!TIP] +> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage#disabling-windows-defender-credential-guard-using-group-policy) before installing the Windows 11, version 22H2 update. If the GPO value is not configured (it typically is not configured by default), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. - - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657) - - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6) +> [!NOTE] +> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs for the following warning and/or error: + > + > **Event ID 4013** (Warning) + > ``` + > id="NTLMv1BlockedByCredGuard" + > value="Attempt to use NTLMv1 failed. + > Target server: %1%nSupplied user: %2%nSupplied domain: %3%nPID of client process: %4%nName of client process: %5%nLUID of client process: %6%nUser identity of client process: %7%nDomain name of user identity of client process: %8%nMechanism OID: %9%n%nThis device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826." 
+ > /> + > ``` + > + > **Event ID 4014** (Error) + > ``` + > id="NTLMGetCredentialKeyBlockedByCredGuard" + > value="Attempt to get credential key by call package blocked by Credential Guard.%n%nCalling Process Name: %1%nService Host Tag: %2" + > /> + > ``` ## Known issues involving third-party applications 
@@ -112,3 +123,45 @@ Windows Defender Credential Guard isn't supported by the following products, pro This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. + +## Previous known issues that have been fixed + +The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4): + +- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: + + ```console + Task Scheduler failed to log on '\Test'. + Failure occurred in 'LogonUserExEx'. + User Action: Ensure the credentials for the task are correctly specified. + Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect). + ``` + +- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example: + + ```console + Log Name: Microsoft-Windows-NTLM/Operational + Source: Microsoft-Windows-Security-Netlogon + Event ID: 8004 + Task Category: Auditing NTLM + Level: Information + Description: + Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. 
+ Secure Channel name: + User name: + @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA + Domain name: NULL + ``` + + - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled. + - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute. + - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. + +The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: + +- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722) + + This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles: + + - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657) + - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6) From d2d667cda31534c2d4d1645eaa2efe1aa3aa027b Mon Sep 17 00:00:00 2001 
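Review bot: in the @@ -22,45 hunk, the relative links `(credential-guard-manage#disable-windows-defender-credential-guard)` and `(credential-guard-manage#disabling-windows-defender-credential-guard-using-group-policy)` drop the `.md` extension that the other links in this file carry (`credential-guard-requirements.md#application-requirements` in the context line above), so they will not resolve in the docs build; use `credential-guard-manage.md#...`. Same hunk: `Affected procols include:` should read `Affected protocols include:`; `unable to use SSO to login` should be `to log in`; the new `### Affected devices:` style headings end with colons, which the existing `## Known issues involving third-party applications` heading does not; and the Event ID 4013/4014 blocks quote manifest fragments (`id="..."`, `value="... %1%n ..."`, a dangling `/>`) rather than the text a reader will see in Event Viewer, so either show the message as it is logged or say explicitly that these are the message-template strings with `%1`/`%n` placeholders.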
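Review bot: the block moved into the new `Previous known issues that have been fixed` section in the @@ -112,3 hunk keeps the markdown escapes `ERROR\_LOGON\_FAILURE` inside a ```console fence, where backslashes are rendered literally; since the text is being relocated anyway, change it to `ERROR_LOGON_FAILURE`. The relocated lines otherwise match what the @@ -22,45 hunk removed, so nothing was lost in the move.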
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 28 Nov 2022 14:38:19 -0500 Subject: [PATCH 04/37] Update windows/security/identity-protection/credential-guard/credential-guard-known-issues.md Co-authored-by: mapalko <20977663+mapalko@users.noreply.github.com> --- .../credential-guard/credential-guard-known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 517b038409..962ea3db39 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
@@ -51,7 +51,7 @@ Microsoft recommends that organizations move away from MSCHAPv2-based connection For a more immediate but less secure fix, simply [disable Windows Defender Credential Guard](credential-guard-manage#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. > [!TIP] -> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage#disabling-windows-defender-credential-guard-using-group-policy) before installing the Windows 11, version 22H2 update. If the GPO value is not configured (it typically is not configured by default), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. +> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (it typically is not configured by default), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. > [!NOTE] > MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs for the following warning and/or error: 
From 2e513a20104d0a12af300f252d1b92981d5dc879 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 28 Nov 2022 14:39:56 -0500 Subject: [PATCH 05/37] Update credential-guard-known-issues.md --- .../credential-guard/credential-guard-known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 962ea3db39..d863d5b342 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -9,7 +9,7 @@ ms.reviewer: zwhittington manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article -ms.date: 01/26/2022 +ms.date: 11/28/2022 appliesto: - ✅ Windows 10 - ✅ Windows 11 From 7a5ef481ae0e7789c43b13c032ecd9ba8cca30a6 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 16:35:21 -0800 Subject: [PATCH 06/37] Addressed a few draft comments - Moved "symptoms" above "affected devices" - Added "when CG is running" explicitly to end of "symptoms" section - Added security reasoning to "Why this is happening" section - Explicitly specified that supplied credentials are allowed for MSCHAP, NTLMv1 and WDigest - Added note about MDM management alongside GP management --- .../credential-guard-known-issues.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index d863d5b342..7d7195e1e0 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -24,6 +24,9 @@ Windows Defender Credential Guard has certain application requirements. Windows ## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2** +### Symptoms of the issue: +Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to login and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running. + ### Affected devices: Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements). 
@@ -33,16 +36,15 @@ Any device that enables Windows Defender Credential Guard may encounter this iss > To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading: > Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage#disable-windows-defender-credential-guard). -### Symptoms of the issue: -Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to login and will be forced to manually re-authenticate in every new Windows session. - ### Why this is happening: -Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. Affected procols include: +Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. These protocols are considered insecure because they can lead to password disclosure on the client and the server, which is in direct contradiction to the goals of Windows Defender Credential Guard. 
Affected procols include: - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) - - WDigest (only SSO is blocked) - - NTLM v1 (only SSO is blocked) - MS-CHAP (only SSO is blocked) + - WDigest (only SSO is blocked) + - NTLM v1 (only SSO is blocked) + +Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials. ### Options to fix the issue: 
@@ -51,7 +53,7 @@ Microsoft recommends that organizations move away from MSCHAPv2-based connection For a more immediate but less secure fix, simply [disable Windows Defender Credential Guard](credential-guard-manage#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. > [!TIP] -> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (it typically is not configured by default), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. +> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (it typically is not configured by default), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM. > [!NOTE] > MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. 
To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs for the following warning and/or error: From 4ccee6c3cb1f4189af1d56b1ae226e3ef4765221 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:00:01 -0800 Subject: [PATCH 07/37] Fixed links and updated NTLM event - Fixed the broken credential-guard-manage.md links - Moved the Event Viewer events and added the event path --- .../credential-guard-known-issues.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 7d7195e1e0..68d5b6cc09 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
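Review bot: the @@ -33,16 hunk rewrites the `Why this is happening` paragraph but carries the typo forward: the added line still ends `Affected procols include:`. Change it to `Affected protocols include:` while the line is being touched, otherwise it survives the reorder and remains as a context line in later patches.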
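Review bot: in the @@ -51,7 hunk, the new sentence says disablement "can also be done via Mobile Device Management (MDM) policy", but unlike the Group Policy path in the same line (linked to `#disabling-windows-defender-credential-guard-using-group-policy`) it gives no link to the MDM procedure; link the corresponding MDM section of credential-guard-manage.md so a reader managing devices by MDM is not left to search for it.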
@@ -34,7 +34,7 @@ Any device that enables Windows Defender Credential Guard may encounter this iss > [!TIP] > To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading: -> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage#disable-windows-defender-credential-guard). +> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage.md#disable-windows-defender-credential-guard). ### Why this is happening: Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. These protocols are considered insecure because they can lead to password disclosure on the client and the server, which is in direct contradiction to the goals of Windows Defender Credential Guard. Affected procols include: 
@@ -44,19 +44,10 @@ Applications and services are affected by this issue when they rely on insecure - WDigest (only SSO is blocked) - NTLM v1 (only SSO is blocked) -Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials. - -### Options to fix the issue: - -Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication. - -For a more immediate but less secure fix, simply [disable Windows Defender Credential Guard](credential-guard-manage#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. - -> [!TIP] -> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (it typically is not configured by default), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM. 
+Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials. > [!NOTE] -> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs for the following warning and/or error: +> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs in Event Viewer at `Application and Services Logs\Microsoft\Windows\NTLM\Operational` for the following warning and/or error: > > **Event ID 4013** (Warning) > ``` 
@@ -75,6 +66,15 @@ For a more immediate but less secure fix, simply [disable Windows Defender Crede > /> > ``` +### Options to fix the issue: + +Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication. + +For a more immediate but less secure fix, simply [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. + +> [!TIP] +> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (it typically is not configured by default), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM. + ## Known issues involving third-party applications The following issue affects MSCHAPv2: From ff9f6bcff0512074e781ab8c53d3270a497b7a6e Mon Sep 17 00:00:00 2001 
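Review bot: the Event Viewer path added in the @@ -44,19 hunk, `Application and Services Logs\Microsoft\Windows\NTLM\Operational`, misspells the tree's top node; Event Viewer labels it `Applications and Services Logs`. It would also help to give the channel name that the event 8004 sample elsewhere in this file already shows (`Log Name: Microsoft-Windows-NTLM/Operational`), since that is what `wevtutil` and `Get-WinEvent -LogName` accept, not the tree path.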
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:17:09 -0800 Subject: [PATCH 08/37] Updated CredGuard root - Added default enablement announcement and link - Added link to Known Issues - Changed article author --- .../identity-protection/credential-guard/credential-guard.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 950eb3a95c..aa1ffc29b1 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -5,7 +5,7 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: erikdau +ms.reviewer: zwhittington manager: aaroncz ms.collection: - M365-identity-device-management 
@@ -31,6 +31,9 @@ By enabling Windows Defender Credential Guard, the following features and soluti - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. - **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures. +> [!NOTE] +> As of Windows 11, version 22H2, Windows Defender Credential Guard has been enabled by default on all devices which meet the minimum requirements as specified in the [Default Enablement](credential-guard-manage.md#default-enablement) section. For information about known issues related to default enablement, see [Credential Guard: Known Issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). +   ## Related topics From 3b01ef45ad357a74a5c5a78254473186112074e6 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:21:02 -0800 Subject: [PATCH 09/37] Added link to Known Issues --- .../credential-guard/credential-guard-manage.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
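Review bot: the added NOTE says Credential Guard "has been enabled by default on all devices which meet the minimum requirements", but the Default Enablement section it links to (see the credential-guard-manage.md hunk in PATCH 09) scopes this to Windows 11 Enterprise, version 22H2 and Windows 11 Education, version 22H2; say "eligible devices" or name the editions so the note doesn't over-promise. Also "devices which meet" should be "devices that meet" for the restrictive clause.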
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 33cab5403d..f7d645071d 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -26,7 +26,9 @@ ms.technology: itpro-security ## Default Enablement -Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. +Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. + +Known issues arising from default enablement are documented in [Windows Defender Credential Guard: Known issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). ### Requirements for automatic enablement From 7fe332cd9148e4206147aa2e3a37dfe793a80b1d Mon Sep 17 00:00:00 2001 
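Review bot: the `-`/`+` pair for the first paragraph is textually identical, so it is a whitespace-only or line-ending change that adds diff noise; drop it so the hunk contains only the new cross-reference. The new link text `Windows Defender Credential Guard: Known issues` also differs from the `Credential Guard: Known Issues` used for the same target in PATCH 08; pick one form for both.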
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:22:09 -0800 Subject: [PATCH 10/37] Updated feature owner --- .../credential-guard/credential-guard-scripts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 8b39b99573..11caa36d86 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -5,7 +5,7 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: erikdau +ms.reviewer: zwhittington manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article From a2c8a6d9426a267b9487daf128614b05b6144686 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:23:25 -0800 Subject: [PATCH 11/37] Updated feature owner --- .../credential-guard/credential-guard-protection-limits.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md index 6444af7ea5..ef9f6a2bce 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md @@ -5,7 +5,7 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: erikdau +ms.reviewer: zwhittington manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article From d188996f9d0b74e2f86ee853d55088674bf9f34a Mon Sep 17 00:00:00 2001 
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:24:05 -0800 Subject: [PATCH 12/37] Updated feature owner --- .../credential-guard-not-protected-scenarios.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 5ff4d5dadc..0f780be28b 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -4,7 +4,7 @@ description: Scenarios not protected by Windows Defender Credential Guard in Win ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo -ms.author: paoloma +ms.author: zwhittington ms.reviewer: erikdau manager: aaroncz ms.collection: M365-identity-device-management @@ -644,4 +644,4 @@ write-host $tmp -Foreground Red **Deep Dive into Windows Defender Credential Guard: Related videos** -[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) \ No newline at end of file +[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) From b0908439e5864151bd969c2d9765636a28bb3026 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:25:03 -0800 Subject: [PATCH 13/37] Fixed mistake updating feature owner --- .../credential-guard-not-protected-scenarios.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
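Review bot: the first hunk changes `ms.author` to `zwhittington` while leaving `ms.reviewer: erikdau`, unlike every other patch in this series, which updates `ms.reviewer`; PATCH 13 immediately reverts it, so the two should be squashed into a single metadata change to keep the history clean. The second hunk only adds the missing newline at end of file, which is fine.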
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 0f780be28b..51ecf3c661 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -4,8 +4,8 @@ description: Scenarios not protected by Windows Defender Credential Guard in Win ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo -ms.author: zwhittington -ms.reviewer: erikdau +ms.author: paoloma +ms.reviewer: zwhittington manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article From 9da8123b5eceda801b7ff8aeedd3cde304d4be07 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:25:44 -0800 Subject: [PATCH 14/37] Updated feature owner --- .../credential-guard/credential-guard-how-it-works.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 55fe9628bb..48360ee775 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md @@ -5,7 +5,7 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: erikdau +ms.reviewer: zwhittington manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article From 322dc1ed748302397ed21975237792565926501a Mon Sep 17 00:00:00 2001 
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:26:32 -0800 Subject: [PATCH 15/37] Updated feature owner --- .../credential-guard/credential-guard-considerations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 69d69300a1..b041c61076 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -5,7 +5,7 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: erikdau +ms.reviewer: zwhittington manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article @@ -97,4 +97,4 @@ When data protected with user DPAPI is unusable, then the user loses access to a **Related videos** -[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security) \ No newline at end of file +[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security) From ca0405658bd8c35c244506381b0a78b1d9edb2a7 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Wed, 30 Nov 2022 17:27:29 -0800 Subject: [PATCH 16/37] Updated feature owner --- .../credential-guard/additional-mitigations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 92b3296a71..3fd8405edf 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -5,7 +5,7 @@ ms.prod: windows-client ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: erikdau +ms.reviewer: zwhittington manager: aaroncz ms.collection: M365-identity-device-management ms.topic: article @@ -607,4 +607,4 @@ write-host $tmp -Foreground Red ``` > [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. \ No newline at end of file +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. From 5889bd53a9ecfa5bff87c467f3b64553b1afcbc3 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 1 Dec 2022 14:08:00 -0800 Subject: [PATCH 17/37] Update to Device configuration policy. MDM Wins Over GP. --- .../references/windows-autopatch-changes-to-tenant.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index f14ae95741..d21cecbbe8 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 11/02/2022 +ms.date: 12/01/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference 
@@ -60,7 +60,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

Assigned to:

  • Modern Workplace Devices-Windows Autopatch-Test
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace Devices-Windows Autopatch-Fast
  • Modern Workplace Devices-Windows Autopatch-Broad
| | | +| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

Assigned to:

  • Modern Workplace Devices-Windows Autopatch-Test
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace Devices-Windows Autopatch-Fast
  • Modern Workplace Devices-Windows Autopatch-Broad
| [MDM Wins Over GP ](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked | | Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

Assigned to:

  • Modern Workplace Devices-Windows Autopatch-Test
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace Devices-Windows Autopatch-Fast
  • Modern Workplace Devices-Windows Autopatch-Broad
|
  • [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
  • [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
  • [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
  • [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
|
  • Full
  • 1
  • 1
  • 1
  • | | Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | From 8e1c778f6fe149153232faadf079f539358794d7 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 1 Dec 2022 14:12:48 -0800 Subject: [PATCH 18/37] Tweak. --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index d21cecbbe8..cd7796eee2 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -60,7 +60,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    | [MDM Wins Over GP ](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked | +| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    |
  • [MDM Wins Over GP ](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP)
  • |
  • The MDM policy is used and the GP policy is blocked
  • | | Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    |
    • [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
    • [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
    • [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
    • [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
    |
    • Full
    • 1
    • 1
    • 1
    • | | Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | From 715438cf28ed11e1af7b3ac5cfd77c8452950514 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Thu, 1 Dec 2022 15:54:03 -0800 Subject: [PATCH 19/37] Some minor wording fixes --- .../credential-guard/credential-guard-known-issues.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 68d5b6cc09..7c0013e9a3 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
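Review bot: in the reworked row the Properties and Value cells each end with a lone bullet before the closing `|` (the `• |` lines), which renders as an empty bullet at the bottom of the cell; drop the trailing bullet marker. The link text `[MDM Wins Over GP ]` still has a trailing space inside the brackets (carried over from PATCH 17), which shows up as an underlined space in the rendered link; remove it. Wrapping a single property and a single value in bullet lists is also inconsistent with the other one-item rows in this table, so consider keeping them as plain cell text.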
@@ -70,10 +70,10 @@ Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication. -For a more immediate but less secure fix, simply [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. +For a more immediate but less secure fix, [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. > [!TIP] -> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. 
If the GPO value is not configured (it typically is not configured by default), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM. +> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (which is the default state), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM. ## Known issues involving third-party applications From fccda84df85f93b16648f7a32974fc31446c47cb Mon Sep 17 00:00:00 2001 From: rekhanr <40372231+rekhanr@users.noreply.github.com> Date: Thu, 1 Dec 2022 16:18:56 -0800 Subject: [PATCH 20/37] Update windows-autopatch-changes-to-tenant.md @tiaraquan made changes to the Office and Edge sections too. This needs better formatting though --- .../windows-autopatch-changes-to-tenant.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index f14ae95741..dca65d2e74 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md 
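Review bot: in the `+` TIP line, "If the GPO value is set to "disabled", it will not be enabled after updating" has an ambiguous "it" after a sentence whose subject is the GPO value; say "Windows Defender Credential Guard will not be enabled after updating". The quoted `"disabled"` would be clearer as **Disabled**, the name of the state in the Group Policy editor, and the change from "it typically is not configured by default" to "which is the default state" is a good simplification.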
@@ -96,7 +96,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to ## Microsoft Office update policies -- Windows Autopatch - Office Configuration v5 +- Windows Autopatch - Office Configuration - Windows Autopatch - Office Update Configuration [Test] - Windows Autopatch - Office Update Configuration [First] - Windows Autopatch - Office Update Configuration [Fast] @@ -104,11 +104,11 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      | | | -| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      |
      • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
      • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
      |
    • Enabled; L_UpdateDeadlineID == 7
    • Enabled; L_DeferUpdateDaysID == 0
    • | -| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-First
      |
      • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
      • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
      |
    • Enabled; L_UpdateDeadlineID == 7
    • Enabled; L_DeferUpdateDaysID == 0
    • | -| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Fast
      |
      • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
      • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
      |
    • Enabled; L_UpdateDeadlineID == 7
    • Enabled; L_DeferUpdateDaysID == 3
    • | -| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
      Assigned to:
      • Modern Workplace Devices-Windows Autopatch-Broad
      • |
        • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
        • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
        |
      • Enabled; L_UpdateDeadlineID == 7
      • Enabled; L_DeferUpdateDaysID == 7
      • | +| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        • Modern Workplace Devices-Windows Autopatch-First
        • Modern Workplace Devices-Windows Autopatch-Fast
        • Modern Workplace Devices-Windows Autopatch-Broad
        |
        • Enable Automatic Updates
        • Hide option to enable or disable updates
        • Update Channel
        • Channel Name (Device)
        • Hide Update Notifications
        • Update Path
        |
        • Enabled
        • Enabled
        • Enabled
        • Monthly Enterprise Channel
        • Enabled
        | +| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        |
        • Delay downloading and installing updates for Office
        • Update Deadline
        |
      • Enabled;Days(Device) == 0 days
      • Enabled;Update Deadline(Device) == 7 days
      • | +| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-First
        |
        • Delay downloading and installing updates for Office
        • Update Deadline
        |
      • Enabled;Days(Device) == 0 days
      • Enabled;Update Deadline(Device) == 7 days
      • | +| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Fast
        |
        • Delay downloading and installing updates for Office
        • Update Deadline
        |
      • Enabled;Days(Device) == 3 days
      • Enabled;Update Deadline(Device) == 7 days
      • | +| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
        Assigned to:
        • Modern Workplace Devices-Windows Autopatch-Broad
        • |
          • Delay downloading and installing updates for Office
          • Update Deadline
          |
        • Enabled;Days(Device) == 7 days
        • Enabled;Update Deadline(Device) == 7 days
        • | ## Microsoft Edge update policies @@ -117,8 +117,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-First
          • Modern Workplace Devices-Windows Autopatch-Fast
          • Modern Workplace Devices-Windows Autopatch-Broad
          | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | -| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Test
          | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | +| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-First
          • Modern Workplace Devices-Windows Autopatch-Fast
            • Modern Workplace Devices-Windows Autopatch-Broad
            |
            • Target Channel Override
            • Target Channel (Device)
            |
            • Enabled
            • Stable
            | +| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Test
            |
            • Target Channel Override
            • Target Channel (Device)
            |
            • Enabled
            • Beta
            | ## PowerShell scripts From 02b5908ec3d8bdb69a44088ed0b091bc94b34edd Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:25:21 -0800 Subject: [PATCH 21/37] Update windows-autopatch-changes-to-tenant.md Formatting. --- .../windows-autopatch-changes-to-tenant.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index dca65d2e74..2338ae3d7e 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -104,11 +104,11 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Test
            • Modern Workplace Devices-Windows Autopatch-First
            • Modern Workplace Devices-Windows Autopatch-Fast
            • Modern Workplace Devices-Windows Autopatch-Broad
            |
            • Enable Automatic Updates
            • Hide option to enable or disable updates
            • Update Channel
            • Channel Name (Device)
            • Hide Update Notifications
            • Update Path
            |
            • Enabled
            • Enabled
            • Enabled
            • Monthly Enterprise Channel
            • Enabled
            | -| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Test
            |
            • Delay downloading and installing updates for Office
            • Update Deadline
            |
          • Enabled;Days(Device) == 0 days
          • Enabled;Update Deadline(Device) == 7 days
          • | -| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-First
            |
            • Delay downloading and installing updates for Office
            • Update Deadline
            |
          • Enabled;Days(Device) == 0 days
          • Enabled;Update Deadline(Device) == 7 days
          • | -| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Fast
            |
            • Delay downloading and installing updates for Office
            • Update Deadline
            |
          • Enabled;Days(Device) == 3 days
          • Enabled;Update Deadline(Device) == 7 days
          • | -| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
            Assigned to:
            • Modern Workplace Devices-Windows Autopatch-Broad
            • |
              • Delay downloading and installing updates for Office
              • Update Deadline
              |
            • Enabled;Days(Device) == 7 days
            • Enabled;Update Deadline(Device) == 7 days
            • | +| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-Test
              2. Modern Workplace Devices-Windows Autopatch-First
              3. Modern Workplace Devices-Windows Autopatch-Fast
              4. Modern Workplace Devices-Windows Autopatch-Broad
              |
              1. Enable Automatic Updates
              2. Hide option to enable or disable updates
              3. Update Channel
              4. Channel Name (Device)
              5. Hide Update Notifications
              6. Update Path
              |
              1. Enabled
              2. Enabled
              3. Enabled
              4. Monthly Enterprise Channel
              5. Enabled
              | +| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-Test
              |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
            • Enabled;Days(Device) == 0 days
            • Enabled;Update Deadline(Device) == 7 days
            • | +| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-First
              |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
            • Enabled;Days(Device) == 0 days
            • Enabled;Update Deadline(Device) == 7 days
            • | +| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-Fast
              |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
            • Enabled;Days(Device) == 3 days
            • Enabled;Update Deadline(Device) == 7 days
            • | +| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
              Assigned to:
              1. Modern Workplace Devices-Windows Autopatch-Broad
              2. |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
              3. Enabled;Days(Device) == 7 days
              4. Enabled;Update Deadline(Device) == 7 days
              5. | ## Microsoft Edge update policies @@ -117,8 +117,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-First
                • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  |
                  • Target Channel Override
                  • Target Channel (Device)
                  |
                  • Enabled
                  • Stable
                  | -| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  |
                  • Target Channel Override
                  • Target Channel (Device)
                  |
                  • Enabled
                  • Beta
                  | +| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-First
                  2. Modern Workplace Devices-Windows Autopatch-Fast
                    1. Modern Workplace Devices-Windows Autopatch-Broad
                    |
                    1. Target Channel Override
                    2. Target Channel (Device)
                    |
                    1. Enabled
                    2. Stable
                    | +| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                    Assigned to:

                    1. Modern Workplace Devices-Windows Autopatch-Test
                    |
                    1. Target Channel Override
                    2. Target Channel (Device)
                    |
                    1. Enabled
                    2. Beta
                    | ## PowerShell scripts From 9c8a7de26b1ed49ab701d27721f5f260d918f00b Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:38:10 -0800 Subject: [PATCH 22/37] Update windows-autopatch-changes-to-tenant.md Tweaks. --- .../references/windows-autopatch-changes-to-tenant.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 2338ae3d7e..174b01998c 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -104,11 +104,11 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.
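Review bot: in the first hunk (`@@ -104,11 +104,11 @@`) the new `Windows Autopatch - Office Configuration` row lists six properties (`1. Enable Automatic Updates` through `6. Update Path`) but only five values (`1. Enabled` through `5. Enabled`), so a reader cannot tell whether the fifth value belongs to `Hide Update Notifications` or to `Update Path`; add the missing sixth value so the two columns line up. In the same hunk the `[Broad]` row's numbering runs into the cell separators (`2. |` and `5. |`) and it lacks the blank lines around `Assigned to:` that the other rows have, and the `[Test]`, `[First]` and `[Fast]` rows keep `•` bullets in the Value column while their Properties column was switched to `1.`/`2.`, so the numbered-to-bulleted mapping between the two columns is lost.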
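Review bot: in the second hunk (`@@ -117,8 +117,8 @@`) the Stable row's `Assigned to:` list restarts and indents its third entry (`1. Modern Workplace Devices-Windows Autopatch-First`, `2. ...-Fast`, then an indented `1. ...-Broad`), so Broad renders as a nested sub-item of Fast rather than as the third deployment ring that receives the Stable channel; number it `3.` at the same indent as the first two. The extra indent then carries into the `Target Channel Override` / `Target Channel (Device)` and `Enabled` / `Stable` lists of that row and into the Beta row below it.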

                    Assigned to:

                    1. Modern Workplace Devices-Windows Autopatch-Test
                    2. Modern Workplace Devices-Windows Autopatch-First
                    3. Modern Workplace Devices-Windows Autopatch-Fast
                    4. Modern Workplace Devices-Windows Autopatch-Broad
                    |
                    1. Enable Automatic Updates
                    2. Hide option to enable or disable updates
                    3. Update Channel
                    4. Channel Name (Device)
                    5. Hide Update Notifications
                    6. Update Path
                    |
                    1. Enabled
                    2. Enabled
                    3. Enabled
                    4. Monthly Enterprise Channel
                    5. Enabled
                    | -| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

                    Assigned to:

                    1. Modern Workplace Devices-Windows Autopatch-Test
                    |
                    1. Delay downloading and installing updates for Office
                    2. Update Deadline
                    |
                  3. Enabled;Days(Device) == 0 days
                  4. Enabled;Update Deadline(Device) == 7 days
                  5. | -| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

                    Assigned to:

                    1. Modern Workplace Devices-Windows Autopatch-First
                    |
                    1. Delay downloading and installing updates for Office
                    2. Update Deadline
                    |
                  6. Enabled;Days(Device) == 0 days
                  7. Enabled;Update Deadline(Device) == 7 days
                  8. | -| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

                    Assigned to:

                    1. Modern Workplace Devices-Windows Autopatch-Fast
                    |
                    1. Delay downloading and installing updates for Office
                    2. Update Deadline
                    |
                  9. Enabled;Days(Device) == 3 days
                  10. Enabled;Update Deadline(Device) == 7 days
                  11. | -| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
                    Assigned to:
                    1. Modern Workplace Devices-Windows Autopatch-Broad
                    2. |
                      1. Delay downloading and installing updates for Office
                      2. Update Deadline
                      |
                    3. Enabled;Days(Device) == 7 days
                    4. Enabled;Update Deadline(Device) == 7 days
                    5. | +| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                      Assigned to:

                      1. Modern Workplace Devices-Windows Autopatch-Test
                      2. Modern Workplace Devices-Windows Autopatch-First
                      3. Modern Workplace Devices-Windows Autopatch-Fast
                      4. Modern Workplace Devices-Windows Autopatch-Broad
                      |
                      1. Enable Automatic Updates
                      2. Hide option to enable or disable updates
                      3. Update Channel
                      4. Channel Name (Device)
                      5. Hide Update Notifications
                      6. Update Path
                      |
                      1. Enabled
                      2. Enabled
                      3. Enabled
                      4. Monthly Enterprise Channel
                      5. Disabled>
                      6. Enabled
                      | +| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

                      Assigned to:

                      1. Modern Workplace Devices-Windows Autopatch-Test
                      |
                      1. Delay downloading and installing updates for Office
                      2. Update Deadline
                      |
                    6. Enabled;Days(Device) == 0 days
                    7. Enabled;Update Deadline(Device) == 7 days
                    | +| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

                    Assigned to:

                    1. Modern Workplace Devices-Windows Autopatch-First
                    |
                    1. Delay downloading and installing updates for Office
                    2. Update Deadline
                    |
                  12. Enabled;Days(Device) == 0 days
                  13. Enabled;Update Deadline(Device) == 7 days
                  | +| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-Fast
                  |
                  1. Delay downloading and installing updates for Office
                  2. Update Deadline
                  |
                • Enabled;Days(Device) == 3 days
                • Enabled;Update Deadline(Device) == 7 days
              | +| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
              Assigned to:
              1. Modern Workplace Devices-Windows Autopatch-Broad
              2. |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
              3. Enabled;Days(Device) == 7 days
              4. Enabled;Update Deadline(Device) == 7 days
              | ## Microsoft Edge update policies From 6b249d7206da9654b919620033dbb30bb30d6ad4 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:41:25 -0800 Subject: [PATCH 23/37] Update windows-autopatch-changes-to-tenant.md --- .../references/windows-autopatch-changes-to-tenant.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 174b01998c..4dce20b4e2 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -105,10 +105,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | | Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.
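Review bot: the `Hide Update Notifications` value added to the `+` Office Configuration row reads `5. Disabled>`; the trailing `>` is a typo and should be `5. Disabled`. In the same hunk the Value lists of the `[Test]` and `[First]` rows are numbered `6.`/`7.` and `12.`/`13.` while their Properties lists start at `1.`, and the `[Fast]` row drops back to `•` bullets, so the numbers no longer map values to properties; start every list in every row at `1.`. Note also that this hunk changes a documented setting rather than just formatting: the row previously ended at `5. Enabled` with no sixth value, and it now states `Hide Update Notifications` = `Disabled` and `Update Path` = `Enabled`. The commit message says only `Tweaks.`; please name the value change there so anyone auditing what the Autopatch Office policy sets can find it in the history.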

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-Test
              2. Modern Workplace Devices-Windows Autopatch-First
              3. Modern Workplace Devices-Windows Autopatch-Fast
              4. Modern Workplace Devices-Windows Autopatch-Broad
              |
              1. Enable Automatic Updates
              2. Hide option to enable or disable updates
              3. Update Channel
              4. Channel Name (Device)
              5. Hide Update Notifications
              6. Update Path
              |
              1. Enabled
              2. Enabled
              3. Enabled
              4. Monthly Enterprise Channel
              5. Disabled>
              6. Enabled
              | -| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-Test
              |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
            • Enabled;Days(Device) == 0 days
            • Enabled;Update Deadline(Device) == 7 days
            • | -| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-First
              |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
            • Enabled;Days(Device) == 0 days
            • Enabled;Update Deadline(Device) == 7 days
            • | -| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-Fast
              |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
            • Enabled;Days(Device) == 3 days
            • Enabled;Update Deadline(Device) == 7 days
            • | -| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
              Assigned to:
              1. Modern Workplace Devices-Windows Autopatch-Broad
              2. |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
              3. Enabled;Days(Device) == 7 days
              4. Enabled;Update Deadline(Device) == 7 days
              | +| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-Test
              |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
              1. Enabled;Days(Device) == 0 days
              2. Enabled;Update Deadline(Device) == 7 days
              | +| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-First
              |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
              1. Enabled;Days(Device) == 0 days
              2. Enabled;Update Deadline(Device) == 7 days
              | +| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

              Assigned to:

              1. Modern Workplace Devices-Windows Autopatch-Fast
              |
              1. Delay downloading and installing updates for Office
              2. Update Deadline
              |
              1. Enabled;Days(Device) == 3 days
              2. Enabled;Update Deadline(Device) == 7 days
              | +| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline
              Assigned to:
              1. Modern Workplace Devices-Windows Autopatch-Broad
              2. |
                1. Delay downloading and installing updates for Office
                2. Update Deadline
                |
                1. Enabled;Days(Device) == 7 days
                2. Enabled;Update Deadline(Device) == 7 days
                | ## Microsoft Edge update policies @@ -118,7 +118,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | | Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                Assigned to:

                1. Modern Workplace Devices-Windows Autopatch-First
                2. Modern Workplace Devices-Windows Autopatch-Fast
                  1. Modern Workplace Devices-Windows Autopatch-Broad
                  |
                  1. Target Channel Override
                  2. Target Channel (Device)
                  |
                  1. Enabled
                  2. Stable
                  | -| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-Test
                  |
                  1. Target Channel Override
                  2. Target Channel (Device)
                  |
                  1. Enabled
                  2. Beta
                  | +| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-Test
                  |
                  1. Target Channel Override
                  2. Target Channel (Device)
                  |
                  1. Enabled
                  2. Beta
                  | ## PowerShell scripts From 89e20de3e776df65f31f6ee557956e6d4f7f145b Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 1 Dec 2022 17:43:57 -0800 Subject: [PATCH 24/37] Update windows-autopatch-changes-to-tenant.md --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 4dce20b4e2..e2c64ede2d 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -104,7 +104,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.
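Review bot: the first hunk (`@@ -105,10 +105,10 @@`) correctly renumbers the Value lists in the `[Test]`, `[First]` and `[Fast]` rows back to `1.`/`2.`, but the `[Broad]` row still numbers its cell separator (`2. |`) inside the `Assigned to:` list and indents its Properties and Value lists one level deeper than the other rows, so that row will still render differently; and the `5. Disabled>` typo sits untouched in the context lines just above. Both are worth fixing in this same formatting pass.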
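Review bot: the second hunk (`@@ -118,7 +118,7 @@`) replaces the `Windows Autopatch - Edge Update Channel Beta` row with one that reads identically here (same `Assigned to:` group, `Target Channel Override`, `Target Channel (Device)`, `Enabled`, `Beta`), so as shown it is a whitespace-only change; either drop it, or, if the intent was to fix the Stable row's indented `1. Modern Workplace Devices-Windows Autopatch-Broad` entry visible in the context above, that row is the one that needs the edit.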

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-Test
                  2. Modern Workplace Devices-Windows Autopatch-First
                  3. Modern Workplace Devices-Windows Autopatch-Fast
                  4. Modern Workplace Devices-Windows Autopatch-Broad
                  |
                  1. Enable Automatic Updates
                  2. Hide option to enable or disable updates
                  3. Update Channel
                  4. Channel Name (Device)
                  5. Hide Update Notifications
                  6. Update Path
                  |
                  1. Enabled
                  2. Enabled
                  3. Enabled
                  4. Monthly Enterprise Channel
                  5. Disabled>
                  6. Enabled
                  | +| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-Test
                  2. Modern Workplace Devices-Windows Autopatch-First
                  3. Modern Workplace Devices-Windows Autopatch-Fast
                  4. Modern Workplace Devices-Windows Autopatch-Broad
                  |
                  1. Enable Automatic Updates
                  2. Hide option to enable or disable updates
                  3. Update Channel
                  4. Channel Name (Device)
                  5. Hide Update Notifications
                  6. Update Path
                  |
                  1. Enabled
                  2. Enabled
                  3. Enabled
                  4. Monthly Enterprise Channel
                  5. Disabled
                  6. Enabled
                  | | Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-Test
                  |
                  1. Delay downloading and installing updates for Office
                  2. Update Deadline
                  |
                  1. Enabled;Days(Device) == 0 days
                  2. Enabled;Update Deadline(Device) == 7 days
                  | | Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-First
                  |
                  1. Delay downloading and installing updates for Office
                  2. Update Deadline
                  |
                  1. Enabled;Days(Device) == 0 days
                  2. Enabled;Update Deadline(Device) == 7 days
                  | | Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline

                  Assigned to:

                  1. Modern Workplace Devices-Windows Autopatch-Fast
                  |
                  1. Delay downloading and installing updates for Office
                  2. Update Deadline
                  |
                  1. Enabled;Days(Device) == 3 days
                  2. Enabled;Update Deadline(Device) == 7 days
                  | From e4689f5baf02c78c8ad9c05a5ab0efa7a997d709 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 1 Dec 2022 20:55:13 -0500 Subject: [PATCH 25/37] Updating table headers Updating table headers to better clarify meaning for table --- windows/deployment/wds-boot-support.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 55b2a11be1..bbe4786161 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -26,9 +26,9 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install ## Deployment scenarios affected -The table below provides support details for specific deployment scenarios. The table represents OS Deployed (vertical) and Boot Image Version (horizontal). +The table below provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows. -||Windows 10|Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows 11| +|Windows Version Being Deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11| |--- |--- |--- |--- |--- |--- | |**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| |**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.| From ff1d11a2f1ff4126e85a04df51fa3ddf048ffe10 Mon Sep 17 00:00:00 2001 
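Review bot: the `5. Disabled>` to `5. Disabled` correction for `Hide Update Notifications` is fine, but the commit message is subject-only; since this row is where the page asserts the pairing `Hide Update Notifications` = `Disabled` and `Update Path` = `Enabled`, a one-line body naming the corrected value would help anyone checking what the Autopatch Office policy actually sets.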
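Review bot: in the wds-boot-support hunk the new intro sentence (`Boot.wim is the \`boot.wim\` file obtained from the Windows source files for each specified version of Windows.`) spells the same file name two ways in one sentence; use the code-formatted `boot.wim` in both places. The new column headers (`Windows Version Being Deployed`, `Boot.wim from Windows 10`, ...) are a clear improvement over the empty first header cell, but the first body cell, `Supported, using a boot image from matching or newer version.`, is still missing an article and does not say which product the version refers to; `Supported, using a boot image from a matching or newer version of Windows 10.` would read unambiguously under the new headers.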
From: tiaraquan Date: Thu, 1 Dec 2022 19:38:38 -0800 Subject: [PATCH 26/37] Tweaks. --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index cd7796eee2..e2a7484563 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -61,7 +61,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | | Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  |
                3. [MDM Wins Over GP ](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP)
                4. |
                5. The MDM policy is used and the GP policy is blocked
                6. | -| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  |
                  • [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
                  • [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
                  • [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
                  • [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
                  |
                  • Full
                  • 1
                  • 1
                  • 1
                  • | +| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Test
                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace Devices-Windows Autopatch-Fast
                    • Modern Workplace Devices-Windows Autopatch-Broad
                    |
                    • [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-ConfigureTelemetryOptInChangeNotification)
                    • [Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#ConfigureTelemetryOptInSettingsUx)
                    • [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
                    • [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
                    • [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
                    • [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
                    |
                    • Enable telemetry change notifications
                    • Enable Telemetry opt-in Settings
                    • Full
                    • Enabled
                    • Enabled
                    • Enabled
                    • | | Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Test
                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace Devices-Windows Autopatch-Fast
                      • Modern Workplace Devices-Windows Autopatch-Broad
                      | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | ## Update rings for Windows 10 and later From c6990ec8883d713b0a7cd2ba2affbd84eef3f61f Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 1 Dec 2022 19:41:52 -0800 Subject: [PATCH 27/37] Tweak. --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index e2a7484563..ab710fde73 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -61,7 +61,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | | Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Test
                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace Devices-Windows Autopatch-Fast
                      • Modern Workplace Devices-Windows Autopatch-Broad
                      |
                    • [MDM Wins Over GP ](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP)
                    • |
                    • The MDM policy is used and the GP policy is blocked
                    • | -| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Test
                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace Devices-Windows Autopatch-Fast
                      • Modern Workplace Devices-Windows Autopatch-Broad
                      |
                      • [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-ConfigureTelemetryOptInChangeNotification)
                      • [Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#ConfigureTelemetryOptInSettingsUx)
                      • [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
                      • [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
                      • [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
                      • [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
                      |
                      • Enable telemetry change notifications
                      • Enable Telemetry opt-in Settings
                      • Full
                      • Enabled
                      • Enabled
                      • Enabled
                      • | +| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        |
                        1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-ConfigureTelemetryOptInChangeNotification)
                        2. [Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#ConfigureTelemetryOptInSettingsUx)
                        3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
                        4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
                        5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
                        6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
                        |
                        1. Enable telemetry change notifications
                        2. Enable Telemetry opt-in Settings
                        3. Full
                        4. Enabled
                        5. Enabled
                        6. Enabled
                        | | Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | ## Update rings for Windows 10 and later From 78f178850f289d213ce3d10f4eb763327a814319 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 2 Dec 2022 09:31:44 -0500 Subject: [PATCH 28/37] fixed typo --- .../windows-firewall/basic-firewall-policy-design.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 73e20f347d..011af27334 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md 
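Review bot: the numbered lists in the Properties and Value cells of the Data Collection row only carry meaning while both lists keep the same order, because the pairing is positional (1 Configure Telemetry Opt In Change Notification pairs with Enable telemetry change notifications, 3 Allow Telemetry pairs with Full, and items 4 to 6 are three indistinguishable "Enabled" entries). Either merge the two cells into one "property: value" list or say in the description that the lists correspond by position, so that a later edit to one cell cannot silently desynchronise it from the other; the Allow Telemetry value of Full is the one readers will most want to find unambiguously, since it is the most permissive diagnostic-data level. In the following row, Windows Update Detection Frequency, the value is still a bare `4` with no unit stated.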
@@ -53,7 +53,7 @@ By default, in new installations, Windows Defender Firewall with Advanced Securi If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. -Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  +Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party firewalls that comply with this recommendation have the certified logo from Microsoft. An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation. From 9999a48c5a39199ee194494c073c9e92a0e0ec97 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 2 Dec 2022 10:16:14 -0500 Subject: [PATCH 29/37] Fix USMT example --- windows/deployment/usmt/usmt-migrate-user-accounts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index b0b1ba2611..518b93c468 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md 
@@ -66,7 +66,7 @@ Links to detailed explanations of commands are available in the [Related article LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml ``` -## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain +## To migrate two domain accounts (User1 and User2) and move both accounts from the Contoso domain to the Fabrikam domain Links to detailed explanations of commands are available in the [Related articles](#related-articles) section. @@ -83,7 +83,7 @@ Links to detailed explanations of commands are available in the [Related article 4. Enter the following `LoadState.exe ` command line in a command prompt window: ```cmd - LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml + LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user1 /mu:contoso\user2:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml ``` ## Related articles From ebd5666bc58af68320250e1df8dc2bebf7090a56 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 2 Dec 2022 07:49:05 -0800 Subject: [PATCH 30/37] Update windows-autopatch-changes-to-tenant.md --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index ab710fde73..96fdef2444 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md 
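Review bot: the corrected `LoadState.exe` line now carries a `/mu` mapping for each of the two accounts (contoso\user1 to fabrikam\user1 and contoso\user2 to fabrikam\user2), whereas the removed line mapped contoso\user1 onto fabrikam\user2 and had no mapping for user2 at all, so it contradicted its own heading; the new heading "move both accounts" matches the command. One leftover in the unchanged context of the second hunk: the inline code `LoadState.exe ` in step 4 has a trailing space inside the backticks, which renders as a stray space, and can be trimmed while this file is open.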
@@ -60,7 +60,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        |
                      • [MDM Wins Over GP ](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP)
                      • |
                      • The MDM policy is used and the GP policy is blocked
                      • | +| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        | [MDM Wins Over GP ](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked | | Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        |
                        1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-ConfigureTelemetryOptInChangeNotification)
                        2. [Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#ConfigureTelemetryOptInSettingsUx)
                        3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
                        4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
                        5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
                        6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
                        |
                        1. Enable telemetry change notifications
                        2. Enable Telemetry opt-in Settings
                        3. Full
                        4. Enabled
                        5. Enabled
                        6. Enabled
                        | | Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | From 9535a262a590f41e38f93293155623eb416e537f Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 2 Dec 2022 08:19:57 -0800 Subject: [PATCH 31/37] Updating What's new with Rekha and Adam N's changes. --- .../operate/windows-autopatch-fu-overview.md | 2 +- .../operate/windows-autopatch-wqu-overview.md | 2 +- .../windows-autopatch-wqu-unsupported-policies.md | 11 ++++++----- .../whats-new/windows-autopatch-whats-new-2022.md | 3 +++ 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 023003d400..fbf827b7a7 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
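Review bot: collapsing the Set MDM to Win Over GPO row to plain single-value cells is the right shape for a Markdown table, but the link text `[MDM Wins Over GP ]` carried over from the removed lines still has a trailing space inside the brackets, which renders as a stray space in the link; trim it to `[MDM Wins Over GP]`. The rows either side of it (Data Collection with its six-item lists, Windows Update Detection Frequency) keep the multi-line cell style, so the table now mixes two layouts for the Properties and Value columns; flattening or listing consistently across the three rows would read better.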
@@ -31,7 +31,7 @@ For a device to be eligible for Windows feature updates as a part of Windows Aut | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) | ## Windows feature update releases diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index d922d4a3cc..f2d4f477af 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md 
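Review bot: the new anchor `#group-policy-and-other-policy-managers` has to match the slug of the renamed heading `### Group policy and other policy managers` in windows-autopatch-wqu-unsupported-policies.md in this same patch, and it does. While the row is being edited, end its sentence with a period before the closing `|` (`... policy managers). |`), as the three rows above it (Internet connectivity, Windows edition, MDM policy conflict) already do.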
@@ -31,7 +31,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) | ## Windows quality update releases diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md index 667c755524..1c19a4bac4 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md @@ -1,7 +1,7 @@ --- title: Windows update policies description: This article explains Windows update policies in Windows Autopatch -ms.date: 07/07/2022 +ms.date: 12/02/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
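Review bot: same remark as for the feature-update eligibility table: the Group policy conflict row is the only one in this table whose Description does not end with a period before the closing `|`; add it while the link is being updated so the two eligibility tables stay identical.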
@@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: adnich --- # Windows update policies @@ -109,8 +109,9 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de | [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.

                        Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | | [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.

                        This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. | -### Group policy +### Group policy and other policy managers -Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management: +Group policy as well as other policy managers can take precedence over mobile device management (MDM) policies. For Windows quality updates, if any policies or configurations are detected which modify the following hives in the registry, the device could become ineligible for management: -`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` +- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` +- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md index b4a98ff888..ba4c088925 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md 
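Review bot: the two registry paths added under the renamed heading are keys, not hives: HKLM is the hive, and `SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` and `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` are keys beneath it, so "modify the following hives in the registry" should read "modify the following registry keys". The rewording from "the device will be ineligible" to "the device could become ineligible" turns a determinate eligibility rule into an uncertain one without saying what decides it; if eligibility now depends on which values under those keys are set, state that condition, otherwise keep "will be". Minor: "Group policy as well as other policy managers can take precedence" reads better as "Group policy, as well as other policy managers, can take precedence". In the front-matter hunk of the same file, the key `msreviewer` lacks the dot that every sibling key uses (`ms.date`, `ms.prod`, `ms.technology`, `ms.topic`); since that line is being changed anyway, correct it to `ms.reviewer`.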
@@ -24,6 +24,9 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | +| [Unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md) | Updated to include other policy managers in the Group policy section. | +| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the Device configuration, Microsoft Office and Edge policies | +| [Windows quality update reports](../operate/windows-autopatch-wqu-reports-overview.md) | Added Windows quality update reports. | | [What's new](../whats-new/windows-autopatch-whats-new-2022.md) | Added the What's new article | ## November 2022 From b46df945d78bc904ecd636c5c701d53e720686ed Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Fri, 2 Dec 2022 10:21:27 -0600 Subject: [PATCH 32/37] Update windows/security/identity-protection/credential-guard/credential-guard-known-issues.md Acro: login -> log in --- .../credential-guard/credential-guard-known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 7c0013e9a3..cb1b52ff54 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
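Review bot: the three added Description cells are inconsistently punctuated (the Unsupported policies and Windows quality update reports rows end with a period, the Changes made at tenant enrollment row does not), and the existing What's new row below them has no period either; settle on one convention for the column in this hunk rather than in a follow-up.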
@@ -25,7 +25,7 @@ Windows Defender Credential Guard has certain application requirements. Windows ## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2** ### Symptoms of the issue: -Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to login and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running. +Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to log in and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running. ### Affected devices: Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements). From 92ff119b660a49fffa984710538cfff08e51a933 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 2 Dec 2022 08:21:55 -0800 Subject: [PATCH 33/37] Date. --- .../whats-new/windows-autopatch-whats-new-2022.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md index ba4c088925..c27ffe990e 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md 
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md @@ -1,7 +1,7 @@ --- title: What's new description: This article lists the new feature releases and any corresponding Message center post numbers. -ms.date: 12/01/2022 +ms.date: 12/02/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to From 86b9cb8c7a57afacc89059629e821740a8601df2 Mon Sep 17 00:00:00 2001 From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com> Date: Fri, 2 Dec 2022 08:28:32 -0800 Subject: [PATCH 34/37] Update windows-11-se-overview.md Removed the below as it's not yet live | Smoothwall monitor | 2.8.0 | Win32 | Smoothwall Ltd | --- education/windows/windows-11-se-overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index f7ea182a40..654b8d7eca 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -134,7 +134,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus | | Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | | Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | -| Smoothwall monitor | 2.8.0 | Win32 | Smoothwall Ltd | | SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | | SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access | | VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc | From 52a4e71fc3f4305687c03e6d5c3f4a6cce947c3d Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 2 Dec 2022 08:34:50 -0800 Subject: [PATCH 35/37] Update windows-autopatch-whats-new-2022.md --- .../whats-new/windows-autopatch-whats-new-2022.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md index c27ffe990e..ae6debb7a1 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md @@ -20,7 +20,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. ## December 2022 -### December feature release +### December feature releases or updates | Article | Description | | ----- | ----- | @@ -31,7 +31,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. ## November 2022 -### November feature releases +### November feature releases or updates | Article | Description | | ----- | ----- | @@ -48,7 +48,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. ## October 2022 -### October feature releases +### October feature releases or updates | Article | Description | | ----- | ----- | @@ -63,7 +63,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. ## September 2022 -### September feature release +### September feature releases or updates | Article | Description | | ----- | ----- | @@ -71,7 +71,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. ## August 2022 -### August feature release +### August feature releases or updates | Article | Description | | ----- | ----- | @@ -85,7 +85,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. ## July 2022 -### July feature releases +### July feature releases or updates | Article | Description | | ----- | ----- | From f7644c8e18eef37f0cce0c6527f1ea4ead1c455b Mon Sep 17 00:00:00 2001 
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 2 Dec 2022 08:39:36 -0800 Subject: [PATCH 36/37] Update windows-autopatch-whats-new-2022.md --- .../whats-new/windows-autopatch-whats-new-2022.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md index ae6debb7a1..a00b6e9669 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md @@ -24,9 +24,9 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | -| [Unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md) | Updated to include other policy managers in the Group policy section. | +| [Unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md) | Updated to include other policy managers in the Group policy section | | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the Device configuration, Microsoft Office and Edge policies | -| [Windows quality update reports](../operate/windows-autopatch-wqu-reports-overview.md) | Added Windows quality update reports. | +| [Windows quality update reports](../operate/windows-autopatch-wqu-reports-overview.md) | Added Windows quality update reports | | [What's new](../whats-new/windows-autopatch-whats-new-2022.md) | Added the What's new article | ## November 2022 From 48886dc3769bdabb593679fb7aae12fbb2d05929 Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Fri, 2 Dec 2022 08:40:23 -0800 Subject: [PATCH 37/37] Update wds-boot-support.md --- windows/deployment/wds-boot-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 5b399f6f4e..32807ff581 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -29,7 +29,7 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install The table below provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows. -|Windows Version Being Deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11| +|Windows Version being deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11| |--- |--- |--- |--- |--- |--- | |**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| |**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.|
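Review bot: the new header `Windows Version being deployed` mixes casing: the original `Windows Version Being Deployed` was title case, and lowercasing only the last two words leaves it in neither style. The other column headers in the same row (`Boot.wim from Windows 10`, `Boot.wim from Windows Server 2016`, ...) are sentence case, so `Windows version being deployed` is the consistent choice.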