diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json index 7e028ba6b7..e27a545a00 100644 --- a/.openpublishing.redirection.education.json +++ b/.openpublishing.redirection.education.json @@ -229,6 +229,11 @@ "source_path": "education/windows/windows-editions-for-education-customers.md", "redirect_url": "/education/windows", "redirect_document_id": false + }, + { + "source_path": "education/windows/configure-windows-for-education.md", + "redirect_url": "/education/windows", + "redirect_document_id": false } ] } \ No newline at end of file diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md deleted file mode 100644 index d9b96510a0..0000000000 --- a/education/windows/configure-windows-for-education.md +++ /dev/null 
@@ -1,159 +0,0 @@ ---- -title: Windows 10 configuration recommendations for education customers -description: Learn how to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. -ms.topic: how-to -ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 ---- -# Windows 10 configuration recommendations for education customers - -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). - -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). - -In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready. 
- -| Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | -| --- | --- | --- | --- | --- | --- | -| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set | -| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This feature is already set | This feature is already set | The policy must be set | -| **Cortana** | **AllowCortana** | Disables Cortana

* Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | -| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set | -| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | -| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

* Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set | - - -## Recommended configuration -It's easy to be education ready when using Microsoft products. We recommend the following configuration: - -1. Use an Office 365 Education tenant. - - With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans). - -2. Activate Intune for Education in your tenant. - - You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html). - -3. On PCs running Windows 10, version 1703: - 1. Provision the PC using one of these methods: - * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. - * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. - 2. Join the PC to Microsoft Entra ID. - * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID. - * Manually Microsoft Entra join the PC during the Windows device setup experience. - 3. Enroll the PCs in MDM. - * If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. - 4. 
Ensure that needed assistive technology apps can be used. - * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. - -4. Distribute the PCs to students. - - Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge. - -5. Ongoing management through Intune for Education. - - You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs. - -## Configuring Windows -You can configure Windows through provisioning or management tools including industry standard MDM. -- Provisioning - A one-time setup process. -- Management - A one-time and/or ongoing management of a PC by setting policies. - -You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready: -- [Set up School PCs](use-set-up-school-pcs-app.md) -- [Intune for Education](/intune-education/available-settings) - -## AllowCortana -**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). - -> [!NOTE] -> See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. - -Use one of these methods to set this policy. 
- -### MDM -- Intune for Education automatically sets this policy in the **All devices** group policy configuration. -- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. - - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - - For example, in Intune, create a new configuration policy and add an OMA-URI. - - OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowCortana - - Data type: Integer - - Value: 0 - -### Group Policy -Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**. - -### Provisioning tools -- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. -- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**. - -## SetEduPolicies -**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). - -Use one of these methods to set this policy. - -### MDM -- Intune for Education automatically sets this policy in the **All devices** group policy configuration. -- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. - - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - - For example, in Intune, create a new configuration policy and add an OMA-URI. 
- - OMA-URI: ./Vendor/MSFT/SharedPC/SetEduPolicies - - Data type: Boolean - - Value: true - - ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) - -### Group Policy -**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). - -For example: - -- Open PowerShell as an administrator and enter the following: - - ``` - $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" - - $sharedPC.SetEduPolicies = $True - - Set-CimInstance -CimInstance $sharedPC - - Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass - ``` - -### Provisioning tools -- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. -- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**. - - ![Set SetEduPolicies to True in Windows Configuration Designer.](images/wcd/setedupolicies.png) - -## Ad-free search with Bing -Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. - -### Configurations - - - -#### Microsoft Entra ID and Office 365 Education tenant -To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps: - -1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590). -2. 
Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant). -3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic. -4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC. -> [!NOTE] -> If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time. - -#### Office 365 sign-in to Bing -To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps: - -1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic. -2. Have students sign into Bing with their Office 365 account. - - -## Related topics -[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) diff --git a/education/windows/images/setedupolicies_omauri.png b/education/windows/images/setedupolicies_omauri.png deleted file mode 100644 index eb3d9e216c..0000000000 Binary files a/education/windows/images/setedupolicies_omauri.png and /dev/null differ diff --git a/education/windows/images/wcd/setedupolicies.png b/education/windows/images/wcd/setedupolicies.png deleted file mode 100644 index e240063f68..0000000000 Binary files a/education/windows/images/wcd/setedupolicies.png and /dev/null differ diff --git a/education/windows/images/wcd/wcd_settings_assignedaccess.png b/education/windows/images/wcd/wcd_settings_assignedaccess.png deleted file mode 100644 index 443a5d0688..0000000000 Binary files a/education/windows/images/wcd/wcd_settings_assignedaccess.png and /dev/null differ 
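Review bot: The redirect added for this deleted page points at the generic `/education/windows` landing page, so any inbound link to its anchors (`#setedupolicies`, `#allowcortana`, `#ad-free-search-with-bing`, `#recommended-configuration`) will land on a page that no longer carries that content; search the repo for links to `configure-windows-for-education.md` before merging, and if SetEduPolicies and AllowCortana are now documented elsewhere, point the redirect there instead. Also, of the three image files deleted with the page, `images/wcd/wcd_settings_assignedaccess.png` is never referenced by the deleted markdown (only `images/setedupolicies_omauri.png` and `images/wcd/setedupolicies.png` are), so confirm no other article still embeds it.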
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index eec8f909f1..56477ff62e 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -102,10 +102,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` | | `DigiExam` | 14.1.0 | `Win32` | `Digiexam` | | `Digital Secure testing browser` | 15.0.0 | `Win32` | `Digiexam` | -| `Dolphin Guide Connect` | 1.25 | `Win32` | `Dolphin Guide Connect` | +| `Dolphin Guide Connect` | 1.27 | `Win32` | `Dolphin Guide Connect` | | `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` | | `DRC INSIGHT Online Assessments` | 14.0.0.0 | `Store` | `Data recognition Corporation` | -| `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` | +| `Duo from Cisco` | 6.3.0 | `Win32` | `Cisco` | | `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` | | `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` | | `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` | @@ -114,7 +114,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ESET Endpoint Security` | 10.1.2046.0 | `Win32` | `ESET` | | `ESET Remote Administrator Agent` | 10.0.1126.0 | `Win32` | `ESET` | | `eTests` | 4.0.25 | `Win32` | `CASAS` | -| `Exam Writepad` | 23.2.4.2338 | `Win32` | `Sheldnet` | +| `Exam Writepad` | 23.12.10.1200 | `Win32` | `Sheldnet` | | `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` | | `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` | | `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` | 
@@ -126,8 +126,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` | | `Impero Backdrop Client` | 5.0.151 | `Win32` | `Impero Software` | | `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` | +| `Inprint` | 3.7.6 | `Win32` | `Inprint` | | `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` | -| `JAWS for Windows` | 2023.2307.37 | `Win32` | `Freedom Scientific` | +| `Instashare` | 1.3.13.0 | `Win32` | `Instashare` | +| `JAWS for Windows` | 2024.2312.53 | `Win32` | `Freedom Scientific` | | `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` | | `Keyman` | 16.0.142 | `Win32` | `SIL International` | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` | @@ -155,7 +157,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` | | `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` | | `Netsweeper Workstation Agent` | 4.50.54.54 | `Win32` | `Netsweeper` | -| `NonVisual Desktop Access` | 2023.1. | `Win32` | `NV Access` | +| `NonVisual Desktop Access` | 2023.3 | `Win32` | `NV Access` | | `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` | | `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` | | `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` | @@ -166,7 +168,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `ReadAndWriteForWindows` | 12.0.78 | `Win32` | `Texthelp Ltd.` | | `Remote Desktop client (MSRDC)` | 1.2.4487.0 | `Win32` | `Microsoft` | | `Remote Help` | 5.0.1311.0 | `Win32` | `Microsoft` | -| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` | +| `Respondus Lockdown Browser` | 2.1.1.05 | `Win32` | `Respondus` | | `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` | |`SchoolYear` | 3.5.4 | `Win32` |`SchoolYear` | |`School Manager` | 3.6.10-1149 | `Win32` |`Linewize` | 
@@ -175,9 +177,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Senso.Cloud` |2021.11.15.0 | `Win32` | `Senso.Cloud` | | `Skoolnext` | 2.19 | `Win32` | `Skool.net` | | `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` | -| `SuperNova Magnifier & Screen Reader` | 22.03 | `Win32` | `Dolphin Computer Access` | +| `SuperNova Magnifier & Screen Reader` | 22.04 | `Win32` | `Dolphin Computer Access` | | `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` | -|`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` | +| `Snapplify` | 6.9.7 | `Win32` | `Snapplify` | +|`TX Secure Browser` | 16.0.0 | `Win32` | `Cambium Development` | | `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` | |`WA Secure Browser` | 16.0.0 | `Win32` | `Cambium Development` | | `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` | @@ -185,8 +188,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Windows SEB` | 3.4.0 | `Win32` | `Illinois Stateboard of Education` | | `Windows Notepad` | 12.0.78 | `Store` | `Microsoft Corporation` | | `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` | -| `ZoomText Fusion` | 2023.2307.7.400 | `Win32` | `Freedom Scientific` | -| `ZoomText Magnifier/Reader` | 2023.2307.29.400 | `Win32` | `Freedom Scientific` | +| `ZoomText Fusion` | 2024.2310.13.400 | `Win32` | `Freedom Scientific` | +| `ZoomText Magnifier/Reader` | 2024.2312.26.400 | `Win32` | `Freedom Scientific` | ## Add your own applications @@ -224,4 +227,4 @@ For more information on Intune requirements for adding education apps, see [Conf [EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps [EDUWIN-2]: /education/windows/tutorial-school-deployment/ -[WIN-1]: /windows/whats-new/windows-11-requirements \ No newline at end of file +[WIN-1]: /windows/whats-new/windows-11-requirements 
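Review bot: In the `@@ -175` hunk the new `Snapplify` row is inserted after the two `SuperNova` rows, breaking the alphabetical order the table otherwise follows (it belongs between `Smoothwall Monitor` and `SuperNova Magnifier & Screen Reader`), and the rewritten `TX Secure Browser` row keeps the missing space after the leading pipe (`|`TX Secure Browser``) that the surrounding rows have; both are worth fixing while the lines are touched. More substantively, the version column does not say whether it lists the exact tested build or a minimum: `FortiClient` uses `7.2.0.4034+`, implying a minimum, while every other row (including the bumps here such as `Duo from Cisco` 3.0.0 to 6.3.0) gives an exact version, so an admin cannot tell whether a newer release is still covered; a short sentence above the table stating the convention would resolve that.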
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md index f902b92204..6239626e67 100644 --- a/windows/client-management/client-tools/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -11,7 +11,7 @@ ms.collection: # Use Quick Assist to help users -Quick Assist is a Microsoft Store application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. +Quick Assist is an application that enables a person to share their [Windows](#install-quick-assist-on-windows) or [macOS](#install-quick-assist-on-macos) device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. ## Before you begin @@ -89,7 +89,7 @@ Microsoft logs a small amount of session data to monitor the health of the Quick In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. -## Install Quick Assist +## Install Quick Assist on Windows ### Install Quick Assist from the Microsoft Store 
@@ -127,7 +127,7 @@ To install Quick Assist offline, you need to download your APPXBUNDLE and unenco 1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"` 1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` -## Microsoft Edge WebView2 +### Microsoft Edge WebView2 The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist application has been developed using this control, making it a necessary component for the app to function. @@ -136,6 +136,13 @@ The Microsoft Edge WebView2 is a development control that uses Microsoft Edg For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) +## Install Quick Assist on macOS + +Quick Assist for macOS is available for interactions with Microsoft Support. If Microsoft products on your macOS device are not working as expected, contact [Microsoft Support](https://support.microsoft.com/contactus) for assistance. Your Microsoft Support agent will guide you through the process of downloading and installing it on your device. + +> [!NOTE] +> Quick Assist for macOS is not available outside of Microsoft Support interactions. + ## Next steps If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332). 
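Review bot: The new `Install Quick Assist on macOS` section states that the app is only obtainable during a Microsoft Support interaction but gives users nothing to verify the install against; since that support-only channel is the one thing a user sees, consider adding one sentence that the download is provided by the agent inside the open support case and that Quick Assist for macOS should not be installed from any other source, so users can recognise a genuine install. Separately, the introduction now links to both platform sections, but the `Before you begin` section and the session-data paragraph shown as context in the `@@ -89` hunk are written for the Windows app; check whether they need a note that they apply to Windows only.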
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index d52bea489c..e8dfe5371f 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,7 +1,7 @@ --- title: Update Policy CSP description: Learn more about the Update Area in Policy CSP. -ms.date: 02/14/2024 +ms.date: 02/14/2024 --- @@ -1556,7 +1556,8 @@ Configure this policy to specify whether to receive **Windows Feature Updates** - SetPolicyDrivenUpdateSourceForOtherUpdates > [!NOTE] -> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +> - If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +> - If you're also using the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](policy-csp-admx-servicing.md)) policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](/windows/deployment/update/fod-and-lang-packs) to verify your policy configuration. 
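Review bot: The `ms.date` hunk replaces `02/14/2024` with the identical value `02/14/2024`, so it is either a whitespace-only change or a missed date bump; since this PR changes the article's content, set `ms.date` to the actual edit date (the other articles in this PR use `04/22/2024` and `04/23/2024`). In the `@@ -1556` hunk the rewritten first bullet carries over the redundant "properly configured ... correctly"; as the line is being rewritten anyway, "If Update/UpdateServiceUrl is not configured to point to your WSUS server, this policy has no effect." reads better, and the same applies to the identical bullet in the `@@ -1694` hunk below.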
@@ -1694,7 +1695,8 @@ Configure this policy to specify whether to receive **Windows Quality Updates** - SetPolicyDrivenUpdateSourceForOtherUpdates > [!NOTE] -> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +> - If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +> - If you're also using the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](policy-csp-admx-servicing.md)) policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](/windows/deployment/update/fod-and-lang-packs) to verify your policy configuration. diff --git a/windows/configuration/cellular/provisioning-apn.md b/windows/configuration/cellular/provisioning-apn.md index 88c77810eb..8fcf389cf7 100644 --- a/windows/configuration/cellular/provisioning-apn.md +++ b/windows/configuration/cellular/provisioning-apn.md 
@@ -1,47 +1,44 @@ --- -title: Configure cellular settings for tablets and PCs -description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. +title: Configure cellular settings +description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles. ms.topic: concept-article -ms.date: 04/13/2018 +ms.date: 04/23/2024 --- -# Configure cellular settings for tablets and PCs +# Configure cellular settings ->**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings) +This article describes how to configure cellular settings for devices that have a cellular modem using a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined in the provisioning package, without needing to connect manually. -Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect. - -For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling. +For users who work in different locations, you can configure one APN to connect when the users are at work, and a different APN when the users are traveling. 
## Prerequisites -- Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education) -- Tablet or PC with built-in cellular modem or plug-in USB modem dongle +- Device with built-in cellular modem or plug-in USB modem dongle - [Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md) -- APN (the address that your PC uses to connect to the Internet when using the cellular data connection) +- APN (the address that the device uses to connect to the Internet when using the cellular data connection) ## How to configure cellular settings in a provisioning package -1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option. -1. Enter a name for your project, and then click **Next**. -1. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. -1. Go to **Runtime settings > Connections > EnterpriseAPN**. -1. Enter a name for the connection, and then click **Add**. +1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option +1. Enter a name for your project, and then select **Next** +1. Select **All Windows desktop editions**, select **Next**, and then select **Finish** +1. Go to **Runtime settings > Connections > EnterpriseAPN** +1. Enter a name for the connection, and then select **Add** ![Example of APN connection name.](images/apn-add.png) -1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. +1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection ![settings for new connection.](images/apn-add-details.png) -1. The following table describes the settings available for the connection. +1. 
The following table describes the settings available for the connection | Setting | Description | | --- | --- | - | AlwaysOn | By default, the Connection Manager will automatically attempt to connect to the APN when a connection is available. You can disable this setting. | + | AlwaysOn | By default, the Connection Manager automatically attempts to connect to the APN when a connection is available. You can disable the setting. | | APNName | Enter the name of the APN. | | AuthType | You can select **None** (the default), or specify **Auto**, **PAP**, **CHAP**, or **MSCHAPv2** authentication. If you select PAP, CHAP, or MSCHAPv2 authentication, you must also enter a user name and password. | - | ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attach APN is not only used as the Internet APN. | + | ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attached APN isn't only used as the Internet APN. | | Enabled | By default, the connection is enabled. You can change this setting. | | IccId | This is the Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. | | IPType | By default, the connection can use IPv4 and IPv6 concurrently. You can change this setting to only IPv4, only IPv6, or IPv6 with IPv4 provided by 46xlat. | 
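Review bot: In the `ClassId` row, changing "the attach APN" to "the attached APN" alters a technical term rather than fixing grammar: the same row names the **IsAttachAPN** setting, so "attach APN" is the name of the concept and should stay as written, with only "is not" to "isn't" if that was the intent. Also, the prerequisite "Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education)" is removed with no replacement; if EnterpriseAPN provisioning still has a minimum supported version or edition, it should remain stated here or in the `appliesto` metadata rather than disappear.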
@@ -55,22 +52,22 @@ For users who work in different locations, you can configure one APN to connect ## Confirm the settings -After you apply the provisioning package, you can confirm that the settings have been applied. +After you apply the provisioning package, you can confirm that the settings are applied. -1. On the configured device, open a command prompt as an administrator. +1. On the configured device, open a command prompt as an administrator 1. Run the following command: ```cmd netsh mbn show profiles ``` -1. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run: +1. The command lists the mobile broadband profiles. Using the **Name** for the listed mobile broadband profile, run: ```cmd netsh mbn show profiles name="name" ``` - This command will list details for that profile, including Access Point Name. + This command lists the details for that profile, including Access Point Name. Alternatively, you can also use the command: @@ -84,4 +81,4 @@ From the results of that command, get the name of the cellular/mobile broadband netsh mbn show connection interface="name" ``` -The result of that command will show details for the cellular interface, including Access Point Name. +The result of that command shows the details for the cellular interface, including Access Point Name. diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 5defe8d8ca..f6033a422c 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -372,6 +372,8 @@ href: update/update-other-microsoft-products.md - name: Delivery Optimization reference href: do/waas-delivery-optimization-reference.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json + - name: FoD and language packs for WSUS and Configuration Manager + href: update/fod-and-lang-packs.md - name: Windows client in S mode href: s-mode.md - name: Switch to Windows client Pro or Enterprise from S mode 
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index f7968c1ebc..87d5304815 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -3,7 +3,7 @@ title: FoD and language packs for WSUS and Configuration Manager description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: reference ms.author: mstewart author: mestew ms.localizationpriority: medium 
@@ -13,28 +13,44 @@ appliesto: - ✅ Windows 10 - ✅ Microsoft Configuration Manager - ✅ WSUS -ms.date: 03/13/2019 +ms.date: 04/22/2024 --- # How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager + +This reference article describes how to make Features on Demand (FoDs) and language packs available when you're using Windows Server Update Services (WSUS) or Configuration Manager for specific versions of Windows. -This article describes how to make Features on Demand and language packs available when you're using WSUS or Configuration Manager for specific versions of Windows. +## High-level changes affecting Features on Demand and language pack content -## Version information for Features on Demand and language packs +The following changes for FoD and language pack content affected how client policy needs to be configured: + +- Starting in Windows 10 version 1709, you can't use WSUS to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FoDs) locally. +- Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. -In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features. +Due to these changes, the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](/windows/client-management/mdm/policy-csp-admx-servicing)) policy, located under `Computer Configuration\Administrative Templates\System` was used to specify alternate ways to acquire FoDs and language packs, along with content for corruption repair. This policy allows specifying one alternate location. It's important to note the policy behaves differently across OS versions. For more information, see the [Version specific information for Features on Demand and language packs](#version-specific-information-for-features-on-demand-and-language-packs) section. 
-As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. +The introduction of the **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) policy in Windows 10, version 2004 further complicated configuring settings for FoD and language pack content. -The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions. +Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again. It's no longer necessary to use the **Specify settings for optional component installation and component repair** policy for FoD and language pack content. -In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions doesn't influence how language packs are acquired. 
+## Version specific information for Features on Demand and language packs -In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location. +Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP. + +For Windows 10, version 2004 through Windows 11, version 21H2, clients can't download FoDs or language packs when **Specify settings for optional component installation and component repair** is set to Windows Update and **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) for either feature or quality updates is set to WSUS. If you need this content, you can set **Specify settings for optional component installation and component repair** to Windows Update and then either: +- Change the source selection for feature and quality updates to Windows Update +- Allow all classes of updates to come from WSUS by not configuring any source selections + +> [!Note] +> In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features. 
+ +In Windows 10 version 1809 and later, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update (until Windows 11 version 22H2). It's currently not possible to acquire them from a network share. Specifying a network location works for FoD packages or corruption repair, depending on the content at that location. + +In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FoD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions doesn't influence how language packs are acquired. For all OS versions, changing the **Specify settings for optional component installation and component repair** policy doesn't affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. -Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). +Learn about other client management options, including using Group Policy and administrative templates, in [Manage Windows clients](/windows/client-management/). ## More resources diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index 7f6fffc7b4..9984fc897b 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md 
@@ -11,11 +11,11 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 03/15/2023 +ms.date: 04/22/2024 --- # Migrating and acquiring optional Windows content during updates - + This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term. When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update). @@ -28,7 +28,8 @@ Optional content includes the following items: - General Features on Demand also referred to as FODs (for example, Windows Mixed Reality) - Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0) -- Local Experience Packs +- Local Experience Packs +- Language packs Optional content isn't included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it's released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user's data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. 
@@ -137,7 +138,8 @@ Several of the options address ways to address optional content migration issues - This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired. - If this setting isn't configured or disabled, files are downloaded from the default Windows Update location, for example Windows Update for Business or WSUS. -For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source). + +For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) and [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](fod-and-lang-packs.md). ## More resources diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 6506f11e90..548b26fb85 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -15,11 +15,11 @@ appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ WSUS -ms.date: 12/31/2017 +ms.date: 04/22/2024 --- # Deploy Windows client updates using Windows Server Update Services (WSUS) - + > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index 5f5374ac96..6062716b60 100644 --- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md 
@@ -11,10 +11,10 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 01/13/2022 +ms.date: 04/22/2024 --- -# Use Windows Update for Business and WSUS together +# Use Windows Update for Business and WSUS together > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -69,7 +69,8 @@ The policy can be configured using the following two methods: > [!NOTE] > - You should configure **all** of these policies if you are using CSPs. -> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered. +> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered. +> - If you're also using the **Specify settings for optional component installation and component repair** policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](fod-and-lang-packs.md) to verify your policy configuration. - [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver) - [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature) 
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index f27e7c4961..386320c5f8 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -32,7 +32,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 11 Family +## Windows 11 Home | **Area** | **Description** | **Protocol** | **Destination** | |-----------|--------------- |------------- |-----------------| diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index b4736b74ce..aebe78e618 100644 --- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -32,7 +32,7 @@ We used the following methodology to derive these network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Destination** | **Protocol** | **Description** | | --- | --- | --- | diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index b558fc1c1e..3640d0e89a 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md 
@@ -36,7 +36,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | Destination | Protocol | Description | | ----------- | -------- | ----------- | diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index a0bfa21291..efebab8e60 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -34,7 +34,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Destination** | **Protocol** | **Description** | | --- | --- | --- | diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md index c8f28f8ea4..8836b64032 100644 --- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md @@ -35,7 +35,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Destination** | **Protocol** | **Description** | | --- | --- | --- | 
diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md index f41413a60a..c57c257926 100644 --- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md @@ -34,7 +34,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Area** | **Description** | **Protocol** | **Destination** | |-----------|--------------- |------------- |-----------------| diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md index ae92428145..01a9f50103 100644 --- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md @@ -34,7 +34,7 @@ The following methodology was used to derive the network endpoints: > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. -## Windows 10 Family +## Windows 10 Home | **Area** | **Description** | **Protocol** | **Destination** | |-----------|--------------- |------------- |-----------------| diff --git a/windows/security/cloud-security/index.md b/windows/security/cloud-security/index.md index b31f712e0f..9fde8b8939 100644 --- a/windows/security/cloud-security/index.md +++ b/windows/security/cloud-security/index.md 
@@ -1,6 +1,6 @@ --- title: Windows and cloud security -description: Get an overview of cloud security features in Windows +description: Get an overview of cloud security features in Windows. ms.date: 08/02/2023 ms.topic: overview author: paolomatarazzo @@ -9,7 +9,7 @@ ms.author: paoloma # Windows and cloud security -Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats. +Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats. From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere. diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md index b4d14a1882..008110433e 100644 --- a/windows/security/identity-protection/hello-for-business/configure.md +++ b/windows/security/identity-protection/hello-for-business/configure.md @@ -2,7 +2,7 @@ title: Configure Windows Hello for Business description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization. ms.topic: how-to -ms.date: 01/03/2024 +ms.date: 04/23/2024 --- # Configure Windows Hello for Business 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 5fe562311d..e1845d9363 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,7 +1,7 @@ --- title: Dynamic lock description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value. -ms.date: 02/29/2024 +ms.date: 04/23/2024 ms.topic: how-to --- diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 1b1ad680bf..ff9bf8c522 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -5,7 +5,7 @@ ms.date: 08/19/2018 ms.topic: how-to --- -# Using Certificates for AADJ On-premises Single-sign On +# Using Certificates for Microsoft Entra joined on-premises single-sign on [!INCLUDE [apply-to-hybrid-cert-trust-entra](deploy/includes/apply-to-hybrid-cert-trust-entra.md)] 
@@ -16,34 +16,35 @@ If you plan to use certificates for on-premises single-sign on, then follow thes Steps you'll perform include: -- [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect) -- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) -- [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) -- [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role) -- [Configure Network Device Enrollment Services to work with Microsoft Intune](#configure-network-device-enrollment-services-to-work-with-microsoft-intune) -- [Download, Install and Configure the Intune Certificate Connector](#download-install-and-configure-the-intune-certificate-connector) -- [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile) +> [!div class="checklist"] +> - [Prepare Microsoft Entra Connect](#prepare-microsoft-entra-connect) +> - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) +> - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) +> - [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role) +> - [Configure Network Device Enrollment Services to work with Microsoft Intune](#configure-network-device-enrollment-services-to-work-with-microsoft-intune) +> - [Download, Install and Configure the Intune Certificate Connector](#download-install-and-configure-the-intune-certificate-connector) +> - [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile) ## Requirements -You need to install and configure additional infrastructure 
to provide Microsoft Entra joined devices with on-premises single-sign on. +You must install and configure additional infrastructure to provide Microsoft Entra joined devices with on-premises single-sign on. -- An existing Windows Server 2012 R2 or later Enterprise Certificate Authority -- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role +- An existing Windows Server Enterprise Certificate Authority +- A domain joined Windows Server that hosts the Network Device Enrollment Services (NDES) role ### High Availability -The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. +The NDES server role acts as a certificate registration authority (CRA). Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. -The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers, and use Microsoft Intune to load balance then (in round-robin fashion). +The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers, and use Microsoft Intune to load balance then (in round-robin fashion). -The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates. The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template. 
The certificate request purpose has three options: +The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates. The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template. The certificate request purpose has three options: - Signature - Encryption - Signature and Encryption -If you need to deploy more than three types of certificates to the Microsoft Entra joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. +If you need to deploy more than three types of certificates to the Microsoft Entra joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. ### Network Requirements 
@@ -51,36 +52,31 @@ All communication occurs securely over port 443. ## Prepare Microsoft Entra Connect -Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. +Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. -Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. +Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. -To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute. Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. 
+To include the on-premises distinguished name in the certificate's subject, Microsoft Entra Connect must replicate the Active Directory **distinguishedName** attribute to the Microsoft Entra ID **onPremisesDistinguishedName** attribute. Microsoft Entra Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. ### Verify Microsoft Entra Connect version -Sign-in to computer running Microsoft Entra Connect with access equivalent to _local administrator_. +Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*. -1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder. - -2. In the **Synchronization Service Manager**, select **Help** and then select **About**. - -3. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version. +1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder +1. In the **Synchronization Service Manager**, select **Help** and then select **About** +1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version ### Verify the onPremisesDistinguishedName attribute is synchronized The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph. -1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). - -2. Select **Sign in to Graph Explorer** and provide Azure credentials. +1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) +1. Select **Sign in to Graph Explorer** and provide Azure credentials > [!NOTE] - > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted. - -3. Select **Modify permissions (Preview)**. 
Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent. - -4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**. + > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted +1. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent +1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query** > [!NOTE] > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. 
@@ -95,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName ``` -5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**. +1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null** #### Response
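Review bot: in the ClassId row of the cellular settings table (first hunk of this change set), rewording "the attach APN is not only used as the Internet APN" to "the attached APN isn't only used as the Internet APN" changes a technical term rather than fixing grammar: the row is qualifying the **IsAttachAPN** setting, and "attach APN" (the APN the modem uses when it attaches to the network) is the noun being referred to, not a past participle. Keep the term and only apply the contraction, e.g. `| ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attach APN isn't only used as the Internet APN. |`.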
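Review bot: in the "Confirm the settings" hunk (`@@ -55,22 +52,22 @@`), the first step is rewritten to drop its terminal period ("1. On the configured device, open a command prompt as an administrator") while the neighbouring steps keep their colon and periods ("1. Run the following command:", "1. The command lists the mobile broadband profiles. Using the **Name** ... run:"); pick one punctuation convention for the whole procedure rather than changing a single item. The "will" to present-tense rewrites in the same hunk are fine.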
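Review bot: in fod-and-lang-packs.md (`@@ -3,7 +3,7 @@`), `ms.topic` changes from `conceptual` to `reference`, but the article's H1 is still "How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager" and the body tells the reader which policies to set for which OS versions, which is procedural guidance; `how-to` fits that content, or the H1 should drop the "How to" framing if a reference article is intended. Related: the new opening line "This reference article describes how to ..." hard-codes the topic type into prose and goes stale the next time the metadata changes; the previous "This article describes ..." is safer.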
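Review bot: in the main fod-and-lang-packs.md hunk (`@@ -13,28 +13,44 @@`), the Windows 10, version 2004 through Windows 11, version 21H2 paragraph states the remedy in terms of the same value that defines the problem: the failure is described as occurring when **Specify settings for optional component installation and component repair** "is set to Windows Update and ... SetPolicyDrivenUpdateSourceFor ... is set to WSUS", and the fix then opens with "you can set **Specify settings for optional component installation and component repair** to Windows Update and then either ...", so a reader can't see that the only thing that actually changes is the update source selection. Suggest "keep ... set to Windows Update and then either: change the source selection for feature and quality updates to Windows Update / leave the source selections unconfigured so all classes come from WSUS". Further points in the same hunk: (1) tense in the new intro paragraph is inconsistent, "the ... policy ... was used to specify alternate ways" reads as retired, yet the next sentence says "This policy allows specifying one alternate location" and the version-specific section still instructs clients before Windows 11 22H2 to use it; use present tense and confine the past tense to the 22H2 change. (2) The two bullets ("- Change the source selection ...", "- Allow all classes ...") follow the paragraph with no blank line, which can render as run-on text instead of a list, and the callout is written `> [!Note]` while every other callout in this change set uses `> [!NOTE]`. (3) The moved 1709/1803 paragraph keeps a grammatical error in a `+` line, "depending on the content is found at that location" should be "depending on which content is found at that location", and the 1809 paragraph's "however language packs can only be acquired directly from Windows Update (until Windows 11 version 22H2)" is a comma splice whose parenthetical scope belongs at the start of the paragraph ("In Windows 10 version 1809 through Windows 11 version 21H2, ..."). (4) The link text `SetPolicyDrivenUpdateSourceFor` is a truncated policy name; spell out the policy it links to (`SetPolicyDrivenUpdateSourceForFeatureUpdates`) or say "the SetPolicyDrivenUpdateSourceFor* policies", since the paragraph covers both feature and quality updates.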
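Review bot: in optional-content.md (`@@ -137,7 +138,8 @@`), the new cross-link to fod-and-lang-packs.md sits directly under the bullet "If the policy is configured to acquire content from Windows Update, language packs will be acquired", which is precisely the case the linked article now qualifies: for Windows 10, version 2004 through Windows 11, version 21H2, clients don't download FoDs or language packs when a SetPolicyDrivenUpdateSourceFor policy for feature or quality updates is set to WSUS. Add that caveat to the bullet (or phrase the link as "for the exceptions, see ...") so the two articles don't contradict each other.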
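Review bot: in wufb-wsus.md (`@@ -69,7 +69,8 @@`), the existing bullets below the note link the same CSP policies with anchors `/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature` and `#update-setpolicydrivenupdatesourcefordriver`, while the new text in fod-and-lang-packs.md links `/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates`; the target page can only carry one of these fragment forms, so verify which resolves and use it in both files. Also, the H1 line (`@@ -11,10 +11,10 @@`) and the second note bullet appear as changed with identical text, i.e. trailing-whitespace-only edits; harmless, but they hide the one substantive change (the added third bullet) in the diff. That added bullet would help readers more if it named the failure it guards against in one clause, e.g. "... because clients from Windows 10, version 2004 through Windows 11, version 21H2 don't download FoDs or language packs when the scan source for feature or quality updates is WSUS".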
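Review bot: the seven endpoint articles (windows-11-endpoints-non-enterprise-editions.md and the 1809, 1903, 1909, 2004, 20H2 and 21H1 windows-endpoints-*-non-enterprise-editions.md files) rename the "Windows 10 Family" / "Windows 11 Family" headings to "... Home", which changes the generated fragments from `#windows-10-family` / `#windows-11-family` to `#windows-10-home` / `#windows-11-home`; any inbound link, TOC entry or redirect that targets the old fragment will silently land at the top of the page. Search the repo for `-family` fragment links before merging and update them in the same change.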
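Review bot: in hello-hybrid-aadj-sso-cert.md (`@@ -5,7 +5,7 @@`), the new H1 "Using Certificates for Microsoft Entra joined on-premises single-sign on" carries over a misplaced hyphen; the term is "single sign-on" (the Requirements sentence rewritten later in this file, "to provide Microsoft Entra joined devices with on-premises single-sign on", has the same error). The `title:` front matter is not shown in this hunk; confirm it matches the new H1. Also, this file's front matter still shows `ms.date: 08/19/2018` although most of the article is rewritten here, whereas configure.md and hello-feature-dynamic-lock.md get `ms.date` bumped to 04/23/2024 with no content change at all; move the date bump to the file that changed so `ms.date` keeps meaning "content last reviewed".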
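Review bot: in the hello-hybrid-aadj-sso-cert.md hunk `@@ -16,34 +16,35 @@`, the High Availability paragraph is emitted as a `+` line with only whitespace changed and keeps two errors: "use Microsoft Intune to load balance then (in round-robin fashion)" should read "load balance them", and "install more than one identically configured NDES servers" should be "install two or more identically configured NDES servers". Since the line is already in the diff, fix the wording now. Two more points in the same hunk: the checklist items link to anchors whose wording doesn't match the link text ("Prepare Active Directory Certificate Services" links `#prepare-active-directory-certificate-authority`, "Install the Network Device Enrollment Services Role" links `#install-and-configure-the-ndes-role`), so verify the headings they point at still exist while these lines are being rewritten; and the requirement bullets drop the minimum version ("Windows Server 2012 R2 or later" becomes "An existing Windows Server Enterprise Certificate Authority"), so if the intent is "any supported Windows Server version", say that explicitly rather than leaving the floor unstated.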
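Review bot: in the hello-hybrid-aadj-sso-cert.md hunk `@@ -51,36 +52,31 @@`, the rewritten line "Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*." only swaps `_` for `*` and leaves the grammar: the verb is "Sign in", and an article is missing ("to the computer running"). In the same hunk, "provide Azure credentials" should become "provide Microsoft Entra credentials" to match the Entra renaming this change set applies to the title; the whitespace-only `+` line "which prevents the user principal name as a hint to locate a domain controller" should read "prevents using the user principal name as a hint"; and the unchanged intro "verify that the onPremisesDistingushedNamne attribute is synchronized" misspells **onPremisesDistinguishedName** (the same misspelling shows up as this hunk's successor header), which is worth fixing while the section is being reformatted.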
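Review bot: in the hello-hybrid-aadj-sso-cert.md hunk `@@ -95,7 +91,7 @@`, the rewritten step "If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**" needs a comma after "synchronized", and "will be" should become "is", consistent with the future-to-present rewrites applied elsewhere in this change set.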