From 61b4543f5934f3eb6ea4ae6bb294367a26cba67b Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 15 Jul 2022 02:09:46 +0530 Subject: [PATCH 01/77] Update hello-faq.yml --- .../hello-for-business/hello-faq.yml | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 66e88ee1a6..dde0048337 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -144,7 +144,25 @@ sections: - question: Is Windows Hello for Business multi-factor authentication? answer: | Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something that's part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". - + + - question: Where is Windows Hello biometrics data stored? + answer: | + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on this page). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see Windows Hello biometrics in the enterprise (Windows) - Windows security | Microsoft Docs. + + - question: What is the format used to store Windows Hello biometrics data on the device? + answer: | + Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (e.g., face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. 
Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing a SHA256 hash. + + - question: Who has access on Windows Hello biometrics data? + answer: | + Since Windows Hello biometrics data is stored in encrypted format, no user, or any process other than Windows Hello has access to it. + + - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication? + answer: | + Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, but it is always your choice if you want to use WH/WHfB or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to Start > Settings > Accounts > Sign-in options. Or just click on Go to Sign-in options. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select Set up. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into WHFB during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows hello biometrics is always optional for users. + + + - question: What are the biometric requirements for Windows Hello for Business? 
answer: | Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. From 965f2b766190e2737d5b6cf14cc935ab144a5da7 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 15 Jul 2022 10:49:15 +0530 Subject: [PATCH 02/77] Update hello-faq.yml --- .../hello-for-business/hello-faq.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index dde0048337..3f039f4dfa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -159,10 +159,16 @@ sections: - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication? answer: | - Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, but it is always your choice if you want to use WH/WHfB or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to Start > Settings > Accounts > Sign-in options. Or just click on Go to Sign-in options. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select Set up. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into WHFB during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows hello biometrics is always optional for users. - + Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use WH/WHfB or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just click on Go to Sign-in options. 
To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into WHFB during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. + - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? + answer: | + To remove Windows Hello and any associated biometric identification data from the device, user can go to Start > Settings > Accounts > Sign-in options. Select the Windows Hello biometrics authentication method you want to remove, and then select Remove. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see Windows sign-in options and account protection (microsoft.com). + - question: What about any diagnostic data coming out when WHFB is enabled? + answer: | + To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. 
Learn more about https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319. + - question: What are the biometric requirements for Windows Hello for Business? answer: | Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. From 540384e80ef520d8d6d2a680cfcbf985e19b61db Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 15 Jul 2022 10:53:45 +0530 Subject: [PATCH 03/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 3f039f4dfa..a4af51bae4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -167,7 +167,7 @@ sections: - question: What about any diagnostic data coming out when WHFB is enabled? answer: | - To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. Learn more about https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319. + To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. Learn more about [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319. - question: What are the biometric requirements for Windows Hello for Business? answer: | From b92ad157c84bc632ccce28fd663d95e55cb7417a Mon Sep 17 00:00:00 2001 
From: Nimisha Satapathy Date: Fri, 15 Jul 2022 10:54:18 +0530 Subject: [PATCH 04/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index a4af51bae4..18e9e0288a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -167,7 +167,7 @@ sections: - question: What about any diagnostic data coming out when WHFB is enabled? answer: | - To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. Learn more about [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319. + To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319. - question: What are the biometric requirements for Windows Hello for Business? answer: | From 89c6dc99234d52d4c0f4b0e9cfef7fa8e19156e1 Mon Sep 17 00:00:00 2001 
From: Nimisha Satapathy Date: Fri, 15 Jul 2022 11:02:50 +0530 Subject: [PATCH 05/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 18e9e0288a..aea58baf8c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -167,7 +167,7 @@ sections: - question: What about any diagnostic data coming out when WHFB is enabled? answer: | - To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319. + To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). - question: What are the biometric requirements for Windows Hello for Business? answer: | From f15d46a13323ef960c3fb5340c2f0a3d6190bf71 Mon Sep 17 00:00:00 2001 
From: Nimisha Satapathy Date: Fri, 15 Jul 2022 17:37:40 +0530 Subject: [PATCH 06/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index aea58baf8c..cd4177b9c1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -147,7 +147,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on this page). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see Windows Hello biometrics in the enterprise (Windows) - Windows security | Microsoft Docs. + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on this page). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise (Windows) - Windows security | Microsoft Docs] (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | From e0831683d5bb787d5964f317e446d14a95607c9a Mon Sep 17 00:00:00 2001 
From: Nimisha Satapathy Date: Fri, 15 Jul 2022 17:40:20 +0530 Subject: [PATCH 07/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index cd4177b9c1..579a253058 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -147,7 +147,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on this page). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise (Windows) - Windows security | Microsoft Docs] (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on this page). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise] (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | From dc31beae915debd4d20e9e16c66dbf3299d65a0f Mon Sep 17 00:00:00 2001 
From: Nimisha Satapathy Date: Fri, 15 Jul 2022 17:58:53 +0530 Subject: [PATCH 08/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 579a253058..0c0b86d802 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -147,7 +147,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on this page). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise] (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on this page). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | From c242cebcb3318a8c2c424661376e54583a6f6428 Mon Sep 17 00:00:00 2001 
From: Nimisha Satapathy Date: Wed, 20 Jul 2022 23:05:42 +0530 Subject: [PATCH 09/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 0c0b86d802..0bf1eb6155 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -159,11 +159,11 @@ sections: - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication? answer: | - Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use WH/WHfB or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just click on Go to Sign-in options. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into WHFB during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. + Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just click on **Go to Sign-in options**. 
To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? answer: | - To remove Windows Hello and any associated biometric identification data from the device, user can go to Start > Settings > Accounts > Sign-in options. Select the Windows Hello biometrics authentication method you want to remove, and then select Remove. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see Windows sign-in options and account protection (microsoft.com). + To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see Windows sign-in options and account protection (microsoft.com). - question: What about any diagnostic data coming out when WHFB is enabled? answer: | From 3b03b6395ed1ccc36ee8a1fa0d27ecd37d2c94ca Mon Sep 17 00:00:00 2001 
From: Nimisha Satapathy Date: Thu, 21 Jul 2022 08:38:14 +0530 Subject: [PATCH 10/77] Update hello-faq.yml --- .../hello-for-business/hello-faq.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 0bf1eb6155..675be3c944 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -28,11 +28,11 @@ sections: questions: - question: What is Windows Hello for Business cloud trust? answer: | - Windows Hello for Business cloud trust is a new trust model that is planned to be introduced in early 2022. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + Windows Hello for Business cloud trust is a new trust model that is planned to be introduced in early 2022. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it's generally available. - question: What about virtual smart cards? answer: | - Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8. + Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. 
Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8. - question: What about convenience PIN? answer: | @@ -40,7 +40,7 @@ sections: - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. RDP with supplied credentials is currently only supported with certificate-based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). + Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. RDP with supplied credentials is currently only supported with certificate-based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? answer: | 
@@ -48,11 +48,11 @@ sections: - question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer? answer: | - The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. + The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we'll strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. - question: How can a PIN be more secure than a password? answer: | - When using Windows Hello for Business, the PIN is not a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. + When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. 
The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. 
@@ -163,7 +163,7 @@ sections: - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? answer: | - To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see Windows sign-in options and account protection (microsoft.com). + To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). - question: What about any diagnostic data coming out when WHFB is enabled? answer: | 
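Review bot: The link added to the unenroll answer hard-codes the "en-us" locale in the support.microsoft.com URL and keeps "(microsoft.com)" inside the link text. Prefer a locale-neutral URL if the site resolves it, and trim the link text to the page title. On the same line, "user can go to" is missing an article and "For more details see" needs a comma before the link.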
@@ -223,13 +223,13 @@ sections: - question: How are keys protected? answer: | - Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business do not require a TPM. Administrators can choose to allow key operations in software. + Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business don't require a TPM. Administrators can choose to allow key operations in software. - Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to re-authenticate to the IDP before the IDP allows them to re-register). + Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against various known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to reauthenticate to the IDP before the IDP allows them to re-register). - question: Can Windows Hello for Business work in air-gapped environments? answer: | - Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require internet connectivity to achieve an air-gapped Windows Hello for Business deployment. + Yes. 
You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that doesn't require internet connectivity to achieve an air-gapped Windows Hello for Business deployment. - question: Can I use third-party authentication providers with Windows Hello for Business? answer: | 
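Review bot: In the TPM paragraph of the "How are keys protected?" answer, the new wording puts "reauthenticate" and "re-register" in the same parenthetical, so the hyphenation is now inconsistent within one sentence; use one style for both. "IDP" is also not expanded in this answer.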
@@ -242,16 +242,16 @@ sections: | Protocol | Description | | :---: | :--- | | [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | - | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | + | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. | | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | - | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. 
| + | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define other claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define more provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. | - question: Does Windows Hello for Business work with Mac and Linux clients? answer: | - Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). - Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms. + Windows Hello for Business is a feature of Windows 10. At this time, Microsoft isn't developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration). + Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft isn't developing clients for other platforms. - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? answer: | - No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD is not available for it via Azure AD Connect. 
Hence, Windows Hello for Business does not work with Azure AD. + No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD. From 6acf7000150a93ce7d44a12e6471755f57d01725 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 21 Jul 2022 08:48:31 +0530 Subject: [PATCH 11/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 675be3c944..5628595051 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
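Review bot: In the @@ -242,16 hunk of PATCH 01/77, the MS-OAPX row changes "login hints" to "log in hints", which turns a noun modifier into a verb phrase and no longer reads correctly; keep "login hints". In the same hunk, the Mac and Linux answer edits two near-duplicate paragraphs ("is a feature of Windows 10" and "is a feature of the Windows platform") instead of removing one of them, and the Azure AD DS answer still concludes "doesn't work with Azure AD" although the question and the preceding sentence are about Azure AD DS. The MS-OIDCE change from "additional claims" to "other claims" also shifts the meaning and should be checked against the specification wording.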
@@ -53,7 +53,6 @@ sections: - question: How can a PIN be more secure than a password? answer: | When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. - The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. - question: How does Windows Hello for Business work with Azure AD registered devices? From 5b2d81c57e5da5ae8b7d91a06c4cfa01729d450b Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 27 Jul 2022 12:40:25 +0530 Subject: [PATCH 12/77] Updated --- .../hello-for-business/hello-faq.yml | 4 +-- .../hello-feature-pin-reset.md | 36 ++++++++++++------- 2 files changed, 26 insertions(+), 14 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 10889efea1..a5f33821a1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml 
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -128,9 +128,9 @@ sections: - question: What's the difference between non-destructive and destructive PIN reset? answer: | - Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). + Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 version 1903 and later and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without reprovisioning a new Windows Hello for Business enrollment. This flow is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md). - Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. 
On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. + Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 version 1903 and later can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to reprovision their Windows Hello for Business credential. Reprovisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. For hybrid Azure Active Directory joined devices, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: | Which is better or more secure, key trust or certificate trust? diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 2ee149c236..25e1d6870c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
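Review bot: Replacing "Windows 10 Enterprise" with "Windows 10 version 1903 and later" in both paragraphs of the PIN reset answer (@@ -128,9, hello-faq.yml) disagrees with hello-feature-pin-reset.md in this same commit, which lists non-destructive reset for "Windows 10, version 1709 to 1809, **Enterprise Edition**" and says destructive reset "is the default and doesn't require configuration". As written, "those not using Windows 10 version 1903 and later can use destructive PIN reset" reads as if destructive reset were a fallback for older builds only. Suggest stating the edition and version requirement once, matching the PIN reset page, and setting "version 1903 and later" off with commas.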
@@ -1,6 +1,6 @@ --- title: Pin Reset -description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. +description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. ms.prod: m365-security author: GitPrakhar13 ms.author: prsriva 
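Review bot: The description fix corrects the verb agreement but leaves the clause order awkward: "help users recover who have forgotten their PIN". Suggest "help users who have forgotten their PIN recover it". The title line in the same front matter reads "Pin Reset" while the rest of the page writes "PIN"; worth aligning in this change.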
@@ -22,16 +22,16 @@ ms.date: 5/3/2021 Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN. -There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and does not require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. +There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. 
## Using PIN Reset **Requirements** -- Reset from settings - Windows 10, version 1703 -- Reset above Lock - Windows 10, version 1709 +- Reset from settings - Windows 10, version 1703 or later, Windows 11 +- Reset above Lock - Windows 10, version 1709 or later, Windows 11 -Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they do not have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider. +Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they don't have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider. >[!IMPORTANT] >For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. 
@@ -39,14 +39,14 @@ Destructive and non-destructive PIN reset use the same entry points for initiati ### Reset PIN from Settings 1. Sign-in to Windows 10, version 1703 or later using an alternate credential. -2. Open **Settings**, click **Accounts**, click **Sign-in options**. +2. Open **Settings**, click **Accounts**, select **Sign-in options**. 3. Under **PIN**, click **I forgot my PIN** and follow the instructions. ### Reset PIN above the Lock Screen For Azure AD-joined devices: -1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. +1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon. 1. Click **I forgot my PIN** from the PIN credential provider. 1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e., Password, PIN, Security key). 1. Follow the instructions provided by the provisioning process. 
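Review bot: Step 2 of "Reset PIN from Settings" now mixes verbs inside one sentence, "click **Accounts**, select **Sign-in options**", while step 3 and the lock-screen steps still use "Click". Apply one verb across the whole procedure. Step 1 also still names only "Windows 10, version 1703 or later" although the requirements list was extended with Windows 11 in the previous hunk.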
@@ -72,8 +72,8 @@ Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch **Requirements:** - Azure Active Directory -- Hybrid Windows Hello for Business deployment -- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined +- Hybrid Azure Active Directory joined Windows Hello for Business deployment +- Azure Active Directory AD registered, Azure Active Directory joined Azure AD joined, and Hybrid Azure Active Directory AD joined - Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903. When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. 
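Review bot: The third requirement bullet looks like a find-and-replace that was applied without removing the old text: "Azure Active Directory AD registered, Azure Active Directory joined Azure AD joined, and Hybrid Azure Active Directory AD joined". It should read along the lines of "Azure Active Directory registered, Azure Active Directory joined, and hybrid Azure Active Directory joined". The second bullet, "Hybrid Azure Active Directory joined Windows Hello for Business deployment", now mixes a device join state with a deployment model and needs rewording as well.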
@@ -81,9 +81,21 @@ When non-destructive PIN reset is enabled on a client, a 256-bit AES key is gene Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. >[!IMPORTANT] -> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer. +> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809 and later, and Windows 11. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and later, Windows 11. > The Microsoft PIN Reset service is not currently available in Azure Government. +### Summary + +|Category|Destructive PIN Reset|Non-Destructive PIN Reset| +|--- |--- |--- | +|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](hello-feature-pin-reset.md). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| +|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. 
There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| +|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| +|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| +|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| +|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.| +|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| + ### Onboarding the Microsoft PIN reset service to your Intune tenant Before you can remotely reset PINs, you must on-board the Microsoft PIN reset service to your Azure Active Directory tenant, and configure devices you manage. 
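Review bot: The edited IMPORTANT note now says the service "only works with **Enterprise Edition** for Windows 10, version 1709 to 1809 and later, and Windows 11", which is a contradictory range and conflicts with the next sentence (Enterprise and Pro from version 1903) and with the requirement "There is no licensing requirement for this feature since version 1903". Keep the Enterprise-only restriction scoped to versions 1709 to 1809. In the new Summary table, the "Connect Azure Active Directory with the PIN reset service" link targets hello-feature-pin-reset.md, the page it sits on, without a section anchor; the "Additional Configuration required" cell runs three steps together without punctuation and ends in "Group *Policy\MDM*"; and "version 1903 and newer Windows 11" is missing a separator.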
@@ -210,11 +222,11 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png"::: -1. Click the Save button to save the custom configuration. +1. Click the **Save** button to save the custom configuration. 1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button. -1. On the Applicability rules page, click Next. +1. On the Applicability rules page, click **Next**. 1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups. From 15517fac7ddb06860ef466aa8498cb057e44574b Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 28 Jul 2022 01:14:25 +0530 Subject: [PATCH 13/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index a5f33821a1..7653afe938 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -157,7 +157,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on this page). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on (Windows Hello face authentication | Microsoft Docs)[https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication.md]. This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). 
- question: What is the format used to store Windows Hello biometrics data on the device? answer: | From 3ffbbedb8a2d9f0887e2bb154d446d6a8087870b Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 28 Jul 2022 01:22:49 +0530 Subject: [PATCH 14/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 7653afe938..283a663404 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
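Review bot: The link added in PATCH 13/77 (@@ -157,7) uses inverted Markdown syntax, "(Windows Hello face authentication | Microsoft Docs)[https://...]", so it renders as literal text, and the parenthesis opened at "(more information can be found on" is never closed. The target is an absolute docs.microsoft.com URL carrying an "en-us" locale segment and a ".md" source extension, whereas other links in this file use the site-relative form such as "/azure/active-directory/...". Suggest "[Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication)" with the closing parenthesis restored.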
@@ -157,7 +157,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created (more information can be found on (Windows Hello face authentication | Microsoft Docs)[https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication.md]. This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication] (https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. 
For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | From a329f119f1aba46eb662daef5057eead6e130b75 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 28 Jul 2022 01:25:39 +0530 Subject: [PATCH 15/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 283a663404..6ba424654d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -157,7 +157,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication] (https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication] (https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication.md). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. 
For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | From 4943e64ad8c07f399fda846ce5af57848170a94c Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 28 Jul 2022 01:28:13 +0530 Subject: [PATCH 16/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 6ba424654d..07147cdfb9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -157,7 +157,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication] (https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication.md). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication.md). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. 
For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | From 6f10c57f3d162b2f0d8da33751413a9e2d102a0e Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 28 Jul 2022 01:31:24 +0530 Subject: [PATCH 17/77] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 07147cdfb9..9dcd4dbfbd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -157,7 +157,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication.md). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. 
For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | From 438636aa6e64942f8afb9978c68200db23b68c89 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 28 Jul 2022 14:05:07 +0530 Subject: [PATCH 18/77] Update hello-feature-pin-reset.md --- .../hello-for-business/hello-feature-pin-reset.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 25e1d6870c..31b75be5b4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -73,8 +73,8 @@ Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch - Azure Active Directory - Hybrid Azure Active Directory joined Windows Hello for Business deployment -- Azure Active Directory AD registered, Azure Active Directory joined Azure AD joined, and Hybrid Azure Active Directory AD joined -- Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903. +- Azure Active Directory registered, Azure Active Directory joined, and Hybrid Azure Active Directory joined. +- Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. 
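Review bot: In the @@ -73,8 +73,8 @@ hunk of hello-feature-pin-reset.md, the rewritten bullet "Azure Active Directory registered, Azure Active Directory joined, and Hybrid Azure Active Directory joined." now ends with a period while the two unchanged bullets above it do not; drop the period so the list stays consistent. Removing the bold from "Enterprise Edition" matches the unbolded wording of the same sentence in the comparison table later in this file, so that part needs no change.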
@@ -88,7 +88,7 @@ Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Wind |Category|Destructive PIN Reset|Non-Destructive PIN Reset| |--- |--- |--- | -|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](hello-feature-pin-reset.md). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| +|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset#onboarding-the-microsoft-pin-reset-service-to-your-intune-tenant). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| |**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. 
Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| |**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| |**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| From 5cec028b5ba1c4f2771b0d5dbed968f0e9b81b78 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 28 Jul 2022 14:11:53 +0530 Subject: [PATCH 19/77] Update hello-feature-pin-reset.md --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 31b75be5b4..6a7ae26f87 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -88,7 +88,7 @@ Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Wind |Category|Destructive PIN Reset|Non-Destructive PIN Reset| |--- |--- |--- | -|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset#onboarding-the-microsoft-pin-reset-service-to-your-intune-tenant). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| +|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset#onboarding-the-microsoft-pin-reset-service-to-your-intune-tenant.md). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| |**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. 
Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| |**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| |**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| From c974319c341f2a8d24f2d50653dd7c9fb793e532 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 29 Jul 2022 10:19:55 +0530 Subject: [PATCH 20/77] Update hello-feature-pin-reset.md --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 6a7ae26f87..2b4c89e9d0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -88,7 +88,7 @@ Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Wind |Category|Destructive PIN Reset|Non-Destructive PIN Reset| |--- |--- |--- | -|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset#onboarding-the-microsoft-pin-reset-service-to-your-intune-tenant.md). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| +|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| |**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. 
There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| |**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| |**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| From cce13d6a47c9f5f106bb53576b3d764307217cd3 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 05:35:44 +0530 Subject: [PATCH 21/77] Updated-6247330 Converted DO FAQ to YAML and added to the TOC. --- windows/deployment/do/TOC.yml | 4 +- ... => waas-delivery-optimization-faq-old.md} | 0 .../update/waas-delivery-optimization-faq.yml | 105 ++++++++++++++++++ 3 files changed, 108 insertions(+), 1 deletion(-) rename windows/deployment/update/{waas-delivery-optimization-faq.md => waas-delivery-optimization-faq-old.md} (100%) create mode 100644 windows/deployment/update/waas-delivery-optimization-faq.yml diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index ba824d08fb..5a0793025d 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -7,7 +7,9 @@ href: waas-delivery-optimization.md - name: What's new href: whats-new-do.md - + - name: Delivery Optimization Frequently Asked Questions + href: waas-delivery-optimization-faq.yml + - name: Configure Delivery Optimization 
diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq-old.md similarity index 100% rename from windows/deployment/update/waas-delivery-optimization-faq.md rename to windows/deployment/update/waas-delivery-optimization-faq-old.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq.yml b/windows/deployment/update/waas-delivery-optimization-faq.yml new file mode 100644 index 0000000000..956bf2799c --- /dev/null +++ b/windows/deployment/update/waas-delivery-optimization-faq.yml 
@@ -0,0 +1,105 @@ +### YamlMime:FAQ +metadata: + title: Delivery Optimization Frequently Asked Questions + description: The following is a list of frequently asked questions for Delivery Optimization. + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: aaroncz + ms.prod: m365-security + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: carmenf + ms.author: carmenf + manager: dougeby + audience: ITPro + ms.collection: + - M365-security-compliance + - highpri + ms.topic: faq + ms.date: 08/04/2022 + ms.custom: seo-marvel-apr2020 +title: Delivery Optimization Frequently Asked Questions +summary: | + **Applies to** + - Windows 10 + - Windows 11 + + +sections: + - name: Ignored + questions: + - question: Does Delivery Optimization work with WSUS? + answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + + - question: Which ports does Delivery Optimization use? + answer: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + + Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + + Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. 
+ + - question: What are the requirements if I use a proxy? + answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). + + - question: What hostnames should I allow through my firewall to support Delivery Optimization? + answer: | + **For communication between clients and the Delivery Optimization cloud service**: + + - `*.do.dsp.mp.microsoft.com` + + **For Delivery Optimization metadata**: + + - `*.dl.delivery.mp.microsoft.com` + - `*.emdl.ws.microsoft.com` + + **For the payloads (optional)**: + + - `*.download.windowsupdate.com` + - `*.windowsupdate.com` + + **For group peers across multiple NATs (Teredo)**: + + - `win1910.ipv6.microsoft.com` + + - question: Does Delivery Optimization use multicast? + answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. + + - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? + answer: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + + - question: How does Delivery Optimization handle VPNs? + answer: | + Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. 
A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + + If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + + If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. + + With split tunneling, make sure to allow direct access to these endpoints: + + Delivery Optimization service endpoint: + + - `https://*.prod.do.dsp.mp.microsoft.com` + + Delivery Optimization metadata: + + - `http://emdl.ws.microsoft.com` + - `http://*.dl.delivery.mp.microsoft.com` + + Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + + - `http://*.windowsupdate.com` + - `https://*.delivery.mp.microsoft.com` + - `https://*.update.microsoft.com` + - `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + + For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). + + - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? + answer: | + Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. 
If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. + + > [!NOTE] + > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. + From 79fd24833da09dc0a528b0761fda5e98dc1db312 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 05:43:38 +0530 Subject: [PATCH 22/77] Updated-6247330 File path updated. --- .../deployment/{update => do}/waas-delivery-optimization-faq.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/deployment/{update => do}/waas-delivery-optimization-faq.yml (100%) diff --git a/windows/deployment/update/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml similarity index 100% rename from windows/deployment/update/waas-delivery-optimization-faq.yml rename to windows/deployment/do/waas-delivery-optimization-faq.yml From c31abe9f41b951afc2dc1995aabf55c657bb4242 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 06:01:01 +0530 Subject: [PATCH 23/77] Updated-6247330 Updated links to address PR Warnings. --- windows/deployment/do/TOC.yml | 2 +- windows/deployment/do/delivery-optimization-endpoints.md | 2 +- windows/deployment/do/index.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 30533f66b8..72ef0f8a71 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml 
@@ -19,7 +19,7 @@ - name: Windows Delivery Optimization settings href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings - name: Windows Delivery Optimization Frequently Asked Questions - href: ../update/waas-delivery-optimization-faq.md + href: ../do/waas-delivery-optimization-faq.yml - name: Configure Microsoft Endpoint Manager items: - name: Delivery Optimization settings in Microsoft Intune diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index da591eeadd..984e7fd026 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -33,5 +33,5 @@ This article lists the endpoints that need to be allowed through the firewall to | *.statics.teams.cdn.office.net | HTTP / 80
HTTPs / 443 | Teams | | Microsoft Endpoint Configuration Manager Distribution Point | | *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point | | *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Endpoint Configuration Manager Distribution Point | -| *.do.dsp.mp.microsoft.com | HTTP / 80
HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../update/waas-delivery-optimization-faq.md#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | +| *.do.dsp.mp.microsoft.com | HTTP / 80
HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | | *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671
MQTT / 8883
HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index a2db6aedca..85d6ee2703 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -49,7 +49,7 @@ landingContent: - text: Troubleshoot Delivery Optimization url: waas-delivery-optimization-setup.md#troubleshooting - text: Delivery Optimization Frequently Asked Questions - url: ../update/waas-delivery-optimization-faq.md + url: ../do/waas-delivery-optimization-faq.yml - text: Submit feedback url: https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332 From e0a893a2d91929c1107e89b73a5b5e71c9bfc231 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 06:14:25 +0530 Subject: [PATCH 24/77] Updated-6247330 Indentation changes made to separate sentences in the paragraph. --- windows/deployment/do/waas-delivery-optimization-faq.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 956bf2799c..0fe613a87a 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
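Review bot: In delivery-optimization-endpoints.md, the replacement link on the `*.do.dsp.mp.microsoft.com` row drops the `#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization` fragment, so "Complete list" now lands at the top of the FAQ instead of on the hostname allow-list question. If the YAML FAQ still exposes an anchor for that question, keep the fragment on the new `.yml` target; otherwise reword the link text so it no longer promises a list. The target is also written as `../do/waas-delivery-optimization-faq.yml` from files that already live in `windows/deployment/do/` (here and in index.yml), so `waas-delivery-optimization-faq.yml` would be enough.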
@@ -33,11 +33,12 @@ sections: answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - question: Which ports does Delivery Optimization use? - answer: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + answer: | + Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. 
- Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. + Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - question: What are the requirements if I use a proxy? answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). @@ -62,6 +63,8 @@ sections: - `win1910.ipv6.microsoft.com` + For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. + - question: Does Delivery Optimization use multicast? answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. From 32faa3e016f2c2d0d4e4b72e3d4c51edf71cf8d4 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:01:44 +0530 Subject: [PATCH 25/77] Updated-6247330 Redirection file updated. --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 798ab55b18..46855dc966 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
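Review bot: In the "Which ports does Delivery Optimization use?" answer of waas-delivery-optimization-faq.yml, the reflowed text still says "HTTP or HTTPS traffic over port 80" and "HTTP/HTTPS over port 80", while delivery-optimization-endpoints.md in this same series lists `*.do.dsp.mp.microsoft.com` as "HTTP / 80" and "HTTPs / 443". Administrators turn this answer into firewall rules, so state the HTTPS port explicitly while the paragraph is being touched. It would also help to say whether "accept inbound traffic through your firewall" for ports 7680 and 3544 means the host firewall, the perimeter firewall, or both, since the sentence before it says the service opens the port on the device itself.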
@@ -19589,6 +19589,11 @@ "source_path": "windows/whats-new/contribute-to-a-topic.md", "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-delivery-optimization-faq.md", + "redirect_url": "/windows/deployment/do/waas-delivery-optimization-faq", + "redirect_document_id": false } ] } From f0cfa7f2509fc65e0d784e46e4541d2dd7d767ca Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:20:54 +0530 Subject: [PATCH 26/77] Updated-6247330 Deleting the old file. --- .../waas-delivery-optimization-faq-old.md | 101 ------------------ 1 file changed, 101 deletions(-) delete mode 100644 windows/deployment/update/waas-delivery-optimization-faq-old.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq-old.md b/windows/deployment/update/waas-delivery-optimization-faq-old.md deleted file mode 100644 index e7787d0b50..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-faq-old.md +++ /dev/null 
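Review bot: The new entry for `windows/deployment/update/waas-delivery-optimization-faq.md` in .openpublishing.redirection.json sets `"redirect_document_id": false`, while the redirects added for the moved access-control articles in [PATCH 29/77] set it to `true`. Please confirm `false` is intended for a page whose content moved rather than being retired. This hunk and the [PATCH 29/77] hunk also both start from blob 798ab55b18 and insert after the same `contribute-to-a-topic.md` entry at line 19589, so one of the two will need a rebase before they apply in sequence.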
@@ -1,101 +0,0 @@ ---- -title: Delivery Optimization Frequently Asked Questions -ms.reviewer: aaroncz -manager: dougeby -description: The following is a list of frequently asked questions for Delivery Optimization. -ms.prod: w10 -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Delivery Optimization Frequently Asked Questions - -**Applies to** - -- Windows 10 -- Windows 11 - -## Does Delivery Optimization work with WSUS? - -Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - -## Which ports does Delivery Optimization use? - -Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - -Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. - -Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - -## What are the requirements if I use a proxy? - -For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). 
Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - -## What hostnames should I allow through my firewall to support Delivery Optimization? - -**For communication between clients and the Delivery Optimization cloud service**: - -- `*.do.dsp.mp.microsoft.com` - -**For Delivery Optimization metadata**: - -- `*.dl.delivery.mp.microsoft.com` -- `*.emdl.ws.microsoft.com` - -**For the payloads (optional)**: - -- `*.download.windowsupdate.com` -- `*.windowsupdate.com` - -**For group peers across multiple NATs (Teredo)**: - -- `win1910.ipv6.microsoft.com` - -For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. - -## Does Delivery Optimization use multicast? - -No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - -## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - -Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - -## How does Delivery Optimization handle VPNs? - -Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - -If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. 
However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - -If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. - -With split tunneling, make sure to allow direct access to these endpoints: - -Delivery Optimization service endpoint: - -- `https://*.prod.do.dsp.mp.microsoft.com` - -Delivery Optimization metadata: - -- `http://emdl.ws.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` - -Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads - -- `http://*.windowsupdate.com` -- `https://*.delivery.mp.microsoft.com` -- `https://*.update.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - -For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - -## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? - -Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. 
- -> [!NOTE] -> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. From 7d5a767df347a85b9d530a2ccc1d52121b567c22 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:29:29 +0530 Subject: [PATCH 27/77] Updated-6247330 Adding the file again and renaming it to its original name so that we can delete it in the next update to match the redirection entry. --- .../update/waas-delivery-optimization-faq.md | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 windows/deployment/update/waas-delivery-optimization-faq.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md new file mode 100644 index 0000000000..e7787d0b50 --- /dev/null +++ b/windows/deployment/update/waas-delivery-optimization-faq.md 
@@ -0,0 +1,101 @@ +--- +title: Delivery Optimization Frequently Asked Questions +ms.reviewer: aaroncz +manager: dougeby +description: The following is a list of frequently asked questions for Delivery Optimization. +ms.prod: w10 +author: carmenf +ms.localizationpriority: medium +ms.author: carmenf +ms.collection: M365-modern-desktop +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Delivery Optimization Frequently Asked Questions + +**Applies to** + +- Windows 10 +- Windows 11 + +## Does Delivery Optimization work with WSUS? + +Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + +## Which ports does Delivery Optimization use? + +Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + +Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + +Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. + +## What are the requirements if I use a proxy? + +For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). 
Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). + +## What hostnames should I allow through my firewall to support Delivery Optimization? + +**For communication between clients and the Delivery Optimization cloud service**: + +- `*.do.dsp.mp.microsoft.com` + +**For Delivery Optimization metadata**: + +- `*.dl.delivery.mp.microsoft.com` +- `*.emdl.ws.microsoft.com` + +**For the payloads (optional)**: + +- `*.download.windowsupdate.com` +- `*.windowsupdate.com` + +**For group peers across multiple NATs (Teredo)**: + +- `win1910.ipv6.microsoft.com` + +For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. + +## Does Delivery Optimization use multicast? + +No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. + +## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? + +Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + +## How does Delivery Optimization handle VPNs? + +Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + +If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. 
However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + +If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. + +With split tunneling, make sure to allow direct access to these endpoints: + +Delivery Optimization service endpoint: + +- `https://*.prod.do.dsp.mp.microsoft.com` + +Delivery Optimization metadata: + +- `http://emdl.ws.microsoft.com` +- `http://*.dl.delivery.mp.microsoft.com` + +Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + +- `http://*.windowsupdate.com` +- `https://*.delivery.mp.microsoft.com` +- `https://*.update.microsoft.com` +- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + +For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). + +## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? + +Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. 
+ +> [!NOTE] +> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. From feff2389e3919fd4a89a9429d514975595707ca4 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:34:49 +0530 Subject: [PATCH 28/77] Updated-6247330 Deleted the original file to align with the redirection entry. --- .../update/waas-delivery-optimization-faq.md | 101 ------------------ 1 file changed, 101 deletions(-) delete mode 100644 windows/deployment/update/waas-delivery-optimization-faq.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md deleted file mode 100644 index e7787d0b50..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-faq.md +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -title: Delivery Optimization Frequently Asked Questions -ms.reviewer: aaroncz -manager: dougeby -description: The following is a list of frequently asked questions for Delivery Optimization. -ms.prod: w10 -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Delivery Optimization Frequently Asked Questions - -**Applies to** - -- Windows 10 -- Windows 11 - -## Does Delivery Optimization work with WSUS? - -Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - -## Which ports does Delivery Optimization use? - -Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - -Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. - -Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - -## What are the requirements if I use a proxy? - -For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). 
Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - -## What hostnames should I allow through my firewall to support Delivery Optimization? - -**For communication between clients and the Delivery Optimization cloud service**: - -- `*.do.dsp.mp.microsoft.com` - -**For Delivery Optimization metadata**: - -- `*.dl.delivery.mp.microsoft.com` -- `*.emdl.ws.microsoft.com` - -**For the payloads (optional)**: - -- `*.download.windowsupdate.com` -- `*.windowsupdate.com` - -**For group peers across multiple NATs (Teredo)**: - -- `win1910.ipv6.microsoft.com` - -For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. - -## Does Delivery Optimization use multicast? - -No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - -## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - -Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - -## How does Delivery Optimization handle VPNs? - -Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - -If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. 
However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - -If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. - -With split tunneling, make sure to allow direct access to these endpoints: - -Delivery Optimization service endpoint: - -- `https://*.prod.do.dsp.mp.microsoft.com` - -Delivery Optimization metadata: - -- `http://emdl.ws.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` - -Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads - -- `http://*.windowsupdate.com` -- `https://*.delivery.mp.microsoft.com` -- `https://*.update.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - -For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - -## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? - -Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. 
- -> [!NOTE] -> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. From 6a789018bb12fb6daab49519f031d7367184b683 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 4 Aug 2022 17:40:04 -0400 Subject: [PATCH 29/77] 4246040 AD Remove Redirect --- .openpublishing.redirection.json | 44 +- windows/security/TOC.yml | 16 - .../active-directory-accounts.md | 621 ------- .../active-directory-security-groups.md | 1431 ----------------- .../access-control/dynamic-access-control.md | 140 -- .../access-control/microsoft-accounts.md | 186 --- .../access-control/security-identifiers.md | 331 ---- .../access-control/security-principals.md | 148 -- .../access-control/service-accounts.md | 112 -- .../access-control/special-identities.md | 448 ------ 10 files changed, 42 insertions(+), 3435 deletions(-) delete mode 100644 windows/security/identity-protection/access-control/active-directory-accounts.md delete mode 100644 windows/security/identity-protection/access-control/active-directory-security-groups.md delete mode 100644 windows/security/identity-protection/access-control/dynamic-access-control.md delete mode 100644 windows/security/identity-protection/access-control/microsoft-accounts.md delete mode 100644 windows/security/identity-protection/access-control/security-identifiers.md delete mode 100644 windows/security/identity-protection/access-control/security-principals.md delete mode 100644 windows/security/identity-protection/access-control/service-accounts.md delete mode 100644 windows/security/identity-protection/access-control/special-identities.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 798ab55b18..3acf52720e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
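Review bot: [PATCH 27/77] adds `windows/deployment/update/waas-delivery-optimization-faq.md` as blob e7787d0b50 and [PATCH 28/77] deletes that same blob, after [PATCH 26/77] already deleted identical content under the `-old.md` name. The net effect of the three commits is a single file deletion, and in the intermediate state the file exists alongside the redirect entry that [PATCH 25/77] added for the same `source_path`. Squash 26 to 28 into one deletion before merging so no commit in the history carries both the file and its redirect.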
@@ -6507,8 +6507,8 @@ }, { "source_path": "windows/access-protection/access-control/dynamic-access-control.md", - "redirect_url": "/windows/security/identity-protection/access-control/dynamic-access-control", - "redirect_document_id": false + "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview", + "redirect_document_id": true }, { "source_path": "windows/access-protection/access-control/local-accounts.md", 
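Review bot: After this change the `windows/access-protection/access-control/dynamic-access-control.md` entry and the `windows/security/identity-protection/access-control/dynamic-access-control.md` entry added in the `@@ -19589,6 +19589,46 @@` hunk both redirect to `/windows-server/identity/solution-guides/dynamic-access-control-overview` with `"redirect_document_id": true`. Two sources carrying the document ID to one target is worth checking against the publishing build before merge. If only one source may do so, keep `true` on the newer `windows/security/...` path and leave this older entry at `false`, changing only its `redirect_url`.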
@@ -19589,6 +19589,46 @@ "source_path": "windows/whats-new/contribute-to-a-topic.md", "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation", "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/security-identifiers.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/security-principals.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-principals", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/active-directory-accounts.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-default-user-accounts", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/microsoft-accounts.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-microsoft-accounts", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/service-accounts.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-service-accounts", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/active-directory-security-groups.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-groups", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/special-identities.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-special-identities-groups", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md", + "redirect_url": 
"/windows-server/identity/solution-guides/dynamic-access-control-overview", + "redirect_document_id": true } ] } diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index aa38fc4f08..be054e388b 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -323,24 +323,8 @@ - name: Access Control Overview href: identity-protection/access-control/access-control.md items: - - name: Dynamic Access Control Overview - href: identity-protection/access-control/dynamic-access-control.md - - name: Security identifiers - href: identity-protection/access-control/security-identifiers.md - - name: Security Principals - href: identity-protection/access-control/security-principals.md - name: Local Accounts href: identity-protection/access-control/local-accounts.md - - name: Active Directory Accounts - href: identity-protection/access-control/active-directory-accounts.md - - name: Microsoft Accounts - href: identity-protection/access-control/microsoft-accounts.md - - name: Service Accounts - href: identity-protection/access-control/service-accounts.md - - name: Active Directory Security Groups - href: identity-protection/access-control/active-directory-security-groups.md - - name: Special Identities - href: identity-protection/access-control/special-identities.md - name: User Account Control href: identity-protection/user-account-control/user-account-control-overview.md items: diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md deleted file mode 100644 index 404f1abb50..0000000000 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ /dev/null 
@@ -1,621 +0,0 @@ ---- -title: Active Directory Accounts (Windows 10) -description: Active Directory Accounts -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 08/23/2019 ---- - -# Active Directory Accounts - -**Applies to** -- Windows Server 2016 - -Windows Server operating systems are installed with default local accounts. In addition, you can create user accounts to meet the requirements of your organization. This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory. - -This reference topic does not describe default local user accounts for a member or standalone server or for a Windows client. For more information, see [Local Accounts](local-accounts.md). - -## About this topic - - -This topic describes the following: - -- [Default local accounts in Active Directory](#sec-ad-default-accounts) - - - [Administrator account](#sec-administrator) - - - [Guest account](#sec-guest) - - - [HelpAssistant account (installed with a Remote Assistance session)](#sec-helpassistant) - - - [KRBTGT account](#sec-krbtgt) - -- [Settings for default local accounts in Active Directory](#sec-account-settings) - -- [Manage default local accounts in Active Directory](#sec-manage-local-accounts) - -- [Restrict and protect sensitive domain accounts](#sec-restrict-protect-accounts) - - - [Separate administrator accounts from user accounts](#task1-separate-admin-accounts) - - - [Create dedicated workstation hosts without Internet and email access](#task2-admin-workstations) - - - [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon) - - - [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation) - -- [Secure and manage domain 
controllers](#sec-secure-manage-dcs) - -## Default local accounts in Active Directory - - -Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created. These default local accounts have counterparts in Active Directory. These accounts also have domain-wide access and are completely separate from the default local user accounts for a member or standalone server. - -You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller. These accounts are local to the domain. After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. It is a best practice to keep the default local accounts in the User container and not attempt to move these accounts, for example, to a different organizational unit (OU). - -The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory. - -Primarily, default local accounts do the following: - -- Let the domain represent, identify, and authenticate the identity of the user that is assigned to the account by using unique credentials (user name and password). It is a best practice to assign each user to a single account to ensure maximum security. Multiple users are not allowed to share one account. A user account lets a user sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain. - -- Authorize (grant or deny) access to resources. After a user’s credentials have been authenticated, the user is authorized to access the network and domain resources based on the user’s explicitly assigned rights on the resource. 
- -- Audit the actions that are carried out on a user account. - -In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations. Active Directory accounts provide access to network resources. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications. - -Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md). - -On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md). - -A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below. - -Some of the default local accounts are protected by a background process that periodically checks and applies a specific security descriptor. A security descriptor is a data structure that contains security information that is associated with a protected object. 
This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the default local accounts or groups is overwritten with the protected settings. - -This security descriptor is present on the AdminSDHolder object. If you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object to ensure that it is applied consistently. Be careful when making these modifications, because you are also changing the default settings that are applied to all of your protected accounts. - -## Administrator account - - -The Administrator account is a default account that is used in all versions of the Windows operating system on every computer and device. The Administrator account is used by the system administrator for tasks that require administrative credentials. This account cannot be deleted or locked out, but the account can be renamed or disabled. - -The Administrator account gives the user complete access (Full Control permissions) of the files, directories, services, and other resources that are on that local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. Administrator can also be used to take control of local resources at any time simply by changing the user rights and permissions. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions. - -**Account group membership** - -The Administrator account has membership in the default security groups as described in the Administrator account attributes table later in this topic. - -The security groups ensure that you can control administrator rights without having to change each Administrator account. 
In most instances, you do not have to change the basic settings for this account. However, you might have to change its advanced settings, such as membership in particular groups. - -**Security considerations** - -After installation of the server operating system, your first task is to set up the Administrator account properties securely. This includes setting up an especially long, strong password, and securing the Remote control and Remote Desktop Services profile settings. - -The Administrator account can also be disabled when it is not required. Renaming or disabling the Administrator account makes it more difficult for malicious users to try to gain access to the account. However, even when the Administrator account is disabled, it can still be used to gain access to a domain controller by using safe mode. - -On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller and this account requires a strong password. The Domain Admin account gives you access to domain resources. - -> [!NOTE] -> When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards. - -When Active Directory is installed on the first domain controller in the domain, the Administrator account is created for Active Directory. The Administrator account is the most powerful account in the domain. 
It is given domain-wide access and administrative rights to administer the computer and the domain, and it has the most extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on the computer creates the password for this account during the installation. - -**Administrator account attributes** - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-500| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|N/A| -|Default member of|Administrators, Domain Admins, Enterprise Administrators, Domain Users. Note that the Primary Group ID of all user accounts is Domain Users.

Group Policy Creator Owners, and Schema Admins in Active Directory

Domain Users group| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-service administrators?|No| - -## Guest account - - -The Guest account is a default local account that has limited access to the computer and is disabled by default. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password. - -The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain. - -**Account group membership** - -The Guest account has membership in the default security groups that are described in the following Guest account attributes table. By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server, and the Domain Guests global group, which lets a user sign in to a domain. - -A member of the Administrators group or Domain Admins group can set up a user with a Guest account on one or more computers. - -**Security considerations** - -Because the Guest account can provide anonymous access, it is a security risk. It also has a well-known SID. For this reason, it is a best practice to leave the Guest account disabled, unless its use is required and then only with restricted rights and permissions for a very limited period of time. - -When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. 
To help prevent unauthorized access: - -- Do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer. - -- Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user. - -- Do not use the Guest account when the server has external network access or access to other computers. - -If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution. - -In addition, an administrator is responsible for managing the Guest account. The administrator monitors the Guest account, disables the Guest account when it is no longer in use, and changes or removes the password as needed. - -For details about the Guest account attributes, see the following table. - -**Guest account attributes** - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-501| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|None| -|Default member of|Guests, Domain Guests| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| -|Safe to delegate management of this group to non-Service admins?|No| - -## HelpAssistant account (installed with a Remote Assistance session) - - -The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. 
This account is automatically disabled when no Remote Assistance requests are pending. - -HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. - -**Security considerations** - -The SIDs that pertain to the default HelpAssistant account include: - -- SID: S-1-5-``-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services. - -- SID: S-1-5-``-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. - -For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used. - -For details about the HelpAssistant account attributes, see the following table. - -**HelpAssistant account attributes** - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-13 (Terminal Server User), S-1-5-``-14 (Remote Interactive Logon)| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|None| -|Default member of|Domain Guests

Guests| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| -|Safe to delegate management of this group to non-Service admins?|No| - - - -## KRBTGT account - - -The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory. - -KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created. - -Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC. - -### KRBTGT account maintenance considerations - -A strong password is assigned to the KRBTGT and trust accounts automatically. Like any privileged service accounts, organizations should change these passwords on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets. - -Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. 
- -After you reset the KRBTGT password, ensure that event ID 9 in the (Kerberos) Key-Distribution-Center event source is written to the System event log. - -### Security considerations - -It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password. - -An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact to restore the ownership of the account is domain-wide and labor intensive an should be undertaken as part of a larger recovery effort. - -The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in almost all subsequent Kerberos operations will be affected. - -For all account types (users, computers, and services) - -- All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the tickets become invalid. - -- All currently authenticated sessions that logged on users have established (based on their service tickets) to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is required to re-authenticate. 
- -- NTLM authenticated connections are not affected - -Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected. - -> [!IMPORTANT] -> Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer. - -For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/). - -### Read-only domain controllers and the KRBTGT account - -Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy. - -After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller. - -### KRBTGT account attributes - -For details about the KRBTGT account attributes, see the following table. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-502| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|None| -|Default member of|Domain Users group. Note that the Primary Group ID of all user accounts is Domain Users.| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| -|Safe to delegate management of this group to non-Service admins?|No| - -## Settings for default local accounts in Active Directory - - -Each default local account in Active Directory has a number of account settings that you can use to configure password settings and security-specific information, as described in the following table. - -**Settings for default local accounts in Active Directory** - -|Account settings|Description| -|--- |--- | -|User must change password at next logon|Forces a password change the next time that the user logs signs in to the network. Use this option when you want to ensure that the user is the only person to know his or her password.| -|User cannot change password|Prevents the user from changing the password. Use this option when you want to maintain control over a user account, such as for a Guest or temporary account.| -|Password never expires|Prevents a user password from expiring. It is a best practice to enable this option with service accounts and to use strong passwords.| -|Store passwords using reversible encryption|Provides support for applications that use protocols requiring knowledge of the plaintext form of the user’s password for authentication purposes.

This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).| -|Account is disabled|Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts.| -|Smart card is required for interactive logon|Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.

When this attribute is applied on the account, the effect is as follows:

  • The attribute only restricts initial authentication for interactive logon and Remote Desktop logon. When interactive or Remote Desktop logon requires a subsequent network logon, such as with a domain credential, an NT Hash provided by the domain controller is used to complete the smartcard authentication process
  • Each time the attribute is enabled on an account, the account’s current password hash value is replaced with a 128-bit random number. This invalidates the use of any previously configured passwords for the account. The value does not change after that unless a new password is set or the attribute is disabled and re-enabled.
  • Accounts with this attribute cannot be used to start services or run scheduled tasks.| -|Account is trusted for delegation|Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.| -|Account is sensitive and cannot be delegated|Gives control over a user account, such as for a Guest account or a temporary account. This option can be used if this account cannot be assigned for delegation by another account.| -|Use DES encryption types for this account|Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).
    **Note:** DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](/archive/blogs/askds/hunting-down-des-in-order-to-securely-deploy-kerberos)
    | -|Do not require Kerberos preauthentication|Provides support for alternate implementations of the Kerberos protocol. Because preauthentication provides additional security, use caution when enabling this option. Note that domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time.| - - - -## Manage default local accounts in Active Directory - - -After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers. Default local accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers Microsoft Management Console (MMC) and by using command-line tools. - -You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner. - -For more information about creating and managing local user accounts in Active Directory, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)). - -You can also use Active Directory Users and Computers on a domain controller to target remote computers that are not domain controllers on the network. - -You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager (SCM) tool. For more information, see [Microsoft Security Compliance Manager](/previous-versions/tn-archive/cc677002(v=technet.10)). 
- -Some of the default local user accounts are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This security descriptor is present on the AdminSDHolder object. - -This means, when you want to modify the permissions on a service administrator group or on any of its member accounts, you are also required to modify the security descriptor on the AdminSDHolder object. This approach ensures that the permissions are applied consistently. Be careful when you make these modifications, because this action can also affect the default settings that are applied to all of your protected administrative accounts. - -## Restrict and protect sensitive domain accounts - - -Restricting and protecting domain accounts in your domain environment requires you to adopt and implement the following best practices approach: - -- Strictly limit membership to the Administrators, Domain Admins, and Enterprise Admins groups. - -- Stringently control where and how domain accounts are used. - -Member accounts in the Administrators, Domain Admins, and Enterprise Admins groups in a domain or forest are high-value targets for malicious users. It is a best practice to strictly limit membership to these administrator groups to the smallest number of accounts in order to limit any exposure. Restricting membership in these groups reduces the possibility that an administrator might unintentionally misuse these credentials and create a vulnerability that malicious users can exploit. - -Moreover, it is a best practice to stringently control where and how sensitive domain accounts are used. Restrict the use of Domain Admins accounts and other administrator accounts to prevent them from being used to sign in to management systems and workstations that are secured at the same level as the managed systems. 
When administrator accounts are not restricted in this manner, each workstation from which a domain administrator signs in provides another location that malicious users can exploit. - -Implementing these best practices is separated into the following tasks: - -- [Separate administrator accounts from user accounts](#task1-separate-admin-accounts) - -- [Create dedicated workstation hosts for administrators](#task2-admin-workstations) - -- [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon) - -- [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation) - -Note that, to provide for instances where integration challenges with the domain environment are expected, each task is described according to the requirements for a minimum, better, and ideal implementation. As with all significant changes to a production environment, ensure that you test these changes thoroughly before you implement and deploy them. Then stage the deployment in a manner that allows for a rollback of the change in case technical issues occur. - -### Separate administrator accounts from user accounts - -Restrict Domain Admins accounts and other sensitive accounts to prevent them from being used to sign in to lower trust servers and workstations. Restrict and protect administrator accounts by segregating administrator accounts from standard user accounts, by separating administrative duties from other tasks, and by limiting the use of these accounts. Create dedicated accounts for administrative personnel who require administrator credentials to perform specific administrative tasks, and then create separate accounts for other standard user tasks, according to the following guidelines: - -- **Privileged account**. Allocate administrator accounts to perform the following administrative duties only: - - - **Minimum**. 
Create separate accounts for domain administrators, enterprise administrators, or the equivalent with appropriate administrator rights in the domain or forest. Use accounts that have been granted sensitive administrator rights only to administer domain data and domain controllers. - - - **Better**. Create separate accounts for administrators that have reduced administrative rights, such as accounts for workstation administrators, and accounts with user rights over designated Active Directory organizational units (OUs). - - - **Ideal**. Create multiple, separate accounts for an administrator who has a variety of job responsibilities that require different trust levels. Set up each administrator account with significantly different user rights, such as for workstation administration, server administration and domain administration, to let the administrator sign in to given workstations, servers and domain controllers based strictly on his or her job responsibilities. - -- **Standard user account**. Grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business (LOB) applications. These accounts should not be granted administrator rights. - -> [!IMPORTANT] -> Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section. - - - -### Create dedicated workstation hosts without Internet and email access - -Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers. A workstation that is connected to the Internet and has email and web browsing access is regularly exposed to compromise through phishing, downloading, and other types of Internet attacks. 
Because of these threats, it is a best practice to set these administrators up by using workstations that are dedicated to administrative duties only, and not provide access to the Internet, including email and web browsing. For more information, see [Separate administrator accounts from user accounts](#task1-separate-admin-accounts). - -> [!NOTE] -> If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task. - - - -- **Minimum**. Build dedicated administrative workstations and block Internet access on those workstations including web browsing and email. Use the following ways to block Internet access: - - - Configure authenticating boundary proxy services, if they are deployed, to disallow administrator accounts from accessing the Internet. - - - Configure boundary firewall or proxy services to disallow Internet access for the IP addresses that are assigned to dedicated administrative workstations. - - - Block outbound access to the boundary proxy servers in the Windows Firewall. - - The instructions for meeting this minimum requirement are described in the following procedure. - -- **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections. - -- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](/windows/device-security/applocker/applocker-overview). 
- -The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings. - -> [!NOTE] -> In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights to use the instructions described in the following procedure. - -**To install administrative workstations in a domain and block Internet and email access (minimum)** - -1. As a domain administrator on a domain controller, open Active Directory Users and Computers, and create a new OU for administrative workstations. - -2. Create computer accounts for the new workstations. - - > [!NOTE] - > You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx). - - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif) - -3. Close Active Directory Users and Computers. - -4. Start the **Group Policy Management** Console (GPMC). - -5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**. - - ![Active Directory's local accounts](images/adlocalaccounts-proc1-sample2.png) - -6. Name the GPO, and > **OK**. - -7. Expand the GPO, right-click the new GPO, and > **Edit**. - - ![Active Directory (AD) local accounts](images/adlocalaccounts-proc1-sample3.png) - -8. 
Configure which members of accounts can log on locally to these administrative workstations as follows: - - 1. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**. - - 2. Double-click **Allow log on locally**, and then select the **Define these policy settings** check box. - - 3. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**. - - 4. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - - > [!IMPORTANT] - > These instructions assume that the workstation is to be dedicated to domain administrators. - - - - 5. Click **Add User or Group**, type **Administrators**, and > **OK**. - - ![AD local accounts](images/adlocalaccounts-proc1-sample4.png) - -9. Configure the proxy configuration: - - 1. Navigate to User Configuration\\Policies\\Windows Settings\\Internet Explorer, and > **Connection**. - - 2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**. - - ![AD's local accounts](images/adlocalaccounts-proc1-sample5.png) - -10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows: - - 1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\System, and > **Group Policy**. - - 2. Double-click **User Group Policy loopback policy processing mode**, and > **Enabled**. - - 3. Select **Merge Mode**, and > **OK**. - -11. Configure software updates as follows: - - 1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\Windows Components, and then click **Windows Update**. - - 2. Configure Windows Update settings as described in the following table. 
- - |Windows Update Setting|Configuration| - |--- |--- | - |Allow Automatic Updates immediate installation|Enabled| - |Configure Automatic Updates|Enabled4 - Auto download and schedule the installation0 - Every day 03:00| - |Enable Windows Update Power Management to automatically wake up the system to install scheduled updates|Enabled| - |Specify intranet Microsoft Update service location|Enabled `http:// http://` Where `` is the DNS name or IP address of the Windows Server Update Services (WSUS) in the environment.| - |Automatic Updates detection frequency|6 hours| - |Re-prompt for restart with scheduled installations|1 minute| - |Delay restart for scheduled installations|5 minutes| - - > [!NOTE] - > This step assumes that Windows Server Update Services (WSUS) is installed and configured in the environment. You can skip this step if you use another tool to deploy software updates. Also, if the public Microsoft Windows Update service only is used on the Internet, then these administrative workstations no longer receive updates. - -12. Configure the inbound firewall to block all connections as follows: - - 1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**. - - ![Local accounts for Active Directory](images/adlocalaccounts-proc1-sample6.png) - - 2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**. - - ![Local accounts for an AD](images/adlocalaccounts-proc1-sample7.png) - - 3. Click **OK** to complete the configuration. - -13. Close the Group Policy Management Console. - -14. Install the Windows operating system on the workstations, give each workstation the same names as the computer accounts assigned to them, and then join them to the domain. 
- -### Restrict administrator logon access to servers and workstations - -It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of credential theft by signing in to a lower-trust computer. - -> [!IMPORTANT] -> Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation. - - - -Restrict logon access to lower-trust servers and workstations by using the following guidelines: - -- **Minimum**. Restrict domain administrators from having logon access to servers and workstations. Before starting this procedure, identify all OUs in the domain that contain workstations and servers. Any computers in OUs that are not identified will not restrict administrators with sensitive accounts from signing-in to them. - -- **Better**. Restrict domain administrators from non-domain controller servers and workstations. - -- **Ideal**. Restrict server administrators from signing in to workstations, in addition to domain administrators. - -> [!NOTE] -> For this procedure, do not link accounts to the OU that contain workstations for administrators that perform administration duties only, and do not provide Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations) - - - -**To restrict domain administrators from workstations (minimum)** - -1. As a domain administrator, open the Group Policy Management Console (GPMC). - -2. Open **Group Policy Management**, and expand *<forest>*\\Domains\\``, and then expand to **Group Policy Objects**. - -3. Right-click **Group Policy Objects**, and > **New**. - - ![Local account's representation - Active Directory](images/adlocalaccounts-proc2-sample1.png) - -4. 
In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**. - - ![Local account's representation - AD](images/adlocalaccounts-proc2-sample2.png) - -5. Right-click **New GPO**, and > **Edit**. - -6. Configure user rights to deny logon locally for domain administrators. - -7. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**, and perform the following: - - 1. Double-click **Deny logon locally**, and > **Define these policy settings**. - - 2. Click **Add User or Group**, click **Browse**, type **Enterprise Admins**, and > **OK**. - - 3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**. - - ![An Active Directory's local accounts](images/adlocalaccounts-proc2-sample3.png) - - > [!NOTE] - > You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. - - - - 4. Click **OK** to complete the configuration. - -8. Configure the user rights to deny batch and service logon rights for domain administrators as follows: - - > [!NOTE] - > Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services. - - - - 1. Double-click **Deny logon as a batch job**, and > **Define these policy settings**. - - 2. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**. - - 3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. 
- - ![An AD's local accounts](images/adlocalaccounts-proc2-sample4.png) - - > [!NOTE] - > You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. - - - - 4. Double-click **Deny logon as a service**, and > **Define these policy settings**. - - 5. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**. - - 6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - - ![Local accounts for AD](images/adlocalaccounts-proc2-sample5.png) - - > [!NOTE] - > You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. - - - -9. Link the GPO to the first Workstations OU. - - Navigate to the *<forest>*\\Domains\\``\\OU Path, and then: - - 1. Right-click the workstation OU, and then > **Link an Existing GPO**. - - ![Local accounts representation for an Active Directory](images/adlocalaccounts-proc2-sample6.png) - - 2. Select the GPO that you just created, and > **OK**. - - ![Active Directory's local accounts' presentation](images/adlocalaccounts-proc2-sample7.png) -======= - ![Active Directory local accounts 13](images/adlocalaccounts-proc2-sample6.png) - - 2. Select the GPO that you just created, and > **OK**. - - ![Active Directory local accounts 14](images/adlocalaccounts-proc2-sample7.png) - -10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy. - -11. Link all other OUs that contain workstations. - - However, do not create a link to the Administrative Workstation OU if it is created for administrative workstations that are dedicated to administration duties only, and that are without Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations). 
- - > [!IMPORTANT] - > If you later extend this solution, do not deny logon rights for the **Domain Users** group. The **Domain Users** group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators. - - - -### Disable the account delegation right for sensitive administrator accounts - -Although user accounts are not marked for delegation by default, accounts in an Active Directory domain can be trusted for delegation. This means that a service or a computer that is trusted for delegation can impersonate an account that authenticates to them to access other resources across the network. - -For sensitive accounts, such as those belonging to members of the Administrators, Domain Admins, or Enterprise Admins groups in Active Directory, delegation can present a substantial risk of rights escalation. For example, if an account in the Domain Admins group is used to sign in to a compromised member server that is trusted for delegation, that server can request access to resources in the context of the Domain Admins account, and escalate the compromise of that member server to a domain compromise. - -It is a best practice to configure the user objects for all sensitive accounts in Active Directory by selecting the **Account is sensitive and cannot be delegated** check box under **Account options** to prevent these accounts from being delegated. For more information, see [Setting for default local accounts in Active Directory](#sec-account-settings). - -As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it. - -![An Active Directory local accounts' presentation](images/adlocalaccounts-proc3-sample1.png) - -## Secure and manage domain controllers - - -It is a best practice to strictly enforce restrictions on the domain controllers in your environment. This ensures that the domain controllers: - -1. Run only required software - -2. 
Required software is regularly updated - -3. Are configured with the appropriate security settings - -One aspect of securing and managing domain controllers is to ensure that the default local user accounts are fully protected. It is of primary importance to restrict and secure all sensitive domain accounts, as described in the preceding sections. - -Because domain controllers store credential password hashes of all accounts in the domain, they are high-value targets for malicious users. When domain controllers are not well managed and secured by using restrictions that are strictly enforced, they can be compromised by malicious users. For example, a malicious user could steal sensitive domain administrator credentials from one domain controller, and then use these credentials to attack the domain and forest. - -In addition, installed applications and management agents on domain controllers might provide a path for escalating rights that malicious users can use to compromise the management service or administrators of that service. The management tools and services, which your organization uses to manage domain controllers and their administrators, are equally important to the security of the domain controllers and the domain administrator accounts. Ensure that these services and administrators are fully secured with equal effort. - -## See also - -- [Security Principals](security-principals.md) - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md deleted file mode 100644 index 7a469d0fc0..0000000000 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ /dev/null 
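Review bot: the removed procedure "To restrict domain administrators from workstations (minimum)" carries an unresolved merge marker (`=======`) at step 9, with sub-step 2 and its two screenshots duplicated below it, so if this guidance is being relocated rather than dropped, carry over only one copy and leave the marker behind. The removal also takes out the only text in this hunk that explains the **Deny logon locally**, **Deny logon as a batch job** and **Deny logon as a service** assignments for Domain Admins and Enterprise Admins and the **Account is sensitive and cannot be delegated** setting. Please say in the commit message where that content now lives, and confirm that a redirect covers the deleted page so that links to anchors such as `#task2-admin-workstations` and `#sec-account-settings` do not break.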
@@ -1,1431 +0,0 @@ ---- -title: Active Directory Security Groups -description: Active Directory Security Groups -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 09/21/2021 ---- - -# Active Directory Security Groups - -**Applies to** -- Windows Server 2016 or later -- Windows 10 or later - -This reference topic for the IT professional describes the default Active Directory security groups. - -## - - -There are two forms of common security principals in Active Directory: user accounts and computer accounts. These accounts represent a physical entity (a person or a computer). User accounts can also be used as dedicated service accounts for some applications. Security groups are used to collect user accounts, computer accounts, and other groups into manageable units. - -In the Windows Server operating system, there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks. For Active Directory, there are two types of administrative responsibilities: - -- **Service administrators**   Responsible for maintaining and delivering Active Directory Domain Services (AD DS), including managing domain controllers and configuring the AD DS. - -- **Data administrators**   Responsible for maintaining the data that is stored in AD DS and on domain member servers and workstations. - -## About Active Directory groups - - -Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration. - -There are two types of groups in Active Directory: - -- **Distribution groups** Used to create email distribution lists. - -- **Security groups** Used to assign permissions to shared resources. 
- -### Distribution groups - -Distribution groups can be used only with email applications (such as Exchange Server) to send email to collections of users. Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists (DACLs). - -### Security groups - -Security groups can provide an efficient way to assign access to resources on your network. By using security groups, you can: - -- Assign user rights to security groups in Active Directory. - - User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest. User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person’s administrative role in the domain. - - For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights **Backup files and directories** and **Restore files and directories** are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group. - - You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment). - -- Assign permissions to security groups for resources. - - Permissions are different than user rights. Permissions are assigned to the security group for the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. 
Some permissions that are set on domain objects are automatically assigned to allow various levels of access to default security groups, such as the Account Operators group or the Domain Admins group. - - Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account that is added to a group receives the rights that are assigned to that group in Active Directory, and the user receives the permissions that are defined for that group. - -Like distribution groups, security groups can be used as an email entity. Sending an email message to the group sends the message to all the members of the group. - -### Group scope - -Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The scope of the group defines where the group can be granted permissions. The following three group scopes are defined by Active Directory: - -- Universal - -- Global - -- Domain Local - -> [!NOTE] -> In addition to these three scopes, the default groups in the **Builtin** container have a group scope of Builtin Local. This group scope and group type cannot be changed. - - - -The following table lists the three group scopes and more information about each scope for a security group. - -**Group scopes** - -|Scope|Possible Members|Scope Conversion|Can Grant Permissions|Possible Member of| -|--- |--- |--- |--- |--- | -|Universal|Accounts from any domain in the same forest

    Global groups from any domain in the same forest

    Other Universal groups from any domain in the same forest|Can be converted to

    Domain Local scope if the group is not a member of any other Universal groups

    Can be converted to Global scope if the group does not contain any other Universal groups|On any domain in the same forest or trusting forests|Other Universal groups in the same forest

    Domain

    Local groups in the same forest or trusting forests

    Local groups on computers in the same forest or trusting forests| -|Global|Accounts from the same domain

    Other Global groups from the same domain|Can be converted to Universal scope if the group is not a member of any other global group|On any domain in the same forest, or trusting domains or forests|Universal groups from any domain in the same forest

    Other Global groups from the same domain

    Domain Local groups from any domain in the same forest, or from any trusting domain| -|Domain Local|Accounts from any domain or any trusted domain

    Global groups from any domain or any trusted domain

    Universal groups from any domain in the same forest

    Other Domain Local groups from the same domain

    Accounts, Global groups, and Universal groups from other forests and from external domains|Can be converted to Universal scope if the group does not contain any other Domain Local groups|Within the same domain|Other Domain Local groups from the same domain

    Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs| - -### Special identity groups - -Special identities are generally referred to as groups. Special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. Some of these groups include Creator Owner, Batch, and Authenticated User. - -For information about all the special identity groups, see [Special Identities](special-identities.md). - -## Default security groups - - -Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles. - -Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain. - -When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group for any shared resources. - -Default groups are located in the **Builtin** container and in the **Users** container in Active Directory Users and Computers. The **Builtin** container includes groups that are defined with the Domain Local scope. The **Users** includes contains groups that are defined with Global scope and groups that are defined with Domain Local scope. You can move groups that are located in these containers to other groups or organizational units (OU) within the domain, but you cannot move them to other domains. 
- -Some of the administrative groups that are listed in this topic and all members of these groups are protected by a background process that periodically checks for and applies a specific security descriptor. This descriptor is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings. - -The security descriptor is present on the **AdminSDHolder** object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the **AdminSDHolder** object so that it will be applied consistently. Be careful when you make these modifications because you are also changing the default settings that will be applied to all of your protected administrative accounts. - -### Active Directory default security groups by operating system version - -The following tables provide descriptions of the default groups that are located in the **Builtin** and **Users** containers in each operating system. 
- -|Default Security Group|Windows Server 2016|Windows Server 2012 R2|Windows Server 2012|Windows Server 2008 R2| -|--- |--- |--- |--- |--- | -|[Access Control Assistance Operators](#bkmk-acasstops)|Yes|Yes|Yes|| -|[Account Operators](#bkmk-accountoperators)|Yes|Yes|Yes|Yes| -|[Administrators](#bkmk-admins)|Yes|Yes|Yes|Yes| -|[Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl)|Yes|Yes|Yes|Yes| -|[Backup Operators](#bkmk-backupoperators)|Yes|Yes|Yes|Yes| -|[Certificate Service DCOM Access](#bkmk-certificateservicedcomaccess)|Yes|Yes|Yes|Yes| -|[Cert Publishers](#bkmk-certpublishers)|Yes|Yes|Yes|Yes| -|[Cloneable Domain Controllers](#bkmk-cloneabledomaincontrollers)|Yes|Yes|Yes|| -|[Cryptographic Operators](#bkmk-cryptographicoperators)|Yes|Yes|Yes|Yes| -|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|Yes|Yes|Yes|Yes| -|[Device Owners](#bkmk-device-owners)|Yes|Yes|Yes|Yes| -|[Distributed COM Users](#bkmk-distributedcomusers)|Yes|Yes|Yes|Yes| -|[DnsUpdateProxy](#bkmk-dnsupdateproxy)|Yes|Yes|Yes|Yes| -|[DnsAdmins](#bkmk-dnsadmins)|Yes|Yes|Yes|Yes| -|[Domain Admins](#bkmk-domainadmins)|Yes|Yes|Yes|Yes| -|[Domain Computers](#bkmk-domaincomputers)|Yes|Yes|Yes|Yes| -|[Domain Controllers](#bkmk-domaincontrollers)|Yes|Yes|Yes|Yes| -|[Domain Guests](#bkmk-domainguests)|Yes|Yes|Yes|Yes| -|[Domain Users](#bkmk-domainusers)|Yes|Yes|Yes|Yes| -|[Enterprise Admins](#bkmk-entadmins)|Yes|Yes|Yes|Yes| -|[Enterprise Key Admins](#enterprise-key-admins)|Yes|||| -|[Enterprise Read-only Domain Controllers](#bkmk-entrodc)|Yes|Yes|Yes|Yes| -|[Event Log Readers](#bkmk-eventlogreaders)|Yes|Yes|Yes|Yes| -|[Group Policy Creator Owners](#bkmk-gpcreatorsowners)|Yes|Yes|Yes|Yes| -|[Guests](#bkmk-guests)|Yes|Yes|Yes|Yes| -|[Hyper-V Administrators](#bkmk-hypervadministrators)|Yes|Yes|Yes|| -|[IIS_IUSRS](#bkmk-iis-iusrs)|Yes|Yes|Yes|Yes| -|[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)|Yes|Yes|Yes|Yes| -|[Key Admins](#key-admins)|Yes|||| -|[Network 
Configuration Operators](#bkmk-networkcfgoperators)|Yes|Yes|Yes|Yes| -|[Performance Log Users](#bkmk-perflogusers)|Yes|Yes|Yes|Yes| -|[Performance Monitor Users](#bkmk-perfmonitorusers)|Yes|Yes|Yes|Yes| -|[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)|Yes|Yes|Yes|Yes| -|[Print Operators](#bkmk-printoperators)|Yes|Yes|Yes|Yes| -|[Protected Users](#bkmk-protectedusers)|Yes|Yes||| -|[RAS and IAS Servers](#bkmk-rasandias)|Yes|Yes|Yes|Yes| -|[RDS Endpoint Servers](#bkmk-rdsendpointservers)|Yes|Yes|Yes|| -|[RDS Management Servers](#bkmk-rdsmanagementservers)|Yes|Yes|Yes|| -|[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)|Yes|Yes|Yes|| -|[Read-only Domain Controllers](#bkmk-rodc)|Yes|Yes|Yes|Yes| -|[Remote Desktop Users](#bkmk-remotedesktopusers)|Yes|Yes|Yes|Yes| -|[Remote Management Users](#bkmk-remotemanagementusers)|Yes|Yes|Yes|| -|[Replicator](#bkmk-replicator)|Yes|Yes|Yes|Yes| -|[Schema Admins](#bkmk-schemaadmins)|Yes|Yes|Yes|Yes| -|[Server Operators](#bkmk-serveroperators)|Yes|Yes|Yes|Yes| -|[Storage Replica Administrators](#storage-replica-administrators)|Yes|||| -|[System Managed Accounts Group](#system-managed-accounts-group)|Yes|||| -|[Terminal Server License Servers](#bkmk-terminalserverlic)|Yes|Yes|Yes|Yes| -|[Users](#bkmk-users)|Yes|Yes|Yes|Yes| -|[Windows Authorization Access Group](#bkmk-winauthaccess)|Yes|Yes|Yes|Yes| -|[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)||Yes|Yes|| - -### Access Control Assistance Operators - -Members of this group can remotely query authorization attributes and permissions for resources on the computer. - -The Access Control Assistance Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-579| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Account Operators - -The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers. - -Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the [Administrators](#bkmk-admins), [Server Operators](#bkmk-serveroperators), [Account Operators](#bkmk-accountoperators), [Backup Operators](#bkmk-backupoperators), or [Print Operators](#bkmk-printoperators) groups. Members of this group cannot modify user rights. - -The Account Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved. - - - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-548| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight| - - - -### Administrators - -Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain. - -The Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. - -Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain. - - - -This security group includes the following changes since Windows Server 2008: - -- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services). 
- -- [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station) was removed in Windows Server 2012 R2. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-544| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|Administrator, Domain Admins, Enterprise Admins| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege

    [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

    [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight

    [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

    [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege

    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

    [Create a pagefile](/windows/device-security/security-policy-settings/create-a-pagefile): SeCreatePagefilePrivilege

    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege

    [Create symbolic links](/windows/device-security/security-policy-settings/create-symbolic-links): SeCreateSymbolicLinkPrivilege

    [Debug programs](/windows/device-security/security-policy-settings/debug-programs): SeDebugPrivilege

    [Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege

    [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege

    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege

    [Increase scheduling priority](/windows/device-security/security-policy-settings/increase-scheduling-priority): SeIncreaseBasePriorityPrivilege

    [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege

    [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight

    [Manage auditing and security log](/windows/device-security/security-policy-settings/manage-auditing-and-security-log): SeSecurityPrivilege

    [Modify firmware environment values](/windows/device-security/security-policy-settings/modify-firmware-environment-values): SeSystemEnvironmentPrivilege

    [Perform volume maintenance tasks](/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks): SeManageVolumePrivilege

    [Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege

    [Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege

    [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege

    [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege

    [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege

    [Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege| - -### Allowed RODC Password Replication Group - -The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group. - -The Allowed RODC Password Replication group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-571| -|Type|Domain local| -|Default container|CN=Users DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Backup Operators - -Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. 
While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators. - -The Backup Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-551| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

    [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight

    [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege

    [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege| - - - -### Certificate Service DCOM Access - -Members of this group are allowed to connect to certification authorities in the enterprise. - -The Certificate Service DCOM Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-<domain>-574| -|Type|Domain Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -### Cert Publishers - -Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory. - -The Cert Publishers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-517| -|Type|Domain Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Cloneable Domain Controllers - -Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. 
In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group). - -For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-522| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Cryptographic Operators - -Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode. - -The Cryptographic Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group was introduced in Windows Vista Service Pack 1, and it has not changed in subsequent versions. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-569| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - - -### Denied RODC Password Replication Group - -Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller. - -The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication Group supersedes the [Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl). - -This security group includes the following changes since Windows Server 2008: - -- Windows Server 2012 changed the default members to include [Cert Publishers](#bkmk-certpublishers). - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-572| -|Type|Domain local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|[Cert Publishers](#bkmk-certpublishers)

    [Domain Admins](#bkmk-domainadmins)

    [Domain Controllers](#bkmk-domaincontrollers)

    [Enterprise Admins](#bkmk-entadmins)

    Group Policy Creator Owners

    [Read-only Domain Controllers](#bkmk-rodc)

    [Schema Admins](#bkmk-schemaadmins)| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -### Device Owners -This group is not currently used in Windows. - -Microsoft does not recommend changing the default configuration where this security group has zero members. Changing the default configuration could hinder future scenarios that rely on this group. - -The Device Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-583| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out but it is not recommended| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege| - -### Distributed COM Users - -Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -The Distributed COM Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-562| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### DnsUpdateProxy - -Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario. 
- -However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. - -For information, see [DNS Record Ownership and the DnsUpdateProxy Group](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd334715(v=ws.10)). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### DnsAdmins - -Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. - -For more information about security and DNS, see [DNSSEC in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593694(v=ws.11)). - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>| -|Type|Builtin Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Domain Admins - -Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. - -The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain. - -The Domain Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-512| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Administrators](#bkmk-admins)

    [Denied RODC Password ReplicationGroup](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Administrators](#bkmk-admins)

    See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - - - -### Domain Computers - -This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group. - -The Domain Computers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-515| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|All computers joined to the domain, excluding domain controllers| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes (but not required)| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### Domain Controllers - -The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group. - -The Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-516| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Computer accounts for all domain controllers of the domain| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|No| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Domain Guests - -The Domain Guests group includes the domain’s built-in Guest account. 
When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer. - -The Domain Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-514| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Guest| -|Default member of|[Guests](#bkmk-guests)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Can be moved out but it is not recommended| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Guests](#bkmk-guests)| - -### Domain Users - -The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group. - -By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer). - -The Domain Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-513| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator -krbtgt| -|Default member of|[Users](#bkmk-users)| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Users](#bkmk-users)| - -### Enterprise Admins - -The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains. - -By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account. - -The Enterprise Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<root domain>-519| -|Type|Universal (if Domain is in Native-Mode) else Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Administrators](#bkmk-admins) -[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Administrators](#bkmk-admins)

    See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Enterprise Key Admins - -Members of this group can perform administrative actions on key objects within the forest. - -The Enterprise Key Admins group was introduced in Windows Server 2016. - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-21-<domain>-527 | -| Type | Global | -| Default container | CN=Users, DC=<domain>, DC= | -| Default members | None | -| Default member of | None | -| Protected by ADMINSDHOLDER? | Yes | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - -### Enterprise Read-Only Domain Controllers - -Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller. - -Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it. - -For more information, see [What Is an RODC?](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771030(v=ws.10)). - -The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<root domain>-498| -|Type|Universal| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Event Log Readers - -Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller. - -The Event Log Readers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-573| -|Type|Domain Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Group Policy Creator Owners - -This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator. - -For information about other features you can use with this security group, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). - -The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-520| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|No| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Guests - -Members of the Guests group have the same access as members of the Users group by default, except that the Guest account has further restrictions. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account. - -When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the **%userprofile%** directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system. This security group interacts with the Group Policy setting **Do not logon users with temporary profiles** when it is enabled. This setting is located under the following path: - -Computer Configuration\\Administrative Templates\\System\\User Profiles - -> [!NOTE] -> A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account. - -The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. 
The Guest account is disabled by default, and we recommend that it stay disabled. - -The Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-546| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|[Domain Guests](#bkmk-domainguests)| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - - -### Hyper-V Administrators - -Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access. - -> [!NOTE] -> Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group. - - - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-578| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### IIS\_IUSRS - -IIS\_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. 
IIS 7.0 replaces the IUSR\_MachineName account and the IIS\_WPG group with the IIS\_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS\_IUSRS. - -For more information, see [Understanding Built-In User and Group Accounts in IIS 7](/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-568| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|IUSR| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Incoming Forest Trust Builders - -Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account. - -To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups. 
- -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - - -For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)). - -The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-557| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Key Admins - -Members of this group can perform administrative actions on key objects within the domain. - -The Key Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-21-<domain>-526 | -| Type | Global | -| Default container | CN=Users, DC=<domain>, DC= | -| Default members | None | -| Default member of | None | -| Protected by ADMINSDHOLDER? | Yes | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? 
| No | -| Default User Rights | None | - - - -### Network Configuration Operators - -Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features: - -- Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers. - -- Rename the LAN connections or remote access connections that are available to all the users. - -- Enable or disable a LAN connection. - -- Modify the properties of all of remote access connections of users. - -- Delete all the remote access connections of users. - -- Rename all the remote access connections of users. - -- Issue **ipconfig**, **ipconfig /release**, or **ipconfig /renew** commands. - -- Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card. - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - -The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-556| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### Performance Log Users - -Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group: - -- Can use all the features that are available to the Performance Monitor Users group. - -- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. - - > [!WARNING] - > If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials. - - > [!NOTE] - > In Windows Server 2016 or later, Data Collector Sets cannot be created by a member of the Performance Log Users group. - > If a member of the Performance Log Users group tries to create Data Collector Sets, they cannot complete creation because access will be denied. - -- Cannot use the Windows Kernel Trace event provider in Data Collector Sets. - -For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console. 
- -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - -The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This account cannot be renamed, deleted, or moved. - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-559| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight| - - - -### Performance Monitor Users - -Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways. - -Specifically, members of this security group: - -- Can use all the features that are available to the Users group. - -- Can view real-time performance data in Performance Monitor. - - Can change the Performance Monitor display properties while viewing data. - -- Cannot create or modify Data Collector Sets. 
- - > [!WARNING] - > You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group. - - - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved. - - - -The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-558| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - - -### Pre–Windows 2000 Compatible Access - -Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier. - -> [!WARNING] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - -The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-554| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|If you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows 2000-only permissions mode, Authenticated Users are members.| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - - - -### Print Operators - -Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. - -This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved. - -The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj190062(v=ws.11)). - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-550| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege

    [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege| - -### Protected Users - -Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. - -This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group. - -This domain-related, global group triggers non-configurable protection on devices and host computers, starting with the Windows Server 2012 R2 and Windows 8.1 operating systems. It also triggers non-configurable protection on domain controllers in domains with a primary domain controller running Windows Server 2012 R2 or Windows Server 2016. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer. - -Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows. - -- Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1 or Windows 10, so the device fails to authenticate to a domain when the account is a member of the Protected User group. - -- The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite. 
- -- The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group. - -- The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours has passed, the user must authenticate again. - -The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)). - -The following table specifies the properties of the Protected Users group. - -|Attribute|Value| -|--- |--- | -|Well-known SID/RID|S-1-5-21-<domain>-525| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-service admins?|No| -|Default user rights|None| - -### RAS and IAS Servers - -Computers that are members of the RAS and IAS Servers group, when properly configured, are allowed to use remote access services. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically, such as IAS servers and Network Policy Servers. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information. 
- -The RAS and IAS Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-553| -|Type|Builtin Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### RDS Endpoint Servers - -Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. - -For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-576| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -### RDS Management Servers - -Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. 
The servers running the RDS Central Management service must be included in this group. - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-577| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### RDS Remote Access Servers - -Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group. - -For more information, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-575| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Read-Only Domain Controllers - -This group is comprised of the Read-only domain controllers in the domain. 
A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. - -Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality: - -- Read-only AD DS database - -- Unidirectional replication - -- Credential caching - -- Administrator role separation - -- Read-only Domain Name System (DNS) - -For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754719(v=ws.10)). - -This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-521| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Remote Desktop Users - -The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. 
It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-555| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - - - - -### Remote Management Users - -Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. - -The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands. - -For more information, see [What's New in MI?](/previous-versions/windows/desktop/wmi_v2/what-s-new-in-mi) and [About WMI](/windows/win32/wmisdk/about-wmi). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-580| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Replicator - -Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites. - -> [!WARNING] -> In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers. - -However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. 
For more information, see: - -- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](/windows/win32/win7appqual/file-replication-service--frs--is-deprecated-in-windows-server-2008-r2) -- [DFS Namespaces and DFS Replication Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127250(v=ws.11)) - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-552| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Schema Admins - -Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. - -The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema. - -The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory. - -For more information, see [What Is the Active Directory Schema?: Active Directory](/previous-versions/windows/it-pro/windows-server-2003/cc784826(v=ws.10)). - -The Schema Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<root domain>-518| -|Type|Universal (if Domain is in Native-Mode) else Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Server Operators - -Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. - -By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table. - -The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-549| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

    [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege

    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

    [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege

    [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege

    [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege| - -### Storage Replica Administrators - -Members of this group have complete and unrestricted access to all features of Storage Replica. - -The Storage Replica Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-32-582 | -| Type | Builtin Local | -| Default container | CN=BuiltIn, DC=<domain>, DC= | -| Default members | None | -| Default member of | None | -| Protected by ADMINSDHOLDER? | No | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - - -### System Managed Accounts Group - -Members of this group are managed by the system. - -The System Managed Accounts group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-32-581 | -| Type | Builtin Local | -| Default container | CN=BuiltIn, DC=<domain>, DC= | -| Default members | Users | -| Default member of | None | -| Protected by ADMINSDHOLDER? | No | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - - -### Terminal Server License Servers - -Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. 
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -For more information about this security group, see [Terminal Services License Server Security Group Configuration](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775331(v=ws.10)). - -The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - - - -This security group only applies to Windows Server 2003 and Windows Server 2008 because Terminal Services was replaced by Remote Desktop Services in Windows Server 2008 R2. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-561| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Safe to move out of default container?|Cannot be moved| -|Protected by ADMINSDHOLDER?|No| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### Users - -Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. - -Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved. 
- -The Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group includes the following changes since Windows Server 2008: - -- In Windows Server 2008 R2, INTERACTIVE was added to the default members list. - -- In Windows Server 2012, the default **Member Of** list changed from Domain Users to none. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-545| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|Authenticated Users

    [Domain Users](#bkmk-domainusers)

    INTERACTIVE| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Windows Authorization Access Group - -Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -The Windows Authorization Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-560| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|Enterprise Domain Controllers| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default user rights|None| - -### WinRMRemoteWMIUsers\_ - -In Windows 8 and in Windows Server 2012, a **Share** tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. 
To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running. - -The WinRMRemoteWMIUsers\_ group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -- If the file share is hosted on a server that is running a supported version of the operating system: - - - You must be a member of the WinRMRemoteWMIUsers\_\_ group or the BUILTIN\\Administrators group. - - - You must have Read permissions to the file share. - -- If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012: - - - You must be a member of the BUILTIN\\Administrators group. - - - You must have Read permissions to the file share. - -In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers\_\_ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions. - -> [!NOTE] -> The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console. - - - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. 
- -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>| -|Type|Domain local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -## See also - -- [Security Principals](security-principals.md) - -- [Special Identities](special-identities.md) - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md deleted file mode 100644 index b19feb4975..0000000000 --- a/windows/security/identity-protection/access-control/dynamic-access-control.md +++ /dev/null 
@@ -1,140 +0,0 @@ ---- -title: Dynamic Access Control Overview (Windows 10) -description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -ms.reviewer: ---- - -# Dynamic Access Control Overview - -**Applies to** -- Windows Server 2016 - -This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. - -Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources. - -For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview). - -Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. 
When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes. - -Features and concepts associated with Dynamic Access Control include: - -- [Central access rules](#bkmk-rules) - -- [Central access policies](#bkmk-policies) - -- [Claims](#bkmk-claims) - -- [Expressions](#bkmk-expressions2) - -- [Proposed permissions](#bkmk-permissions2) - -### Central access rules - -A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy. - -If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements. - -### Central access policies - -Central access policies are authorization policies that include conditional expressions. For example, let’s say an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to: - -- Identify and mark the files that contain the PII. - -- Identify the group of HR members who are allowed to view the PII information. - -- Add the central access policy to a central access rule, and apply the central access rule to all files that contain the PII, wherever they are located amongst the file servers across the organization. - -Central access policies act as security umbrellas that an organization applies across its servers. 
These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders. - -### Claims - -A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows: - -- **User claims**   Active Directory attributes that are associated with a specific user. - -- **Device claims**   Active Directory attributes that are associated with a specific computer object. - -- **Resource attributes**  Global resource properties that are marked for use in authorization decisions and published in Active Directory. - -Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies. - -### Expressions - -Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC). - -Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments. - -### Proposed permissions - -Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them. 
- -Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing those changes. - -## Additional changes - - -Additional enhancements in the supported versions of Windows that support Dynamic Access Control include: - -### Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups. - -By default, devices running any of the supported versions of Windows are able to process Dynamic Access Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of the user and the device on the resources that recognize Dynamic Access Control. - -### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain. - -Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**. - -### Support in Active Directory to store user and device claims, resource properties, and central access policy objects. - -### Support for using Group Policy to deploy central access policy objects. - -The following Group Policy setting enables you to deploy central access policy objects to file servers in your organization: **Computer Configuration\\Policies\\ Windows Settings\\Security Settings\\File System\\Central Access Policy**. 
- -### Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing - -You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under **Advanced Audit Policy Configuration** in the **Security Settings** of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network. - -### Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts - -You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims: - -- **Value-based filtering**  Filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering the incoming claims with specific values from the trusted forest. - -- **Claim type-based filtering**  Filters are based on the type of claim, rather than the value of the claim. You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest, and it prevents Windows from sending claims that disclose information to the trusting forest. - -- **Claim type-based transformation**  Manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim-type, the claim value, or both. 
- -## Software requirements - - -Because claims and compound authentication for Dynamic Access Control require Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices must use domain controllers in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions: - -- Every domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows Server to support authentication from all devices running the supported versions of Windows or Windows Server. - -- Devices running the supported versions of Windows or that do not protect resources by using claims or compound identity, should disable Kerberos protocol support for Dynamic Access Control. - -For domains that support user claims, every domain controller running the supported versions of Windows server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows: - -- **Always provide claims**   Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher. - -- **Supported**   When you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control. - -If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 or higher functional level. 
- -If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests. - -If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level. - -A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server. - -## See also - -- [Access control overview](access-control.md) \ No newline at end of file diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md deleted file mode 100644 index 7d9575a8f4..0000000000 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ /dev/null 
@@ -1,186 +0,0 @@ ---- -title: Microsoft Accounts (Windows 10) -description: Microsoft Accounts -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 10/13/2017 -ms.reviewer: ---- - -# Microsoft Accounts - -**Applies to** -- Windows 10 - -This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization. - -Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password. - -When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices. - -## How a Microsoft account works - -The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Microsoft Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials. - -When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. 
This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed. - -**Important**   -Local Windows account functionality has not been removed, and it is still an option to use in managed environments. - -### How Microsoft accounts are created - -To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped. - -Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise. - -There are two methods for creating a Microsoft account: - -- **Use an existing email address**. - - Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords. - -- **Sign up for a Microsoft email address**. - - Users can sign up for an email account with Microsoft's webmail services. This account can be used to sign in to websites that are enabled to use Microsoft accounts. - -### How the Microsoft account information is safeguarded - -Credential information is encrypted twice. The first encryption is based on the account’s password. Credentials are encrypted again when they are sent across the Internet. The data that is stored is not available to other Microsoft or non-Microsoft services. - -- **Strong password is required**. - - Blank passwords are not allowed. 
- - For more information, see [How to help keep your Microsoft account safe and secure](https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-safe-and-secure-628538c2-7006-33bb-5ef4-c917657362b9). - -- **Secondary proof of identity is required**. - - Before user profile information and settings can be accessed on a second supported Windows computer for the first time, trust must established for that device by providing secondary proof of identity. This can be accomplished by providing Windows with a code that is sent to a mobile phone number or by following the instructions that are sent to an alternate email address that a user specifies in the account settings. - -- **All user profile data is encrypted on the client before it is transmitted to the cloud**. - - User data does not roam over a wireless wide area network (WWAN) by default, thereby protecting profile data. All data and settings that leave a device are transmitted through the TLS/SSL protocol. - -**Microsoft account security information is added**. - -Users can add security information to their Microsoft accounts through the **Accounts** interface on computers running the supported versions of Windows. This feature allows the user to update the security information that they provided when they created their accounts. This security information includes an alternate email address or phone number so if their password is compromised or forgotten, a verification code can be sent to verify their identity. Users can potentially use their Microsoft accounts to store corporate data on a personal OneDrive or email app, so it is safe practice for the account owner to keep this security information up-to-date. - -## The Microsoft account in the enterprise - - -Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. 
The following list describes some advantages. - -- **Download Microsoft Store apps**: - - If your enterprise chooses to distribute software through the Microsoft Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT. - -- **Single sign-on**: - - Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Microsoft Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Microsoft Store apps or websites, so that these credentials roam across any devices running these supported versions. - -- **Personalized settings synchronization**: - - Users can associate their most commonly used operating-system settings with a Microsoft account. These settings are available whenever a user signs in with that account on any device that is running a supported version of Windows and is connected to the cloud. After a user signs in, the device automatically attempts to get the user's settings from the cloud and apply them to the device. - -- **App synchronization**: - - Microsoft Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed. - -- **Integrated social media services**: - - Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. 
Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr. - -### Managing the Microsoft account in the domain - -Depending on your IT and business models, introducing Microsoft accounts into your enterprise might add complexity or it might provide solutions. You should address the following considerations before you allow the use of these account types in your enterprise: - -- [Restrict the use of the Microsoft account](#bkmk-restrictuse) - -- [Configure connected accounts](#bkmk-cfgconnectedaccounts) - -- [Provision Microsoft accounts in the enterprise](#bkmk-provisionaccounts) - -- [Audit account activity](#bkmk-audit) - -- [Perform password resets](#bkmk-passwordresets) - -- [Restrict app installation and usage](#bkmk-restrictappinstallationandusage) - -### Restrict the use of the Microsoft account - -The following Group Policy settings help control the use of Microsoft accounts in the enterprise: - -- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication) -- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts) - -#### Block all consumer Microsoft account user authentication - -This setting controls whether users can provide Microsoft accounts for authentication for applications or services. - -If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. -This applies both to existing users of a device and new users who may be added. - -However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. -It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. - -If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. 
-By default, this setting is **Disabled**. - -This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. - -The path to this setting is: - -Computer Configuration\Administrative Templates\Windows Components\Microsoft account - -#### Accounts: Block Microsoft accounts - -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. - -There are two options if this setting is enabled: - -- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). -- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. - -This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services). - -By default, this setting is **Not defined**. 
- -The path to this setting is: - -Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - -### Configure connected accounts - -Users can connect a Microsoft account to their domain account and synchronize the settings and preferences between them. This enables users to see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings on their other devices. - -Users can disconnect a Microsoft account from their domain account at any time as follows: In **PC settings**, tap or click **Users**, tap or click **Disconnect**, and then tap or click **Finish**. - -**Note**   -Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account. - -### Provision Microsoft accounts in the enterprise - -Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts. - -### Audit account activity - -Because Microsoft accounts are Internet-based, Windows does not have a mechanism to audit their use until the account is associated with a domain account. But this association does not restrict the user from disconnecting the account or disjoining from the domain. It is not possible to audit the activity of accounts that are not associated with your domain. - -### Perform password resets - -Only the owner of the Microsoft account can change the password. Passwords can be changed in the [Microsoft account sign-in portal](https://login.live.com). - -### Restrict app installation and usage - -Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. 
For more information, see [AppLocker](/windows/device-security/applocker/applocker-overview) and [Packaged Apps and Packaged App Installer Rules in AppLocker](/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker). - -## See also - -- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj884082(v=ws.11)) - -- [Access Control Overview](access-control.md) \ No newline at end of file diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md deleted file mode 100644 index eebc241c56..0000000000 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ /dev/null 
@@ -1,331 +0,0 @@ ---- -title: Security identifiers (Windows 10) -description: Security identifiers -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 ---- - -# Security identifiers - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - -This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system. - -## What are security identifiers? - -A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. - -Each account or group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller. It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group. - -Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer. - -In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. 
Well-known SIDs have values that remain constant across all operating systems. - -SIDs are a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment. - -The content in this topic applies to computers that are running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic. - -## How security identifiers work - -Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes that run in the security context of the account by using their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local), and they are never reused. - -The operating system generates a SID that identifies a particular account or group at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services. - -For every local account and group, the SID is unique for the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. 
This means that the SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise. - -SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, if a user with a user account in a Windows domain leaves her job, an administrator deletes her Active Directory account, including the SID that identifies the account. If she later returns to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID does not match the old one; so none of the user's access from her old account is transferred to the new account. Her two accounts represent two completely different security principals. - -## Security identifier architecture - -A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID. - -![Security identifier architecture.](images/security-identifider-architecture.jpg) - -The individual values of a SID are described in the following table. - -| Comment | Description | -| - | - | -| Revision | Indicates the version of the SID structure that is used in a particular SID. | -| Identifier authority | Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority). 
| -| Subauthorities | >Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain. | - -The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation: -``` -S-R-X-Y1-Y2-Yn-1-Yn -``` - -In this notation, the components of a SID are represented as shown in the following table. - -| Comment | Description | -| - | - | -| S | Indicates that the string is a SID | -| R | Indicates the revision level | -| X | Indicates the identifier authority value | -| Y | Represents a series of subauthority values, where *n* is the number of values | - -The SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-Y*n*-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier. - -The last item in the series of subauthority values (-Y*n*) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier. 
- -For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string: - -``` -S-1-5-32-544 -``` - -This SID has four components: - -- A revision level (1) - -- An identifier authority value (5, NT Authority) - -- A domain identifier (32, Builtin) - -- A relative identifier (544, Administrators) - -SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain **Builtin**, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope. They are local to a single computer, or in the case of domain controllers for a network domain, they are local to several computers that are acting as one. - -Built-in accounts and groups need to be distinguished from one another within the scope of the **Builtin** domain. Therefore, the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the **Builtin** domain has a SID with a final value of 544. - -In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. 
domain (Contoso\\Domain Admins): - -``` -S-1-5-21-1004336348-1177238915-682003330-512 -``` - -The SID for Contoso\\Domain Admins has: - -- A revision level (1) - -- An identifier authority (5, NT Authority) - -- A domain identifier (21-1004336348-1177238915-682003330, Contoso) - -- A relative identifier (512, Domain Admins) - -The SID for Contoso\\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Contoso\\Domain Admins is distinguished from the SIDs for other accounts and groups that are created in the Contoso domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512. - -## Relative identifier allocation - -When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and in a group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again. - -In a network domain, however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. 
The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation. - -The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master. - -Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier. - -## Security identifiers and globally unique identifiers - -When a new domain user or group account is created, Active Directory stores the account's SID in the **ObjectSID** property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise, but also across the world. GUIDs are assigned to every object that is created by Active Directory, not only User and Group objects. Each object's GUID is stored in its **ObjectGUID** property. - -Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by **ObjectGUID** might be the most reliable way of finding the object you want to locate. 
The values of other object properties can change, but the **ObjectGUID** property never changes. When an object is assigned a GUID, it keeps that value for life. - -If a user moves from one domain to another, the user gets a new SID. The SID for a group object does not change because groups stay in the domain where they were created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe, but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, Contoso\\NoAm to Contoso\\Europe. If the administrator does this, the User object for the account needs a new SID. The domain identifier portion of a SID that is issued in NoAm is unique to NoAm; so the SID for the user's account in Europe has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain; so if the domain changes, the relative identifier also changes. - -When a User object moves from one domain to another, a new SID must be generated for the user account and stored in the **ObjectSID** property. Before the new value is written to the property, the previous value is copied to another property of a User object, **SIDHistory**. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the **ObjectSID** property, and another value is added to the list of old SIDs in **SIDHistory**. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user, including the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they are included in the user's access token. 
When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in **SIDHistory**), can allow or deny the user access. - -If you allow or deny users' access to a resource based on their jobs, you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others. - -However, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The **SIDHistory** property makes this possible. When a user changes domains, there is no need to change the access control list (ACL) on any resource. If an ACL has the user's old SID, but not the new one, the old SID is still in the user's access token. It is listed among the SIDs for the user's groups, and the user is granted or denied access based on the old SID. - -## Well-known SIDs - -The values of certain SIDs are constant across all systems. They are created when the operating system or domain is installed. They are called well-known SIDs because they identify generic users or generic groups. - -There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows operating systems. - -The following table lists the universal well-known SIDs. - -| Value | Universal Well-Known SID | Identifies | -| - | - | - | -| S-1-0-0 | Null SID | A group with no members. This is often used when a SID value is not known.| -| S-1-1-0 | World | A group that includes all users. | -| S-1-2-0 | Local | Users who log on to terminals that are locally (physically) connected to the system. 
| -| S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. | -| S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. | -| S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. | -| S-1-3-2 | Creator Owner Server | | -| S-1-3-3 | Creator Group Server | | -| S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. | -| S-1-4 | Non-unique Authority | A SID that represents an identifier authority. | -| S-1-5 | NT Authority | A SID that represents an identifier authority. | -| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| - -The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. - -| Identifier Authority | Value | SID String Prefix | -| - | - | - | -| SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 | -| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 | -| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 | -| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 | -| SECURITY_NT_AUTHORITY | 5 | S-1-5 | -| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 | - -The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID. 
- -| Relative Identifier Authority | Value | Identifier Authority | -| - | - | - | -| SECURITY_NULL_RID | 0 | S-1-0 | -| SECURITY_WORLD_RID | 0 | S-1-1 | -| SECURITY_LOCAL_RID | 0 | S-1-2 | -| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 | -| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 | - -The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and are meaningful only in installations of the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. The following table lists the well-known SIDs. - -| SID | Display Name | Description | -| - | - | - | -| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.| -| S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.| -| S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. | -| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.| -| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.| -| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. 
In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.| -| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.| -| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.| -| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
    The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| -| S-1-5-8| Proxy| Does not currently apply: this SID is not used.| -| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.| -| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.| -| S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
    This group includes authenticated security principals from any trusted domain, not only the current domain.| -| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.| -| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.| -| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.| -| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.| -| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.| -| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
    System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
    When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.| -| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.| -| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.| -| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
    The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
    By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.| -| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
    By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
    Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.| -| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.| -| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
    Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.| -| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.| -| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.| -| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.| -| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.| -| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
    Cert Publishers are authorized to publish certificates for User objects in Active Directory.| -| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.| -| S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
    The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.
    By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. | -| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
    Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.| -| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
    Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.| -| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.| -| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| -| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.| -| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. | -| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.| -| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. 
Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.| -| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.| -| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.| -| S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.| -|S-1-5-32-554|Builtin\Pre-Windows 2000 Compatible Access|An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain.| -|S-1-5-32-555|Builtin\Remote Desktop Users|An alias. Members in this group are granted the right to log on remotely.| -|S-1-5-32-556|Builtin\Network Configuration Operators|An alias. Members in this group can have some administrative privileges to manage configuration of networking features.| -|S-1-5-32-557|Builtin\Incoming Forest Trust Builders|An alias. Members of this group can create incoming, one-way trusts to this forest.| -|S-1-5-32-558|Builtin\Performance Monitor Users|An alias. Members of this group have remote access to monitor this computer.| -|S-1-5-32-559|Builtin\Performance Log Users|An alias. Members of this group have remote access to schedule logging of performance counters on this computer.| -|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. 
Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.| -|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.| -|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.| -|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.| -|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.| -|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.| -|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.| -|S-1-5-32-575|Builtin\RDS Remote Access Servers|A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.| -|S-1-5-32-576|Builtin\RDS Endpoint Servers|A built-in local group. Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.| -|S-1-5-32-577|Builtin\RDS Management Servers|A builtin local group. 
Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.| -|S-1-5-32-578|Builtin\Hyper-V Administrators|A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.| -|S-1-5-32-579|Builtin\Access Control Assistance Operators|A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.| -|S-1-5-32-580|Builtin\Remote Management Users|A built-in local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.| -| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client| -| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.| -| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.| -| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| -| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| -| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). 
| - -The following RIDs are relative to each domain. - -| RID |Decimal value| Identifies | -| - | - | - | -| DOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain. | -| DOMAIN_USER_RID_GUEST| 501 | The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.| -| DOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.| -| DOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.| -| DOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. All computers in the domain are members of this group.| -| DOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.| -| DOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.| -| DOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators' group. Members of this group can modify the Active Directory schema.| -| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.| -| DOMAIN_GROUP_RID_POLICY_ADMINS| 520 | The policy administrators' group.| - -The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups. 
- -| RID | Decimal value | Identifies | -| - | - | - | -| DOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.| -| DOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.| -| DOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.| -| DOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.| -| DOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that is used to control the assignment of file backup-and-restore user rights.| -| DOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.| -| DOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.| - -## Changes in security identifier's functionality - -The following table describes changes in SID implementation in the Windows operating systems that are designated in the list. - -| Change | Operating system version | Description and resources | -| - | - | - | -| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. | -| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. 
| - -## Capability SIDs - -Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (Examples: documents, camera, locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource. - -All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location. - -## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition - -You may see the following registry keys under AllCachedCapabilities: - -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows - -All Capability SIDs are prefixed by S-1-15-3 - -## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition - -You may see the following registry keys under AllCachedCapabilities: - 
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows - -All Capability SIDs are prefixed by S-1-15-3 - -## See also - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md deleted file mode 100644 index 3120899040..0000000000 --- a/windows/security/identity-protection/access-control/security-principals.md +++ /dev/null 
@@ -1,148 +0,0 @@ ---- -title: Security Principals (Windows 10) -description: Security Principals -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -ms.reviewer: ---- - -# Security Principals - -**Applies to** -- Windows 10 -- Windows Server 2016 - -This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals. - -## What are security principals? - - -Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers. Each security principal is represented in the operating system by a unique security identifier (SID). - -The following content applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. - -## How security principals work - - -Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Each security principal is assigned a unique identifier, which it retains for its entire lifetime. Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on the local computer. - -### Authorization and access control components - -The following diagram illustrates the Windows authorization and access control process. 
In this diagram, the subject (a process that is initiated by a user) attempts to access an object, such as a shared folder. The information in the user’s access token is compared to the access control entries (ACEs) in the object’s security descriptor, and the access decision is made. The SIDs of security principals are used in the user’s access token and in the ACEs in the object’s security descriptor. - -**Authorization and access control process** - -![authorization and access control process.](images/authorizationandaccesscontrolprocess.gif) - -Security principals are closely related to the following components and technologies: - -- [Security identifiers](#bkmk-sids) - -- [Access tokens](#bkmk-accesstokens) - -- [Security descriptors and access control lists](#bkmk-sdandacls) - -- [Permissions](#bkmk-permissions) - -### Security identifiers - -Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment. - -A SID is a value of variable length that is used to uniquely identify a security principal that represents any entity that can be authenticated by the system. These entities include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each security principal is automatically assigned a SID when it is created. The SID is stored in a security database. When a SID is used as the unique identifier for a user or group, it can never be used to identify another user or group. - -Each time a user signs in, the system creates an access token for that user. The access token contains the user’s SID, user rights, and the SIDs for groups that the user belongs to. 
This token provides the security context for whatever actions the user performs on that computer. - -In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and the World SIDs identify groups that includes all users. Well-known SIDs have values that remain constant across all operating systems. - -### Access tokens - -An access token is a protected object that contains information about the identity and user rights that are associated with a user account. - -When a user signs in interactively or tries to make a network connection to a computer running Windows, the sign-in process authenticates the user’s credentials. If authentication is successful, the process returns a SID for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token). This includes the SIDs that are returned by the sign-in process and a list of user rights that are assigned by the local security policy to the user and to the user’s security groups. - -After the LSA creates the primary access token, a copy of the access token is attached to every thread and process that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires user rights, the operating system checks the access token that is associated with the thread to determine the level of authorization. - -There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account that is associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. 
Impersonation tokens, on the other hand, are usually used for client and server scenarios. Impersonation tokens enable a thread to run in a security context that differs from the security context of the process that owns the thread. - -### Security descriptors and access control lists - -A security descriptor is a data structure that is associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs: - -- A discretionary access control list (DACL), which identifies the users and groups who are allowed or denied access - -- A system access control list (SACL), which controls how access is audited - -You can use this access control model to individually secure objects and attributes such as files and folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined. - -### Permissions - -Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Permissions are expressed in the security architecture as access control entries (ACEs). 
Because access to an object is at the discretion of the object’s owner, the type of access control that is used in Windows is called discretionary access control. - -Permissions are different from user rights in that permissions are attached to objects, and user rights apply to user accounts. Administrators can assign user rights to groups or users. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories. - -On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers. - -For information about which user rights are available and how they can be implemented, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment). - -### Security context in authentication - -A user account enables a user to sign in to computers, networks, and domains with an identity that can be authenticated by the computer, network, or domain. - -In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller, even when no user is signed in. - -To initiate communications, the computer must have an active account in the domain. 
Before accepting communications from the computer, the Local Security Authority on the domain controller authenticates the computer’s identity and then defines the computer’s security context just as it would for a user’s security principal. - -This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, service, or computer on that resource. - -The security context of a user or computer can vary from one computer to another, such as when a user authenticates to a server or a workstation other than the user’s primary workstation. It can also vary from one session to another, such as when an administrator modifies the user’s rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain. - -## Accounts and security groups - - -Accounts and security groups that are created in an Active Directory domain are stored in the Active Directory database and managed by using Active Directory tools. These security principals are directory objects, and they can be used to manage access to domain resources. - -Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are stored in and managed by the Security Accounts Manager (SAM) on the local computer. - -### User accounts - -A user account uniquely identifies a person who is using a computer system. The account signals the system to enforce the appropriate authorization to allow or deny that user access to resources. 
User accounts can be created in Active Directory and on local computers, and administrators use them to: - -- Represent, identify, and authenticate the identity of a user. A user account enables a user to sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain. - -- Authorize (grant or deny) access to resources. After a user has been authenticated, the user is authorized access to resources based on the permissions that are assigned to that user for the resource. - -- Audit the actions that are carried out on a user account. - -Windows and the Windows Server operating systems have built-in user accounts, or you can create user accounts to meet the requirements of your organization. - -### Security groups - -A security group is a collection of user accounts, computer accounts, and other groups of accounts that can be managed as a single unit from a security perspective. In Windows operating systems, there are several built-in security groups that are preconfigured with the appropriate rights and permissions for performing specific tasks. Additionally, you can (and, typically, will) create a security group for each unique combination of security requirements that applies to multiple users in your organization. - -Groups can be Active Directory-based or local to a particular computer: - -- Active Directory security groups are used to manage rights and permissions to domain resources. - -- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers. You use local groups to manage rights and permissions only to resources on the local computer. - -By using security groups to manage access control, you can: - -- Simplify administration. You can assign a common set of rights, a common set of permissions, or both to many accounts at one time, rather than assigning them to each account individually. 
Also, when users transfer jobs or leave the organization, permissions are not tied to their user accounts, making permission reassignment or removal easier. - -- Implement a role-based access-control model. You can use this model to grant permissions by using groups with different scopes for appropriate purposes. Scopes that are available in Windows include local, global, domain local, and universal. - -- Minimize the size of access control lists (ACLs) and speed security checking. A security group has its own SID; therefore, the group SID can be used to specify permissions for a resource. In an environment with more than a few thousand users, if the SIDs of individual user accounts are used to specify access to a resource, the ACL of that resource can become unmanageably large, and the time that is needed for the system to check permissions to the resource can become unacceptable. - -For descriptions and settings information about the domain security groups that are defined in Active Directory, see [Active Directory Security Groups](active-directory-security-groups.md). - -For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md). - -## See also - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md deleted file mode 100644 index cd6db0f4f7..0000000000 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ /dev/null 
@@ -1,112 +0,0 @@ ---- -title: Service Accounts (Windows 10) -description: Service Accounts -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 11/19/2021 ---- - -# Service Accounts - -**Applies to** -- Windows 10 -- Windows Server 2016 - -This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts. - -## Overview - -A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell. - -This topic contains information about the following types of service accounts: - -- [Standalone managed service accounts](#bkmk-standalonemanagedserviceaccounts) - -- [Group-managed service accounts](#bkmk-groupmanagedserviceaccounts) - -- [Virtual accounts](#bkmk-virtualserviceaccounts) - -### Standalone managed service accounts - -A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts. - -To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. 
Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group-managed service account. For more information, see [Group-Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)). - -In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts: - -- You can create a class of domain accounts that can be used to manage and maintain services on local computers. - -- Unlike domain accounts in which administrators must manually reset passwords, the network passwords for these accounts are automatically reset. - -- You do not have to complete complex SPN management tasks to use managed service accounts. -- You don't have to complete complex SPN management tasks to use managed service accounts. -- Administrative tasks for managed service accounts can be delegated to non-administrators. - -### Software requirements - -Managed service accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. - -### Group-managed service accounts - -Group-managed service accounts are an extension of the standalone-managed service accounts, which were introduced in Windows Server 2008 R2. These accounts are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators. - -The group-managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers. 
When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal. When group-managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password. - -The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server 2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a group-managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group-managed service account. - -### Practical applications - -Group-managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group-managed service account solution, services can be configured for the group-managed service account principal, and the password management is handled by the operating system. - -By using a group-managed service account, service administrators do not need to manage password synchronization between service instances. The group-managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service. This provision means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting. 
- -Failover clusters do not support group-managed service accounts. However, services that run on top of the Cluster service can use a group-managed service account or a standalone managed service account if they are a Windows service, an App pool, a scheduled task, or if they natively support group-managed service account or standalone managed service accounts. - -### Software requirements - -Group-managed service accounts can only be configured and administered on computers running at least Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements. - -A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group-managed service accounts. - -A managed service account is dependent on encryption types supported by Kerberos. When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support. The domain controller uses the account’s **msDS-SupportedEncryptionTypes** attribute to determine what encryption the server supports, and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) must always be configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail. - -**Note**   -Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560670(v=ws.10)). 
- -Group-managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012. - -### Virtual accounts - -Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration: - -- The virtual account is automatically managed. - -- The virtual account can access the network in a domain environment. - -- No password management is required. For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\\<SERVICENAME>. - -Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain\_name>\\<computer\_name>$. - -For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)). - -### Software requirements - -Virtual accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. - -## See also - - -The following table provides links to other resources that are related to standalone managed service accounts, group-managed service accounts, and virtual accounts. - -| Content type | References | -|---------------|-------------| -| **Product evaluation** | [What's New for Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831451(v=ws.11))
    [Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)) | -| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) | -| **Related technologies** | [Security Principals](security-principals.md)
    [What's new in Active Directory Domain Services](/windows-server/identity/whats-new-active-directory-domain-services) | diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md deleted file mode 100644 index 995d23b020..0000000000 --- a/windows/security/identity-protection/access-control/special-identities.md +++ /dev/null 
@@ -1,448 +0,0 @@ ---- -title: Special Identities (Windows 10) -description: Special Identities -ms.prod: m365-security -ms.technology: windows-sec -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 12/21/2021 -ms.reviewer: ---- - -# Special Identities - -**Applies to** - -- Windows Server 2016 or later - -This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control. - -Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can: - -- Assign user rights to security groups in Active Directory. -- Assign permissions to security groups for the purpose of accessing resources. - -Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. - -Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identity groups. Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource. - -For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md). 
- -The special identity groups are described in the following tables: - -- [Anonymous Logon](#anonymous-logon) -- [Attested Key Property](#attested-key-property) -- [Authenticated Users](#authenticated-users) -- [Authentication Authority Asserted Identity](#authentication-authority-asserted-identity) -- [Batch](#batch) -- [Console Logon](#console-logon) -- [Creator Group](#creator-group) -- [Creator Owner](#creator-owner) -- [Dialup](#dialup) -- [Digest Authentication](#digest-authentication) -- [Enterprise Domain Controllers](#enterprise-domain-controllers) -- [Everyone](#everyone) -- [Fresh Public Key Identity](#fresh-public-key-identity) -- [Interactive](#interactive) -- [IUSR](#iusr) -- [Key Trust](#key-trust) -- [Local Service](#local-service) -- [LocalSystem](#localsystem) -- [MFA Key Property](#mfa-key-property) -- [Network](#network) -- [Network Service](#network-service) -- [NTLM Authentication](#ntlm-authentication) -- [Other Organization](#other-organization) -- [Owner Rights](#owner-rights) -- [Principal Self](#principal-self) -- [Proxy](#proxy) -- [Remote Interactive Logon](#remote-interactive-logon) -- [Restricted](#restricted) -- [SChannel Authentication](#schannel-authentication) -- [Service](#service) -- [Service Asserted Identity](#service-asserted-identity) -- [Terminal Server User](#terminal-server-user) -- [This Organization](#this-organization) -- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group) - -## Anonymous Logon - -Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default. 
- -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-7 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Attested Key Property - -A SID that means the key trust object had the attestation property. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-6 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Authenticated Users - -Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-11 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
    [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - -## Authentication Authority Asserted Identity - -A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Batch - -Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-3 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Console Logon - -A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-2-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Creator Group - -The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. - -A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). 
When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-3-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Creator Owner - -The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-3-0 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Dialup - -Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Digest Authentication - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-64-21 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Enterprise Domain Controllers - -This group includes all domain controllers in an Active Directory forest. 
Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-9 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
    [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight| - -## Everyone - -All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. - -On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1). - -Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-1-0 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
    [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - -## Fresh Public Key Identity - -A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-3 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Interactive - -Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-4 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None| - -## IUSR - -Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-17 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Key Trust - -A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object. 
- -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-4 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Local Service - -The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-19 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
    | - -## LocalSystem - -This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-18 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## MFA Key Property - -A SID that means the key trust object had the multifactor authentication (MFA) property. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-5 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Network - -This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-2 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Network Service - -The Network Service account is similar to an Authenticated User account. 
The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-20 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
    | - -## NTLM Authentication - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-64-10 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None| - -## Other Organization - -This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-1000 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Owner Rights - -A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-3-4 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Principal Self - -This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-10 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Proxy - -Identifies a SECURITY_NT_AUTHORITY Proxy. 
- -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-8 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Remote Interactive Logon - -This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-14| -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Restricted - -Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-12 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## SChannel Authentication - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-64-14 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Service - -Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system. 
- -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-6 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    | - -## Service Asserted Identity - -A SID that means the client's identity is asserted by a service. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-2 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Terminal Server User - -Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-13 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## This Organization - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-15 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Window Manager\\Window Manager Group - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-90 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
    | - -## See also - -- [Active Directory Security Groups](active-directory-security-groups.md) - -- [Security Principals](security-principals.md) - -- [Access Control Overview](access-control.md) From b209dcefe4f639da68fd0d944c237c747b0b6d3e Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 4 Aug 2022 18:00:31 -0400 Subject: [PATCH 30/77] 4246040 change redirect to false --- .openpublishing.redirection.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3acf52720e..c702618554 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -19593,42 +19593,42 @@ { "source_path": "windows/security/identity-protection/access-control/security-identifiers.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/security-principals.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-principals", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/active-directory-accounts.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-default-user-accounts", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/microsoft-accounts.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-microsoft-accounts", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/service-accounts.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-service-accounts", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/active-directory-security-groups.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-groups", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/special-identities.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-special-identities-groups", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md", "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview", - 
"redirect_document_id": true + "redirect_document_id": false } ] } From 412ffd4d3df98b97f93df77e17c07f9fad57afac Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Thu, 4 Aug 2022 23:51:25 -0500 Subject: [PATCH 31/77] More changes --- .../deploy/windows-autopatch-register-devices.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index fbe99bc055..ad03c51333 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -28,7 +28,7 @@ Windows Autopatch can take over software update management of supported devices ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour its discover devices function to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the Ready or Not ready tab to register devices on demand. 
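Review bot: The replacement sentence in the "About the use of an Azure AD group to register devices" paragraph has its time phrase in the wrong place: "automatically runs every hour its discover devices function to discover new devices" separates the verb from its object and reads awkwardly. Suggest "Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group." The unchanged NOTE under it already says the group is scanned hourly, so the two statements stay consistent.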
@@ -49,7 +49,7 @@ Azure AD groups synced up from: > The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups. > [!TIP] -> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the Windows Autopatch Device Registration Azure AD group on demand. +> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. ### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant @@ -112,9 +112,7 @@ Registering your devices in Windows Autopatch does the following: ## Steps to register devices -### Physical devices - -Any device (either physical or virtual) that contains an Azure AD device ID can be added into the Windows Autopatch Device Registration Azure AD group to be registered with Windows Autopatch. +Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group to be registered with Windows Autopatch. **To register physical devices into Windows Autopatch:** 
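Review bot: With the "### Physical devices" heading removed under "## Steps to register devices", the unchanged lead-in "**To register physical devices into Windows Autopatch:**" no longer matches the paragraph directly above it, which says any device, physical or virtual, can be added to the group. Suggest changing the lead-in in the same change to "**To register devices into Windows Autopatch:**" so the section reads consistently.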
@@ -131,7 +129,7 @@ Once devices or Azure AD groups containing devices are added to the **Windows Au ### Windows Autopatch on Windows 365 Enterprise Workloads -With Windows 365 Enterprise, IT admins are given the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy process calls the Windows Autopatch device registration APIs to register devices on behalf of the IT admin. +With Windows 365 Enterprise, IT admins are given the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. **To deploy Windows Autopatch on a Windows 365 Provisioning Policy:** 
@@ -152,9 +150,9 @@ For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-36 All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method for any other physical or virtual device. See [steps to register devices](#steps-to-register-devices) for more details. -### Contact support +### Contact support for device registration-related incidents -Support is available either through Windows 365, or Windows Autopatch for update related incidents. +Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents. - For Windows 365 support, see [Get support](/mem/get-support). - For Windows Autopatch support, see [Submit a support request](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request). From 92eff309b5eab23af933429bbbc6b4cfa6a83a23 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 08:07:01 -0700 Subject: [PATCH 32/77] Update windows-autopatch-register-devices.md Fixed wording --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index ad03c51333..649f4f674b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
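Review bot: In the "Contact support" hunk of windows-autopatch-register-devices.md, the new sentence "Support is available either through Windows 365, or the Windows Autopatch Service Engineering team" is not parallel ("through" covers only the first option, and the comma splits the pair). Suggest "Support is available through either Windows 365 or the Windows Autopatch Service Engineering team for device registration-related incidents." The unchanged bullet still says "For Windows Autopatch support", so consider aligning it with the team name the sentence now uses.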
@@ -28,7 +28,7 @@ Windows Autopatch can take over software update management of supported devices ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour its discover devices function to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the Ready or Not ready tab to register devices on demand. From 303c0d6e3b286248e10024f907fe1a5f82a3b9d1 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Fri, 5 Aug 2022 11:56:54 -0700 Subject: [PATCH 33/77] 0xC00000BB -included for KDC support error 0xC00000BB -included for KDC support error --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 631d982e36..592e53bc19 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -70,6 +70,8 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | +| 0xC00000BB | Something went wrong and you PIN isn’t available. Or That option is temporarily unavailable. For now, please use a different method to sign in. | Destination domain controller doesn't support the login, most likely KDC service dont have proper certificate to support the login.| + ## Errors with unknown mitigation From 2cd104786fe314676895586e3c5050ad934dea04 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 12:59:38 -0700 Subject: [PATCH 34/77] New Changes made at tenant enrollment. --- windows/deployment/windows-autopatch/TOC.yml | 2 + .../windows-autopatch-enroll-tenant.md | 3 + .../windows-autopatch-changes-to-tenant.md | 161 ++++++++++++++++++ 3 files changed, 166 insertions(+) create mode 100644 windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c6e175c270..b61273493f 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml 
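Review bot: The new 0xC00000BB row in hello-errors-during-pin-creation.md has typos, and its mitigation cell states a probable cause rather than an action. "you PIN isn't available" should be "your PIN isn't available", and "KDC service dont have proper certificate" should be "the KDC service doesn't have the proper certificate". The neighbouring rows give the reader a step to take (for example "Sign out and then sign in again."), so this cell should say what the admin should do about the domain controller's KDC certificate, not only that it is the likely cause. The row also uses "login" where the rest of the table uses "sign in".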
@@ -79,6 +79,8 @@ href: operate/windows-autopatch-wqu-unsupported-policies.md - name: Microsoft 365 Apps for enterprise update policies href: references/windows-autopatch-microsoft-365-policies.md + - name: Changes made at tenant enrollment + href: references/windows-autopatch-changes-to-tenant.md - name: Privacy href: references/windows-autopatch-privacy.md - name: Windows Autopatch preview addendum diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 99940fe13f..7ff9f212c0 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -99,6 +99,9 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s Once these actions are complete, you've now successfully enrolled your tenant. +> [!NOTE] +> For more information about changes made to your tenant, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). + ### Delete data collected from the Readiness assessment tool You can choose to delete the data we collect directly within the Readiness assessment tool. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md new file mode 100644 index 0000000000..c6f60baec9 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md 
@@ -0,0 +1,161 @@ +--- +title: Changes made at tenant enrollment +description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch +ms.date: 08/04/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: reference +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Changes made at tenant enrollment + +## Service principal + +Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: + +- Modern Workplace Customer APIs + +## Azure Active Directory groups + +Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our service accounts. + +| Group name | Description | +| ----- | ----- | +| Modern Workplace-All | All Modern Workplace users | +| Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | +| Modern Workplace Devices-All | All Modern Workplace devices | +| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

    Group Rule:

    • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
    • `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`

    Exclusions:
    • Modern Workplace - Telemetry Settings for Windows 11
    | +| Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

    Group Rule:

    • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
    • `(device.deviceOSVersion -startsWith \"10.0.22000\")`

    Exclusions:
    • Modern Workplace - Telemetry Settings for Windows 10
    | +| Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | +| Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role | +| Modern Workplace Service - Intune Admin All | Group for Intune Admins

    Assigned to:

    • Modern Workplace Service Accounts
    | +| Modern Workplace Service - Intune Reader All | Group for Intune readers

    Assigned to:

    • Modern Workplace Service Accounts
    | +| Modern Workplace Service - Intune Reader MMD | Group for Intune readers of MMD devices and users

    Assigned to:

    • Modern Workplace Service Accounts
    | +| Modern Workplace Service Accounts | Group for Windows Autopatch service accounts | +| Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch | + +## Windows Autopatch enterprise applications + +Enterprise applications are applications (software) that a business uses to do its work. + +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. + +| Enterprise application name | Usage | Permissions | +| ----- | ------ | ----- | +| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
    • DeviceManagementApps.ReadWrite.All
    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementManagedDevices.PriviligedOperation.All
    • DeviceManagementManagedDevices.ReadWrite.All
    • DeviceManagementRBAC.ReadWrite.All
    • DeviceManagementServiceConfig.ReadWrite.All
    • Directory.Read.All
    • Group.Create
    • Policy.Read.All
    • WindowsUpdates.Read.Write.All
    | + +> [!NOTE] +> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon. + +## Windows Autopatch cloud service accounts + +Windows Autopatch will create three cloud service accounts in your tenant. These accounts are used to run the service and all need to be excluded from any multi-factor authentication controls. + +> [!NOTE] +> Effective Aug 15th, 2022, these accounts will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. These accounts will be removed with that transition. + +| Cloud service account name | Usage | Mitigating controls | +| ----- | ----- | ------ | +| MsAdmin@tenantDomain.onmicrosoft.com |
    • This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Microsoft Modern desktop devices.
    • This account doesn't have interactive sign-in permissions.  The account performs operations only through the service.
    | Audited sign-ins | +| MsAdminInt@tenantDomain.onmicrosoft.com |
    • This account is an Intune and User administrator account used to define and configure the tenant for Modern Workplace devices.
    • This account is used for interactive sign-in to the customers’ tenant.
    • The use of this account is extremely limited as most operations are exclusively through msadmin (non-interactive).
    • |
      • Restricted to be accessed only from defined secure access workstations (SAWs) through the Modern Workplace - Secure Workstation conditional access policy.
      • Audited sign-ins
      | +| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins | + +## Device configuration policies + +- Modern Workplace - Set MDM to Win Over GPO +- Modern Workplace - Telemetry Settings for Windows 10 +- Modern Workplace - Telemetry Settings for Windows 11 +- Modern Workplace-Window Update Detection Frequency +- Modern Workplace - Data Collection + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      | | | +| Modern Workplace - Telemetry Settings for Windows 10 | Telemetry settings for Windows 10

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      |[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 2 | +| Modern Workplace - Telemetry Settings for Windows 11 | Telemetry settings for Windows 11

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      |
      • [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
      • [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
      • [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
      • [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
      |
      • 3
      • 1
      • 1
      • 1
      • | +| Modern Workplace - Windows Update Detection Frequency | Sets Windows update detection frequency

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        • Modern Workplace Devices-Windows Autopatch-First
        • Modern Workplace Devices-Windows Autopatch-Fast
        • Modern Workplace Devices-Windows Autopatch-Broad
        | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | +| Modern Workplace - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop.

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        • Modern Workplace Devices-Windows Autopatch-First
        • Modern Workplace Devices-Windows Autopatch-Fast
        • Modern Workplace Devices-Windows Autopatch-Broad
        | | | + +## Update rings for Windows 10 and later + +- Modern Workplace Update Policy [Test]-[Windows Autopatch] +- Modern Workplace Update Policy [First]-[Windows Autopatch] +- Modern Workplace Update Policy [Fast]-[Windows Autopatch] +- Modern Workplace Update Policy [Broad]-[Windows Autopatch] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        |
        • QualityUpdatesDeferralPeriodInDays
        • FeatureUpdatesDeferralPeriodInDays
        • FeatureUpdatesRollbackWindowInDays
        • BusinessReadyUpdatesOnly
        • AutomaticUpdateMode
        • InstallTime
        • DeadlineForFeatureUpdatesInDays
        • DeadlineForQualityUpdatesInDays
        • DeadlineGracePeriodInDays
        • PostponeRebootUntilAfterDeadline
        • DriversExcluded
        |
        • 0
        • 0
        • 30
        • All
        • WindowsDefault
        • 3
        • 5
        • 0
        • 0
        • False
        • False
        • | +| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-First
          |
          • QualityUpdatesDeferralPeriodInDays
          • FeatureUpdatesDeferralPeriodInDays
          • FeatureUpdatesRollbackWindowInDays
          • BusinessReadyUpdatesOnly
          • AutomaticUpdateMode
          • InstallTime
          • DeadlineForFeatureUpdatesInDays
          • DeadlineForQualityUpdatesInDays
          • DeadlineGracePeriodInDays
          • PostponeRebootUntilAfterDeadline
          • DriversExcluded
          |
          • 1
          • 0
          • 30
          • All
          • WindowsDefault
          • 3
          • 5
          • 2
          • 2
          • False
          • False
          • | +| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Fast
            |
            • QualityUpdatesDeferralPeriodInDays
            • FeatureUpdatesDeferralPeriodInDays
            • FeatureUpdatesRollbackWindowInDays
            • BusinessReadyUpdatesOnly
            • AutomaticUpdateMode
            • InstallTime
            • DeadlineForFeatureUpdatesInDays
            • DeadlineForQualityUpdatesInDays
            • DeadlineGracePeriodInDays
            • PostponeRebootUntilAfterDeadline
            • DriversExcluded
            |
            • 6
            • 0
            • 30
            • All
            • WindowsDefault
            • 3
            • 5
            • 2
            • 2
            • False
            • False
            • | +| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-Broad
              |
              • QualityUpdatesDeferralPeriodInDays
              • FeatureUpdatesDeferralPeriodInDays
              • FeatureUpdatesRollbackWindowInDays
              • BusinessReadyUpdatesOnly
              • AutomaticUpdateMode
              • InstallTime
              • DeadlineForFeatureUpdatesInDays
              • DeadlineForQualityUpdatesInDays
              • DeadlineGracePeriodInDays
              • PostponeRebootUntilAfterDeadline
              • DriversExcluded
              |
              • 9
              • 0
              • 30
              • All
              • WindowsDefault
              • 3
              • 5
              • 5
              • 2
              • False
              • False
              • | + +## Feature update policies + +- Modern Workplace DSS Policy [Test] +- Modern Workplace DSS Policy [First] +- Modern Workplace DSS Policy [Fast] +- Modern Workplace DSS Policy [Broad] +- Modern Workplace DSS Policy [Windows 11] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Test

                Exclude from:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                | +| Modern Workplace DSS Policy [First] | DSS policy for First device group | | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-First
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                • | +| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | | Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-Fast

                  Exclude from:
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                  | +| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | | Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-Broad

                  Exclude from:
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                  | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | | Assigned to:
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                  | + +## Microsoft Office update policies + +- Modern Workplace - Office ADMX Deployment +- Modern Workplace - Office Configuration v5 +- Modern Workplace - Office Update Configuration [Test] +- Modern Workplace - Office Update Configuration [First] +- Modern Workplace - Office Update Configuration [Fast] +- Modern Workplace - Office Update Configuration [Broad] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Office ADMX Deployment | ADMX file for Office

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | | | +| Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | | | +| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  |
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                  |
                • Enabled; L_UpdateDeadlineID == 7
                • Enabled; L_DeferUpdateDaysID == 0
                • | +| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-First
                  |
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                  |
                • Enabled; L_UpdateDeadlineID == 7
                • Enabled; L_DeferUpdateDaysID == 0
                • | +| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Fast
                  |
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                  |
                • Enabled; L_UpdateDeadlineID == 7
                • Enabled; L_DeferUpdateDaysID == 3
                • | +| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                  Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  • |
                    • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                    • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                    |
                  • Enabled; L_UpdateDeadlineID == 7
                  • Enabled; L_DeferUpdateDaysID == 7
                  • | + +## Microsoft Edge update policies + +- Modern Workplace - Edge Update ADMX Deployment +- Modern Workplace - Edge Update Channel Stable +- Modern Workplace - Edge Update Channel Beta + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Test
                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace Devices-Windows Autopatch-Fast
                    • Modern Workplace Devices-Windows Autopatch-Broad
                    | | | +| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace Devices-Windows Autopatch-Fast
                    • Modern Workplace Devices-Windows Autopatch-Broad
                    | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | +| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Test
                    | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | + +## Conditional access policies + +> [!NOTE] +> Effective Aug 15, 2022, the following policy will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. This policy will be removed with that transition. + +| Conditional access policy | Description | +| ----- | ----- | +| Modern Workplace - Secure Workstation | This policy is targeted to only the Windows Autopatch cloud service accounts. The policy blocks access to the tenant unless the user is accessing the tenant from a Microsoft authorized location. | + +## PowerShell scripts + +| Script | Description | +| ----- | ----- | +| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service | From f7abc21ecd6e321673444fa36a8bddbfa52050c5 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 13:05:25 -0700 Subject: [PATCH 35/77] Updated date. --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index c6f60baec9..e9941f8432 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 08/04/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: reference 
From a6a4c4d22188d334582043dd061c49b608fbb032 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 13:13:03 -0700 Subject: [PATCH 36/77] Removed OMA column from Feature updates section. --- .../windows-autopatch-changes-to-tenant.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index e9941f8432..d6571ae47a 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -107,13 +107,13 @@ Windows Autopatch will create three cloud service accounts in your tenant. These - Modern Workplace DSS Policy [Broad] - Modern Workplace DSS Policy [Windows 11] -| Policy name | Policy description | OMA | Value | -| ----- | ----- | ----- | ----- | -| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-Test

                    Exclude from:
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    | -| Modern Workplace DSS Policy [First] | DSS policy for First device group | | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    • | -| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Fast

                      Exclude from:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | -| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Broad

                      Exclude from:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | -| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | | Assigned to:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | +| Policy name | Policy description | Value | +| ----- | ----- | ----- | +| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Test

                      Exclude from:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | +| Modern Workplace DSS Policy [First] | DSS policy for First device group | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      • | +| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Fast

                        Exclude from:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | +| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Broad

                        Exclude from:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | ## Microsoft Office update policies From aff5e19ba964adffdf0adf63b487e4a84b26c427 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 13:28:44 -0700 Subject: [PATCH 37/77] Getting rid of the strikethrough because of the double tilde. --- .../windows-autopatch-changes-to-tenant.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index d6571ae47a..62a9d46a41 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -128,10 +128,10 @@ Windows Autopatch will create three cloud service accounts in your tenant. These | ----- | ----- | ----- | ----- | | Modern Workplace - Office ADMX Deployment | ADMX file for Office

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        | | | | Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        | | | -| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        |
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 0
                      • | -| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-First
                        |
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 0
                      • | -| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Fast
                        |
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 3
                      • | -| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                        Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        • |
                          • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                          • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                          |
                        • Enabled; L_UpdateDeadlineID == 7
                        • Enabled; L_DeferUpdateDaysID == 7
                        • | +| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-Test
                          |
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                          |
                        • Enabled; L_UpdateDeadlineID == 7
                        • Enabled; L_DeferUpdateDaysID == 0
                        • | +| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-First
                          |
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                          |
                        • Enabled; L_UpdateDeadlineID == 7
                        • Enabled; L_DeferUpdateDaysID == 0
                        • | +| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-Fast
                          |
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                          |
                        • Enabled; L_UpdateDeadlineID == 7
                        • Enabled; L_DeferUpdateDaysID == 3
                        • | +| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                          Assigned to:
                          • Modern Workplace Devices-Windows Autopatch-Broad
                          • |
                            • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                            • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                            |
                          • Enabled; L_UpdateDeadlineID == 7
                          • Enabled; L_DeferUpdateDaysID == 7
                          • | ## Microsoft Edge update policies @@ -142,8 +142,8 @@ Windows Autopatch will create three cloud service accounts in your tenant. These | Policy name | Policy description | OMA | Value | | ----- | ----- | ----- | ----- | | Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-Test
                            • Modern Workplace Devices-Windows Autopatch-First
                            • Modern Workplace Devices-Windows Autopatch-Fast
                            • Modern Workplace Devices-Windows Autopatch-Broad
                            | | | -| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-First
                            • Modern Workplace Devices-Windows Autopatch-Fast
                            • Modern Workplace Devices-Windows Autopatch-Broad
                            | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | -| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-Test
                            | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | +| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-First
                            • Modern Workplace Devices-Windows Autopatch-Fast
                            • Modern Workplace Devices-Windows Autopatch-Broad
                            | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | +| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-Test
                            | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | ## Conditional access policies From 61ae725da30c3a8d91f8b47dbf5115e8eb771682 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Fri, 5 Aug 2022 17:04:24 -0500 Subject: [PATCH 38/77] Several changes including deployment ring updates --- .../windows-autopatch-register-devices.md | 41 +++++---- .../windows-autopatch-update-management.md | 83 ++++++++++++------- 2 files changed, 74 insertions(+), 50 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 649f4f674b..7635a6185b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 08/04/2022 +ms.date: 08/05/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -18,7 +18,7 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev ## Before you begin -Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes: +Windows Autopatch can take over software update management control of devices that meet software-based pre-requisittes as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) - [Windows feature updates](../operate/windows-autopatch-fu-overview.md) 
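Review bot: The rewritten opening sentence under "Before you begin" misspells "pre-requisittes". Use "prerequisites", which is the spelling this file already uses in "software-based prerequisites" under the eligibility list. The phrase "software update management control of devices" also reads more clearly without "control", as the removed line had it.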
@@ -31,7 +31,7 @@ Windows Autopatch can take over software update management of supported devices You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] -> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the Ready or Not ready tab to register devices on demand. +> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. #### Supported scenarios when nesting other Azure AD groups 
@@ -48,9 +48,6 @@ Azure AD groups synced up from: > [!IMPORTANT] > The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups. -> [!TIP] -> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. - ### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant An [Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid). @@ -66,7 +63,7 @@ It's recommended to detect and clean up stale devices in Azure AD before registe To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: -- Windows 10 (1809+)/11 Enterprise and Professional edition versions (only x64 architecture). +- Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture). - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Managed by Microsoft Endpoint Manager. - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements). 
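Review bot: The bullet directly below the edited "Windows 10 (1809+)/11" line links both "Hybrid Azure AD-Joined" and "Azure AD-joined only" to the same target, /azure/active-directory/devices/concept-azure-ad-join-hybrid. Since this list is being touched, point the second link at the article that describes Azure AD join rather than hybrid join.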
@@ -105,33 +102,39 @@ For more information, see [Azure AD built-in roles](/azure/active-directory/role ## Details about the device registration process -Registering your devices in Windows Autopatch does the following: +Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. -2. Assign devices into the deployment ring groups and other groups required for software updates management. +2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software updates management. + +See [Device Registration Overview](../deploy/windows-autopatch-device-registration-overview.md) for more details. ## Steps to register devices -Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group to be registered with Windows Autopatch. +Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. See [Windows Autopatch on WIndows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads) for details. +Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. -**To register physical devices into Windows Autopatch:** +**To register devices with Windows Autopatch:** 1. 
Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Windows Autopatch** from the left navigation menu. 3. Select **Devices**. -4. Select the **Ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. -5. Add either devices through direct membership, or other Azure Active Directory dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. +4. Select either the **Ready** or the **Not ready** tab, then click on the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] > The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both Ready and Not ready tabs. -Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices, and runs software-based prerequisite checks to try to register them with its service. +Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. + +> [!TIP] +> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. 
### Windows Autopatch on Windows 365 Enterprise Workloads -With Windows 365 Enterprise, IT admins are given the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. +Windows 365 Enterprise gives IT admins the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. -**To deploy Windows Autopatch on a Windows 365 Provisioning Policy:** +**To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:** 1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 1. In the left pane, select **Devices**. 
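Review bot: Step 4 of "To register devices with Windows Autopatch" changes "select" to "click on", while steps 2 and 3 of the same procedure still say "Select". Keep "select" so the steps stay consistent. The same hunk has three smaller wording slips to fix before merge:

- The link text "Windows Autopatch on WIndows 365 Enterprise Workloads" has a stray capital I.
- The added sentence about existing Cloud PCs says "Azure group" where the rest of the section says "Azure AD group".
- Item 2 of the registration list begins "Assign" while item 1 begins "Makes".

The re-added tip also writes "**Discover Devices**", but the note edited earlier in this file writes "**Discover devices**". Pick one casing for the button name.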
@@ -144,11 +147,7 @@ With Windows 365 Enterprise, IT admins are given the option to register devices 1. Assign your policy accordingly and select **Next**. 1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. -For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). - -#### Deploy Autopatch on Windows 365 for existing Cloud PC - -All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method for any other physical or virtual device. See [steps to register devices](#steps-to-register-devices) for more details. +See [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy) for more information. ### Contact support for device registration-related incidents diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 04bdc38aae..ca4f999c9d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -1,7 +1,7 @@ --- title: Update management description: This article provides an overview of how updates are handled in Autopatch -ms.date: 05/30/2022 +ms.date: 08/05/2022 ms.prod: w11 ms.technology: windows ms.topic: overview 
@@ -9,16 +9,16 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: andredm7 --- -# Update management +# Software updates management -Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates. +Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf. -## Update types +## Software update workloads -| Update type | Description | +| Software update workload | Description | | ----- | ----- | | Windows quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). | | Windows feature update | Windows Autopatch uses four update rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md). 
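Review bot: The H1 becomes "# Software updates management", but the front matter in the previous hunk still reads "title: Update management", so the page title and the heading now disagree. Update the title in the same commit. The unchanged table rows for Windows quality update and Windows feature update also still say "four update rings", although this patch renames the concept to "deployment rings" in the next hunk. The note added there says the rings "only apply to Windows quality updates", which conflicts with the feature update row's claim that it uses four rings. Reconcile the two statements.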
@@ -27,44 +27,69 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut | Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). | | Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). | -## Update rings +## Windows Autopatch deployment rings + +During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenant.md), Windows Autopatch creates four Azure AD assigned groups that are used to segment devices into its deployment rings: + +1. **Modern Workplace Devices-Windows Autopatch-Test** + 1. Deployment ring for testing update deployments prior production rollout. +2. **Modern Workplace Devices-Windows Autopatch-First** + 1. First production deployment ring for early adopters. +3. **Modern Workplace Devices-Windows Autopatch-Fast** + 1. Fast deployment ring for quick rollout and adoption. +4. **Modern Workplace Devices-Windows Autopatch-Broad** + 1. Final deployment ring for broad rollout into the organization. + +Each deployment ring has a different set of update deployment policies to control the updates rollout. + +> [!IMPORTANT] +> Windows Autopatch device registration does not assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent having mission critical devices or devices that are used by executives in the organization from receiving early software update deployments. + +Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service have the proper representation of the device diversity across the organization in each deployment ring. 
The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. > [!NOTE] -> Update rings only apply to Windows quality updates. +> Windows Autopatch deployment rings only apply to Windows quality updates. Additionally, you can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service. -During enrollment, Windows Autopatch creates four Azure Active Directory groups that are used to segment devices into update rings: +### Deployment ring calculation logic -1. Modern Workplace Devices - Test -2. Modern Workplace Devices - First -3. Modern Workplace Devices - Fast -4. Modern Workplace Devices - Broad +The Windows Autopatch deployment ring calculation happens during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md) and it works as follows: -Each of the update rings has a different purpose and assigned a set of policies to control the rollout of updates in each management area. +- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. +- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. -When a device is enrolled into the Windows Autopatch service, the device is assigned to an update ring so that we have the right distributions across your estate. The distribution of each ring is designed to release to as few devices as possible to get the signals needed to make a quality evaluation of a given release. -> [!NOTE] -> You can't create additional rings for managed devices and must use the four rings provided by Windows Autopatch. 
- -| Ring | Default device count | Description +| Deployment ring | Default device balancing percentage | Description | ----- | ----- | ----- | -| Test | zero | Windows Autopatch doesn't automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
                            • 0–500 devices: minimum one device
                            • 500–5000 devices: minimum five devices
                            • 5000+ devices: min 50 devices
                            Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | -| First | 1% | The First ring is the first group of production users to receive a change.

                            This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.

                            Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.| -| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

                            The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

                            | -| Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.| +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
                            • **0–500** devices: minimum **one** device.
                            • **500–5000** devices: minimum **five** devices.
                            • **5000+** devices: minimum **50** devices.
                            Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| First | **1%** | The First ring is the first group of production users to receive a change.

                            This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

                            Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

                            The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

                            | +| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| -## Moving devices between rings +## Moving devices in between deployment rings -If you want to move separate devices to different rings, repeat the following steps for each device: +If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab: 1. In Microsoft Endpoint Manager, select **Devices** in the left pane. 2. In the **Windows Autopatch** section, select **Devices**. -3. Select the devices you want to assign. All selected devices will be assigned to the ring you specify. +3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 4. Select **Device actions** from the menu. 5. Select **Assign device to ring**. A fly-in opens. -6. Use the dropdown menu to select the ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. +6. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. -When the assignment is complete, the **Ring assigned by** column will change to Admin (indicates that you made the change) and the **Ring** column will show the new ring assignment. +When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. > [!NOTE] -> You can't move devices to other rings if they're in the "error" or "pending" registration state.

                            If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't be complete. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). +> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

                            If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). + +## Automated deployment ring remediation functions + +Windows Autopatch monitors device membership in its deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**) to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. +These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process or in case an issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). + +There are two automated deployment ring remediation functions, they work as follows: + +- **Check Device Deployment Ring Membership:** Every hour, Windows Autopatch checks to see if its managed devices are not part of one of the deployment rings. When for some reason, a device is not part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**). +- **Multi-deployment ring device remediator:** Every hour, Windows Autopatch checks to see if its managed devices are part of multiple deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**). 
When for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring. + +> [!IMPORTANT] +> Windows Autopatch automated deployment ring functions do not assign/remove devices to/from its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). \ No newline at end of file From 7bcd1ae5f8bdd8cd333f2096bef4a16d0ff20eef Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:09:59 -0700 Subject: [PATCH 39/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 7635a6185b..ffe221e0e8 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -107,7 +107,7 @@ Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. 2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software updates management. -See [Device Registration Overview](../deploy/windows-autopatch-device-registration-overview.md) for more details. +For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md). ## Steps to register devices 
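Review bot: In the `@@ -27,44 +27,69 @@` hunk of windows-autopatch-update-management.md, the rewritten NOTE under "Moving devices in between deployment rings" still says the **Ring assigned by** column changes to **Pending** "in Step 5", but in the numbered list that change happens in step 6 (step 5 only opens the fly-in). Update the reference to step 6, and move the closing bold marker in `**Ring assigned by column**` so that only the column name is bold. In the same hunk, "so that the service have the proper representation" should read "has".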
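Review bot: In the `@@ -107,7 +107,7 @@` hunk of windows-autopatch-register-devices.md, the numbered list just above the changed sentence is not parallel: item 1 reads "Makes a record of devices in the service." and item 2 reads "Assign devices to the ...". Since this hunk already edits the section, change item 2 to "Assigns devices ..." so both items complete the lead-in "Registering your devices with Windows Autopatch does the following".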
@@ -119,11 +119,11 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Windows Autopatch** from the left navigation menu. 3. Select **Devices**. -4. Select either the **Ready** or the **Not ready** tab, then click on the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both Ready and Not ready tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs. Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. From 72d02f12dd522d6a190ff395d8f103264dab7e6e Mon Sep 17 00:00:00 2001 
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:10:29 -0700 Subject: [PATCH 40/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index ffe221e0e8..3e9c580eab 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -18,7 +18,7 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev ## Before you begin -Windows Autopatch can take over software update management control of devices that meet software-based pre-requisittes as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: +Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) - [Windows feature updates](../operate/windows-autopatch-fu-overview.md) From 5f95b79e4267daaf7085bfce4f64a01c85210b0d Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:12:22 -0700 Subject: [PATCH 41/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 3e9c580eab..8882798bf0 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -111,7 +111,7 @@ For more information, see [Device registration overview](../deploy/windows-autop ## Steps to register devices -Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. See [Windows Autopatch on WIndows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads) for details. +Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on WIndows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. **To register devices with Windows Autopatch:** 
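Review bot: The added line keeps the typo "WIndows" in the link text `[Windows Autopatch on WIndows 365 Enterprise Workloads]`; it should read "Windows 365". The anchor `#windows-autopatch-on-windows-365-enterprise-workloads` is already lowercase, so only the visible text needs changing. In the unchanged sentence that follows, "Azure group" should be "Azure AD group" to match the rest of the paragraph.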
@@ -147,8 +147,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W 1. Assign your policy accordingly and select **Next**. 1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. -See [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy) for more information. - +For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). ### Contact support for device registration-related incidents Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents. From a43223bdb1a463ce9509227fc07d11139b49f1be Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:16:18 -0700 Subject: [PATCH 42/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 8882798bf0..d9c1c1b737 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -111,7 +111,7 @@ For more information, see [Device registration overview](../deploy/windows-autop ## Steps to register devices -Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on WIndows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). +Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. **To register devices with Windows Autopatch:** From 7087f64faccad2a8f988b5afcb2dc184f3c9efde Mon Sep 17 00:00:00 2001 
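Review bot: The comma added after "Azure AD device ID" in the `@@ -111,7 +111,7 @@` hunk above separates the subject ("Any device ... that contains an Azure AD device ID") from its verb ("can be added") and should be dropped. The "WIndows" to "Windows" correction in the link text on the same line is fine as is.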
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:16:59 -0700 Subject: [PATCH 43/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index d9c1c1b737..b39a0022a6 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -105,7 +105,7 @@ For more information, see [Azure AD built-in roles](/azure/active-directory/role Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. -2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software updates management. +2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software update management. For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md). From aa0bc31fd3445b60c92c0975841f3bbe32fcea38 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 20:35:05 -0700 Subject: [PATCH 44/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index b39a0022a6..61a5e35dfe 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 08/05/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to From a4b05ba7654e076d0935000a8dd646a75b8b3294 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 20:48:56 -0700 Subject: [PATCH 45/77] Update windows-autopatch-update-management.md Reviewed. --- .../windows-autopatch-update-management.md | 48 ++++++++++--------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index ca4f999c9d..983a41a940 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -1,7 +1,7 @@ --- -title: Update management +title: Software update management description: This article provides an overview of how updates are handled in Autopatch -ms.date: 08/05/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: overview @@ -12,7 +12,7 @@ manager: dougeby msreviewer: andredm7 --- -# Software updates management +# Software update management Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf. 
@@ -31,21 +31,19 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenant.md), Windows Autopatch creates four Azure AD assigned groups that are used to segment devices into its deployment rings: -1. **Modern Workplace Devices-Windows Autopatch-Test** - 1. Deployment ring for testing update deployments prior production rollout. -2. **Modern Workplace Devices-Windows Autopatch-First** - 1. First production deployment ring for early adopters. -3. **Modern Workplace Devices-Windows Autopatch-Fast** - 1. Fast deployment ring for quick rollout and adoption. -4. **Modern Workplace Devices-Windows Autopatch-Broad** - 1. Final deployment ring for broad rollout into the organization. +| Ring | Description | +| ----- | ----- | +| **Modern Workplace Devices-Windows Autopatch-Test** | Deployment ring for testing update deployments prior production rollout.| +| **Modern Workplace Devices-Windows Autopatch-First** | First production deployment ring for early adopters.| +| **Modern Workplace Devices-Windows Autopatch-Fast** | Fast deployment ring for quick rollout and adoption. | +| **Modern Workplace Devices-Windows Autopatch-Broad** | Final deployment ring for broad rollout into the organization. | Each deployment ring has a different set of update deployment policies to control the updates rollout. > [!IMPORTANT] -> Windows Autopatch device registration does not assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent having mission critical devices or devices that are used by executives in the organization from receiving early software update deployments. +> Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). 
This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. -Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service have the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. +Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. > [!NOTE] > Windows Autopatch deployment rings only apply to Windows quality updates. Additionally, you can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service. 
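Review bot: In the new ring table, the Test row reads "testing update deployments prior production rollout"; the "to" is missing ("prior to production rollout"), carried over from the list this table replaces. The reworded IMPORTANT note is also hard to parse: "prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments" joins two different constructions. Something like "prevent business-critical devices, or devices used by executives, from receiving early software update deployments" says the same thing in one clause.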
@@ -58,16 +56,18 @@ The Windows Autopatch deployment ring calculation happens during the [device reg - If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. -| Deployment ring | Default device balancing percentage | Description +| Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:

                            • **0–500** devices: minimum **one** device.
                            • **500–5000** devices: minimum **five** devices.
                            • **5000+** devices: minimum **50** devices.
                            Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
                            • **0–500** devices: minimum **one** device.
                            • **500–5000** devices: minimum **five** devices.
                            • **5000+** devices: minimum **50** devices.
                            Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | **1%** | The First ring is the first group of production users to receive a change.

                            This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

                            Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

                            The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

                            | | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| ## Moving devices in between deployment rings -If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab: +If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab. + +**To move devices in between deployment rings:** 1. In Microsoft Endpoint Manager, select **Devices** in the left pane. 2. In the **Windows Autopatch** section, select **Devices**. 
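Review bot: The "Default device balancing percentage" column lists First as **1%** and Fast as **9%**, which covers only the >200-device case from the bullets above the table; for tenants with ≤ 200 devices those bullets give 5% and 15%, and the Broad row already shows "Either **80%** or **90%**". Show both values for First and Fast as well, or state the tenant-size condition in the column. Two smaller points in the same table: the Test ring ranges overlap at their boundaries (**0–500**, **500–5000**, **5000+**), so a 500-device tenant matches two rows, and the Broad row says "an software update deployment".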
@@ -83,13 +83,17 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad ## Automated deployment ring remediation functions -Windows Autopatch monitors device membership in its deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**) to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. -These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process or in case an issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). +Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: -There are two automated deployment ring remediation functions, they work as follows: +- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or +- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). -- **Check Device Deployment Ring Membership:** Every hour, Windows Autopatch checks to see if its managed devices are not part of one of the deployment rings. 
When for some reason, a device is not part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**). -- **Multi-deployment ring device remediator:** Every hour, Windows Autopatch checks to see if its managed devices are part of multiple deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**). When for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring. +There are two automated deployment ring remediation functions: + +| Function | Description | +| ----- | ----- | +| **Check Device Deployment Ring Membership** | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If, for some reason, a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). | +| **Multi-deployment ring device remediator:**| Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). If, for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring.| > [!IMPORTANT] -> Windows Autopatch automated deployment ring functions do not assign/remove devices to/from its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). \ No newline at end of file +> Windows Autopatch automated deployment ring functions doesn't assign or remove devices to or from the **Modern Workplace Devices-Windows Autopatch-Test** ring. 
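Review bot: In the rewritten [!IMPORTANT] note, "automated deployment ring functions doesn't assign or remove" has a subject-verb mismatch; the plural subject needs "don't". In the new table, the second row's name keeps the colon inside the bold ("**Multi-deployment ring device remediator:**") while the first row has none, so one of the two should change. Two phrases were carried over from the old text unchanged and are worth fixing in the same pass: "getting a deployment rings assigned" (should be "a deployment ring assigned") and "randomly removes device of one or more deployment rings" (should be "removes the device from one or more deployment rings").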
From 2edc2aae659d6088babeda5d468b0280ceb2727b Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 19:53:43 -0700 Subject: [PATCH 46/77] Update windows-autopatch-microsoft-365-apps-enterprise.md Fixing broken link. --- .../windows-autopatch-microsoft-365-apps-enterprise.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 8f286647f4..ddefb5977c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 Apps for enterprise description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual 
@@ -88,7 +88,7 @@ Since quality updates are bundled together into a single release in the [Monthly A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. -However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type. +However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload. ## Incidents and outages From 32cad8f28805da1542b526280d8eadf52cb76a35 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 19:55:26 -0700 Subject: [PATCH 47/77] Update windows-autopatch-wqu-overview.md Fixing broken link. --- .../operate/windows-autopatch-wqu-overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index e58e36cbfd..c7c96c2575 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md 
@@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -37,7 +37,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. -To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update ring to control the rollout. There are three primary policies that are used to control Windows quality updates: +To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates: | Policy | Description | | ----- | ----- | 
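Review bot: The added sentence introduces the term "update deployment ring" ("policies to each update deployment ring to control the rollout"), which doesn't match the rest of the change: the next hunk keeps "across update rings" in its added line and links to "Windows Autopatch deployment rings". Suggest plain "deployment ring" here and the same wording in the following paragraph so the page uses one term. The commit message says only "Fixing broken link", so the terminology change should be mentioned there as well.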
@@ -48,7 +48,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s > [!IMPORTANT] > Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective). -Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Update rings](../operate/windows-autopatch-update-management.md#update-rings). +Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings). :::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline"::: From 48431f0f1ffed90af3bc486422e73c5fac76d16c Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 19:56:57 -0700 Subject: [PATCH 48/77] Update windows-autopatch-faq.yml Fixing broken link. --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 29d2234dde..e31bd34de9 100644 
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -96,9 +96,9 @@ sections: - question: Can you customize the scheduling of an update rollout to only install on certain days and times? answer: | No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - - question: Does Autopatch support include and exclude groups, or dynamic groups to define ring membership? + - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings). + Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. From 03dd00bf5b2f1227f5dc17172409fa7a14d650b8 Mon Sep 17 00:00:00 2001 
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 19:57:14 -0700 Subject: [PATCH 49/77] Update windows-autopatch-faq.yml Updated date. --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index e31bd34de9..ef94430a67 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: w11 ms.topic: faq - ms.date: 07/06/2022 + ms.date: 08/08/2022 audience: itpro ms.localizationpriority: medium manager: dougeby From 32cea86a4922cea7bcdebeb12e2e1a86a8bce323 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 20:05:51 -0700 Subject: [PATCH 50/77] Update windows-autopatch-faq.yml Fixed link. --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index ef94430a67..54b36ea6ce 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml 
@@ -98,7 +98,7 @@ sections: No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-rings). + Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. From 5cb7010bb258c28ab1eb78b8d3cc94f614072339 Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Mon, 2 May 2022 18:33:00 +0530 Subject: [PATCH 51/77] Acrolinx enhancement --- ...ystem-image-using-configuration-manager.md | 6 +- ...-windows-pe-using-configuration-manager.md | 16 +-- ...e-boot-image-with-configuration-manager.md | 12 +- ...ence-with-configuration-manager-and-mdt.md | 16 +-- ...-windows-10-using-configuration-manager.md | 13 +- ...-10-using-pxe-and-configuration-manager.md | 19 +-- ...0-deployment-with-configuration-manager.md | 18 +-- ...f-windows-10-with-configuration-manager.md | 74 +++++----- ...-windows-10-using-configuration-manager.md | 12 +- ...-windows-10-using-configuration-manager.md | 37 ++--- ...o-windows-10-with-configuration-manager.md | 18 +-- ...d-environment-for-windows-10-deployment.md | 17 +-- .../configure-mdt-deployment-share-rules.md | 6 +- .../configure-mdt-settings.md | 7 +- .../create-a-windows-10-reference-image.md | 131 +++++++++--------- .../deploy-a-windows-10-image-using-mdt.md | 99 +++++++------ ...d-with-the-microsoft-deployment-toolkit.md | 39 +++--- 17 files changed, 272 insertions(+), 268 deletions(-) diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index 1e4ef75b50..af75531621 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md 
@@ -21,8 +21,8 @@ Operating system images are typically the production image used for deployment t ## Infrastructure -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
@@ -46,7 +46,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is 5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, click **Next** twice, and then click **Close**. 6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. 7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**. -8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. ![figure 18.](../images/fig18-distwindows.png) diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 4dad48dc9d..1d57288f6f 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md 
@@ -17,10 +17,10 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. +In this topic, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. 
For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -29,9 +29,9 @@ For the purposes of this guide, we will use one server computer: CM01. This section will show you how to import some network and storage drivers for Windows PE. >[!NOTE] ->Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. +>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. -This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. +This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. ![Drivers.](../images/cm01-drivers.png) 
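Review bot: In the [!NOTE], the contraction pass changes "unless you have an issue" to "unless you've an issue", which contracts "have" where it is the main verb and reads as non-standard; keep "you have an issue". The same note leaves "assuming that you are using" uncontracted, so the hunk is also inconsistent with the "you'll", "it's" and "we'll" changes earlier in this file. "This section assumes you've downloaded some drivers" is fine, since "have" is an auxiliary there.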
@@ -58,7 +58,7 @@ On **CM01**: This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://hp.com/go/clientmanagement). -For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. +For the purposes of this section, we assume that you've downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. ![Drivers in Windows.](../images/cm01-drivers-windows.png) @@ -81,9 +81,9 @@ On **CM01**: * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w >[!NOTE] - >The package path does not yet exist, so you have to type it in. The wizard will create the new package using the path you specify. + >The package path does not yet exist, so you've to type it in. The wizard will create the new package using the path you specify. -5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**. +5. On the **Select drivers to include in the boot image** page, don't select anything, and click **Next** twice. After the package has been created, click **Close**. >[!NOTE] >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index e925ac8f45..fb7aae6b8e 100644 
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md 
@@ -20,16 +20,16 @@ ms.custom: seo-marvel-apr2020 In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. - The boot image that is created is based on the version of ADK that is installed. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Add DaRT 10 files and prepare to brand the boot image -The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image. 
+The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image. -We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. +We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. On **CM01**: @@ -42,7 +42,7 @@ On **CM01**: ## Create a boot image for Configuration Manager using the MDT wizard -By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. +By using the MDT wizard to create the boot image in Configuration Manager, you gain more options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. On **CM01**: 
@@ -65,7 +65,7 @@ On **CM01**: 6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**. 7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. 8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. -9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: +9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)
                            ![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png) diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index 260b79eadd..f846694f35 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md 
@@ -16,10 +16,10 @@ ms.topic: article - Windows 10 -In this article, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. +In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly. @@ -93,9 +93,9 @@ On **CM01**: Add an application to the Configuration Manager task sequence >[!NOTE] - >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There is also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. + >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. -9. In the **State Restore** group, after the **Set Status 5** action, verify there is a **User State \ Request State Store** action with the following settings: +9. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: * Request state storage location to: Restore state from another computer * If computer account fails to connect to state store, use the Network Access account: selected * Options: Continue on error 
@@ -103,7 +103,7 @@ On **CM01**: * Task Sequence Variable * USMTLOCAL not equals True -10. In the **State Restore** group, after the **Restore User State** action, verify there is a **Release State Store** action with the following settings: +10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: * Options: Continue on error * Options / Condition: * Task Sequence Variable @@ -113,14 +113,14 @@ On **CM01**: ## Organize your packages (optional) -If desired, you can create a folder structure for packages. This is purely for organizational purposes and is useful if you need to manage a large number of packages. +If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. To create a folder for packages: On **CM01**: 1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. -2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This will create the Root \ OSD folder structure. +2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. 3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. 4. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**. diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index caae9de1b6..102b3ae2d6 100644 
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Create an app to deploy with Windows 10 using Configuration Manager -description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. +description: Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. +ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.reviewer: manager: dougeby ms.author: aaroncz @@ -19,8 +20,8 @@ ms.topic: article Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. >[!NOTE] >The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. 
@@ -29,9 +30,9 @@ For the purposes of this guide, we will use one server computer: CM01. On **CM01**: -1. Create the **D:\Setup** folder if it does not already exist. +1. Create the **D:\Setup** folder if it doesn't already exist. 1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader. -2. Extract the .exe file that you downloaded to an .msi. The source folder will differ depending on where you downloaded the file. See the following example: +2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example: ```powershell Set-Location C:\Users\administrator.CONTOSO\Downloads @@ -64,7 +65,7 @@ On **CM01**: Add the "OSD Install" suffix to the application name -11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this is another place to view properties, you can also right-click and select properties). +11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). 12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**. Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). 
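Review bot: in the @@ -64,7 +65,7 @@ hunk, step 11's parenthetical now reads "this path is another place to view properties", but "path" has no referent, since the sentence is describing the **Properties** button on the ribbon, and the comma splice is still there. Suggest rewording the parenthetical to "(you can also right-click the application and select **Properties**)".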
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index 55d9928a01..253e63190e 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) -description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. +description: In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. +ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa manager: dougeby ms.author: aaroncz ms.prod: w10 
@@ -16,9 +17,9 @@ ms.collection: highpri - Windows 10 -In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. +In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. -This topic assumes that you have completed the following prerequisite procedures: +This topic assumes that you've completed the following prerequisite procedures: - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) 
@@ -27,10 +28,10 @@ This topic assumes that you have completed the following prerequisite procedures - [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) - [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) -For the purposes of this guide, we will use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). +For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. - - CM01 is also running WDS which will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. + - CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. - PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network. >[!NOTE] 
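Review bot: in the CM01 sub-bullet of this hunk, changing "which" to "that" in "CM01 is also running WDS that will be required to start PC0001 via PXE" makes the clause restrictive, as if there were several WDS instances to choose from, which sits oddly next to the note on the same line that only CM01 should run WDS. Suggest "CM01 is also running WDS, which is required to start PC0001 via PXE."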
@@ -38,7 +39,7 @@ For the purposes of this guide, we will use a minimum of two server computers (D All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This connection isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!NOTE] >No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. 
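Review bot: "This connection isn't required" in the added subnet sentence contradicts the rest of that sentence, which goes on to say each server and client computer must be able to connect to each other. What is optional is the shared subnet, so a noun such as "This configuration isn't required" would keep the meaning of the original "This is not required".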
@@ -50,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet. 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. 4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. 5. The operating system deployment will take several minutes to complete. -6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following: +6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps: * Install the Windows 10 operating system. * Install the Configuration Manager client and the client hotfix. @@ -64,7 +65,7 @@ All server and client computers referenced in this guide are on the same subnet. Monitoring the deployment with MDT. -7. When the deployment is finished you will have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus. +7. When the deployment is finished you'll have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus. Examples are provided below of various stages of deployment: 
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 15ccee4085..3984e65a9b 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -19,8 +19,8 @@ ms.custom: seo-marvel-apr2020 This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
@@ -45,11 +45,11 @@ On **CM01**: ## Configure the Logs folder -The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we will add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. +The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we'll add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. On **CM01**: -1. To configure NTFS permissions using icacls.exe, type the following at an elevated Windows PowerShell prompt: +1. To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt: ``` icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' 
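Review bot: step 1 of this hunk has the reader change an ACL from an elevated prompt, but neither the reworded lead-in nor the surrounding context says what '"CM_NAA":(OI)(CI)(M)' grants. Since the line is being touched anyway, add a sentence stating that it gives the Network Access Account Modify rights on D:\Logs, inherited by subfolders and files, and tag the fence as powershell, since the step says the command is typed at a Windows PowerShell prompt.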
@@ -82,17 +82,17 @@ On **CM01**: 3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Click **OK** in the popup dialog box. >[!NOTE] - >Although you have not yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. + >Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. ## Distribute content to the CM01 distribution portal -In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point. +In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that haven't yet been distributed to the CM01 distribution point. On **CM01**: 1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. 2. In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. -3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully. +3. 
Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. ![Content status.](../images/cm01-content-status1.png) @@ -100,7 +100,7 @@ On **CM01**: ## Create a deployment for the task sequence -This sections provides steps to help you create a deployment for the task sequence. +This section provides steps to help you create a deployment for the task sequence. On **CM01**: @@ -126,7 +126,7 @@ On **CM01**: ## Configure Configuration Manager to prompt for the computer name during deployment (optional) -You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). +You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more information on how to do this step, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names. diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 840f69546c..785a68cc3d 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
@@ -20,7 +20,7 @@ This article walks you through the Zero Touch Installation (ZTI) process of Wind ## Prerequisites -In this article, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: +In this topic, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: - Configuration Manager current branch + all security and critical updates are installed. 
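Review bot: the added Prerequisites sentence switches to "In this topic", while the hunk header context for the same file still reads "This article walks you through" and the create-a-task-sequence file in this patch uses "In this article, you'll learn". Suggest keeping "In this article" here so the file does not mix both terms.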
@@ -32,19 +32,18 @@ In this article, you'll use [components](#components-of-configuration-manager-op - The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured. - A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure). - The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. -- The [CMTrace tool](/mem/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. - - > [!NOTE] - > CMTrace is automatically installed with the current branch of Configuration Manager. +- The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. + > [!NOTE] + > CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr, it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this separate installation is no longer needed. Configuration Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool. For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. -- CM01 is a domain member server and Configuration Manager software distribution point. 
In this guide CM01 is a standalone primary site server. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member. All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This configuration isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ### Domain credentials 
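Review bot: in the @@ -32,19 +32,18 @@ hunk, the CMTrace bullet's link changes from /mem/configmgr/core/support/cmtrace to /configmgr/core/support/cmtrace, but the reporting services link a few bullets above it in the same hunk still uses the /mem/configmgr/ prefix, so the file ends up with two link roots. Confirm the new path resolves or keep /mem/configmgr/. In the same hunk, "This interrelation isn't required" is harder to read than the "This configuration isn't required" it replaces.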
@@ -57,13 +56,13 @@ The following generic credentials are used in this guide. You should replace the ## Create the OU structure >[!NOTE] ->If you have already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. +>If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. On **DC01**: To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell. -To use Windows PowerShell, copy the following commands into a text file and save it as **C:\Setup\Scripts\ou.ps1**. Be sure that you're viewing file extensions and that you save the file with the `.ps1` extension. +To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Ensure that you're viewing file extensions and that you save the file with the .ps1 extension. ```powershell $oulist = Import-csv -Path c:\oulist.txt 
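Review bot: the rewritten save instruction in this hunk drops the bold on C:\Setup\Scripts\ou.ps1 and the code formatting on `.ps1`, so the path and the extension no longer stand out from the sentence, and the unformatted path differs from the other paths in this file. Suggest keeping the "Be sure" to "Ensure" wording change but restoring the formatting the removed line had.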
@@ -123,11 +122,11 @@ On **DC01**: ## Configure Active Directory permissions -In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://github.com/DeploymentArtist/SWP1/tree/master/Scripts) and copied it to C:\\Setup\\Scripts on DC01. +In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. On **DC01**: -1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt: +1. Sign in as contoso\administrator and enter the following commands at an elevated Windows PowerShell prompt: ```powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force @@ -135,7 +134,7 @@ On **DC01**: .\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` -2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted: +2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted: * Scope: This object and all descendant objects * Create Computer objects 
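Review bot: in the @@ -123,11 +122,11 @@ hunk, the Set-OUPermissions.ps1 link changes from a named GitHub repository path to an opaque go.microsoft.com/fwlink redirect, and the very next step has the reader run that script at an elevated prompt as contoso\administrator after Set-ExecutionPolicy RemoteSigned -Force. A reader can no longer see from the text where the script comes from. Suggest keeping the direct link, or stating the redirect's destination next to it, and adding a sentence asking readers to review the script before running it on the domain controller.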
@@ -174,7 +173,7 @@ To support the packages you create in this article, the following folder structu You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure: ->We will also create the D:\Logs folder here which will be used later to support server-side logging. +>We'll also create the D:\Logs folder here which will be used later to support server-side logging. ```powershell New-Item -ItemType Directory -Path "D:\Sources" @@ -196,7 +195,7 @@ New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE ## Integrate Configuration Manager with MDT -To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you have already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings. +To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you've already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings. On **CM01**: 
@@ -264,7 +263,7 @@ On **CM01**: Configure the CM01 distribution point for PXE. >[!NOTE] - >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). + >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). 4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines. @@ -272,7 +271,7 @@ On **CM01**: The distmgr.log displays a successful configuration of PXE on the distribution point. -5. Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. +5. Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. ![figure 14.](../images/mdt-06-fig15.png) 
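Review bot: in step 5 of the @@ -272,7 +271,7 @@ hunk, "Verify that you've seven files" contracts "have" where it is the main verb rather than an auxiliary, which reads as an error. Keep "Verify that you have seven files"; the contraction only works in cases like "you've completed".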
@@ -284,18 +283,17 @@ Next, see [Create a custom Windows PE boot image with Configuration Manager](cre ## Components of Configuration Manager operating system deployment -Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are other components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. +Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. - **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. - **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. - **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. - **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. - **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. 
-- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. - **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). - **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. -- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides extra task sequence templates to Configuration Manager. - +- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. > [!NOTE] > The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10. 
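Review bot: the blank line between the **Task sequences** bullet and the `> [!NOTE]` block is removed here, so the alert now sits directly against the last list item; restore the empty line so the note is unambiguously a separate block and not dependent on how the renderer closes the list. Separately, "there are other components" becoming "there are more components" and "extra task sequence templates" becoming "more task sequence templates" shift the meaning slightly (additional kinds versus a larger number); confirm that is intended.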
@@ -303,12 +301,17 @@ Operating system deployment with Configuration Manager is part of the normal sof As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. +>[!NOTE] +>MDT installation requires the following: +>- The Windows ADK for Windows 10 (installed in the previous procedure) +>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) +>- Microsoft .NET Framework + ### MDT enables dynamic deployment -When MDT is integrated with Configuration Manager, the task sequence takes other instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have a script or web services provide the settings used. +When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: - - The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. ``` syntax 
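Review bot: the new NOTE listing MDT installation requirements is placed in the conceptual section on MDT enhancements, and its first bullet says the Windows ADK was "installed in the previous procedure", but no procedure precedes it in this part of the article; move the note next to the MDT install steps or drop the back-reference. The .NET Framework bullet gives no version, unlike the PowerShell bullet. In the paragraph below, replacing "a script" with "Microsoft Visual Basic Scripting Edition (VBScripts)" narrows the statement to one scripting language and reads awkwardly; "a VBScript script" or the original wording would be clearer. The blank line before the "- The following settings instruct" list item is also removed and should stay.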
@@ -349,7 +352,7 @@ The folder that contains the rules, a few scripts from MDT, and a custom script ### MDT adds real-time monitoring -With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. +With MDT integration, you can follow your deployments in real time, and if you've access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. ![figure 4.](../images/mdt-06-fig04.png) 
@@ -370,25 +373,18 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: - You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. -- Configuration Manager performs deployment in the LocalSystem context. This means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. +- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. - The Configuration Manager task sequence doesn't suppress user interface interaction. - MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. - MDT Lite Touch doesn't require any infrastructure and is easy to delegate. 
-## Related articles - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) +## Related topics +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
                            +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
                            +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
                            +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
                            +[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
                            +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
                            +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
                            [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 117dedd018..41822baf59 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md 
@@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh is not the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refesh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). +This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps: 
@@ -31,8 +31,8 @@ A computer refresh with Configuration Manager works the same as it does with MDT An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and one client computer (PC0003). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10. >[!NOTE] 
@@ -40,7 +40,7 @@ For the purposes of this article, we will use one server computer (CM01) and one All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!IMPORTANT] >This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. 
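Review bot: "This interrelation isn't required" is harder to read than the sentence it replaces, because "interrelation" does not clearly point back to the computers being on the same subnet. Suggest "Being on the same subnet isn't required, but each server and client computer must be able to connect to each other". The identical replacement is made in the replace and upgrade articles later in this patch and should get the same wording.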
@@ -76,7 +76,7 @@ On **CM01**: Use the default settings to complete the remaining wizard pages and click **Close**. -2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. +2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. >[!NOTE] >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. @@ -94,7 +94,7 @@ Using the Configuration Manager console, in the Software Library workspace, expa - Make available to the following: Configuration Manager clients, media and PXE >[!NOTE] - >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + >It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. - Scheduling - <default> diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 242bcd70ee..4d0bcca63b 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md 
@@ -1,6 +1,7 @@ --- title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. +description: In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. +ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 ms.reviewer: manager: dougeby ms.author: aaroncz 
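Review bot: the added ms.assetid line in the front matter is a metadata change unrelated to the grammar fix on the description line, and nothing in the commit subject ("Update hello-faq.yml") explains it. Confirm the GUID is the one assigned to this article and is not reused elsewhere, and either mention the addition in the commit message or split it out. The description fix ("how to replacing" to "how to replace") is correct.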
@@ -17,16 +18,16 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the device, you have to run the backup job separately from the deployment of Windows 10. +In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10. -In this topic, you will create a backup-only task sequence that you run on PC0004 (the device you are replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). +In this topic, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). ## Infrastructure An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and two client computers (PC0004, PC0006). -- CM01 is a domain member server and Configuration Manager software distribution point. 
In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced. - PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004. 
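Review bot: the rewritten second paragraph still says "restore this backup of PC0004 onto PC006", while every other reference in the article, including the infrastructure list in this same hunk, names the machine PC0006. Since the line is being touched anyway, correct it to PC0006 so readers do not look for a nonexistent device name.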
@@ -36,7 +37,7 @@ For the purposes of this article, we will use one server computer (CM01) and two All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!IMPORTANT] >This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. 
@@ -70,15 +71,15 @@ The backup-only task sequence (named Replace Task Sequence). ## Associate the new device with the old computer -This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. +This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS: -1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Do not attempt to PXE boot PC0006 yet. +1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. On **CM01**: -2. Using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**. +2. When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**. 3. On the **Select Source** page, select **Import single computer** and click **Next**. 4. On the **Single Computer** page, use the following settings and then click **Next**: 
@@ -95,14 +96,14 @@ On **CM01**: 7. On the **Choose additional collections** page, click **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then click **Next**. 8. On the **Summary** page, click **Next**, and then click **Close**. 9. Select the **User State Migration** node and review the computer association in the right hand pane. -10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not. -11. Review the **Install Windows 10 Enterprise x64** collection. Do not continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. +10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. +11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. ## Create a device collection and add the PC0004 computer On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: * General * Name: USMT Backup (Replace) 
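Review bot: the edited step 1 under "Create a device collection and add the PC0004 computer" still names the "Asset and Compliance workspace", whereas the earlier import step in this file uses "Assets and Compliance workspace". Fix the workspace name on this line while it is being changed, and apply the same correction to the matching step in the upgrade article. In step 10, dropping "Note that" is fine, but "a user state store location hasn't" ends on a bare contraction; "has not" or "hasn't been assigned" reads better.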
@@ -117,7 +118,7 @@ On **CM01**: Use default settings for the remaining wizard pages, then click **Close**. -2. Review the **USMT Backup (Replace)** collection. Do not continue until you see the **PC0004** computer in the collection. +2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. ## Create a new deployment @@ -145,7 +146,7 @@ This section assumes that you have a computer named PC0004 with the Configuratio On **PC0004**: -1. If it is not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). +1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). 2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears. >[!NOTE] @@ -161,8 +162,8 @@ Capturing the user state On **CM01**: -6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a sub-folder was created containing the USMT backup. -7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. +6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. +7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. >[!NOTE] >It may take a few minutes for the user state store location to be populated. 
@@ -176,7 +177,7 @@ On **PC0006**: * Password: pass@word1 * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM -2. The setup now starts and does the following: +2. The setup now starts and does the following steps: * Installs the Windows 10 operating system * Installs the Configuration Manager client @@ -184,7 +185,7 @@ On **PC0006**: * Installs the applications * Restores the PC0004 backup -When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: +When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: ![User data and setting restored example 1.](../images/pc0006a.png)
                            ![User data and setting restored example 2.](../images/pc0006b.png)
                            diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index dd7097e837..5d6a936a26 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md 
@@ -27,28 +27,28 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and one client computers (PC0004). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10. All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. 
## Add an OS upgrade package -Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages). +Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it doesn't use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages). On **CM01**: 1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and click **Add Operating System Upgrade Package**. -2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we have extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. -3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we have chosen **Windows 10 Enterprise**. +2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. +3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**. 4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then click **Next**. 5. 
Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**. 6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. 7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**. -8. View the content status for the Windows 10 x64 RTM upgrade package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. ## Create an in-place upgrade task sequence @@ -77,7 +77,7 @@ After you create the upgrade task sequence, you can create a collection to test On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General - Name: Windows 10 x64 in-place upgrade - Limited Collection: All Systems @@ -89,7 +89,7 @@ On **CM01**: - Select Resources - Select PC0004 -2. Review the Windows 10 x64 in-place upgrade collection. Do not continue until you see PC0004 in the collection. +2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. ## Deploy the Windows 10 upgrade 
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 3300697ddc..619447fac2 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -1,6 +1,7 @@ --- title: Build a distributed environment for Windows 10 deployment (Windows 10) -description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. + [!NOTE] > Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. 
@@ -40,7 +41,7 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes ### Why DFS-R is a better option -DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. +DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. ## Set up Distributed File System Replication (DFS-R) for replication 
@@ -113,7 +114,7 @@ When you have multiple deployment servers sharing the same content, you need to On **MDT01**: -1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use. +1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. ```ini [Settings] @@ -152,7 +153,7 @@ On **MDT01**: ## Replicate the content - Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication. + Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication. ### Create the replication group @@ -247,7 +248,7 @@ Now you should have a solution ready for deploying the Windows 10 client to the 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image 2. Computer Name: PC0006 3. Applications: Select the Install - Adobe Reader -4. Setup will now start and perform the following: +4. Setup will now start and perform the following steps: 1. Install the Windows 10 Enterprise operating system. 2. Install applications. 3. Update the operating system using your local Windows Server Update Services (WSUS) server. diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 078bb06ca8..fe96dcd42b 100644 
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -12,7 +12,7 @@ ms.topic: article # Configure MDT deployment share rules -In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. +In this topic, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. ## Assign settings @@ -29,7 +29,7 @@ Before adding the more advanced components like scripts, databases, and web serv ### Set computer name by MAC Address -If you have a small test environment, or simply want to assign settings to a very limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. +If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. ``` [Settings] 
@@ -90,7 +90,7 @@ In the preceding sample, you still configure the rules to set the computer name ### Add laptops to a different organizational unit (OU) in Active Directory -In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you are deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType is not a reserved word; rather, it is the name of the section to read. +In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read. ``` [Settings] diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index c4bbe93743..8c0ba8179d 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -1,6 +1,7 @@ --- title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. +ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 ms.reviewer: manager: dougeby ms.author: aaroncz 
@@ -12,8 +13,8 @@ ms.topic: article # Configure MDT settings -One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). +One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. +For the purposes of this topic, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). ![figure 1.](../images/mdt-09-fig01.png) 
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index e9d1c48603..1f482f177d 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md 
@@ -15,12 +15,12 @@ ms.topic: article **Applies to** - Windows 10 -Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. +Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you 'll have a Windows 10 reference image that can be used in your deployment solution. >[!NOTE] ->See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide. +>For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). -For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01. +For the purposes of this topic, we'll use three computers: DC01, MDT01, and HV01. - DC01 is a domain controller for the contoso.com domain. - MDT01 is a contoso.com domain member server. - HV01 is a Hyper-V server that will be used to build the reference image. 
@@ -31,22 +31,22 @@ For the purposes of this topic, we will use three computers: DC01, MDT01, and HV ## The reference image -The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following: +The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are: - To reduce development time and can use snapshots to test different configurations quickly. -- To rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related. -- To ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. +- To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related. +- To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. - The image is easy to move between lab, test, and production. ## Set up the MDT build lab deployment share -With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. 
This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. +With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. ### Create the MDT build lab deployment share On **MDT01**: - Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic). -- Start the MDT deployment workbench, and pin this to the taskbar for easy access. +- Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access. - Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. - Use the following settings for the New Deployment Share Wizard: - Deployment share path: **D:\\MDTBuildLab** @@ -70,7 +70,7 @@ In order to read files in the deployment share and write the reference image bac On **MDT01**: -1. Ensure you are signed in as **contoso\\administrator**. +1. Ensure you're signed in as **contoso\\administrator**. 2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: ``` powershell 
@@ -84,7 +84,7 @@ This section will show you how to populate the MDT deployment share with the Win ### Add the Windows 10 installation files -MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. +MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft. >[!NOTE] >Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. @@ -129,9 +129,9 @@ The steps in this section use a strict naming standard for your MDT applications Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. -By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. +By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. -In example sections, you will add the following applications: +In example sections, you 'll add the following applications: - Install - Microsoft Office 365 Pro Plus - x64 - Install - Microsoft Visual C++ Redistributable 2019 - x86 
@@ -146,7 +146,7 @@ Download links: Download all three items in this list to the D:\\Downloads folder on MDT01. -**Note**: For the purposes of this lab, we will leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). +**Note**: For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). >[!NOTE] >All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. 
@@ -157,7 +157,9 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. 2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename. For example, you can use the following configuration.xml file, which provides these configuration settings: - - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition. + - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. + > [!NOTE] + > 64-bit is now the default and recommended edition. - Use the General Availability Channel and get updates directly from the Office CDN on the internet. - Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages. 
@@ -173,27 +175,27 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. ``` - By using these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. + When you use these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. >[!TIP] >You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. - Also see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool) for more information. + For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). 3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder: ![folder.](../images/office-folder.png) - Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet. + Assuming you've named the file "configuration.xml" as shown above, we'll use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. 
This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet. >[!IMPORTANT] - >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. + >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. Additional information -- Microsoft 365 Apps for enterprise is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. +- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). 
That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. -- **Note**: By using installing Office Deployment Tool as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) - - When you are creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. 
+- **Note**: With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) + - When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. ### Connect to the deployment share using Windows PowerShell 
@@ -201,7 +203,7 @@ If you need to add many applications, you can take advantage of the PowerShell s On **MDT01**: -1. Ensure you are signed in as **contoso\\Administrator**. +1. Ensure you're signed in as **contoso\\Administrator**. 2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -213,11 +215,11 @@ On **MDT01**: ### Create the install: Microsoft Office 365 Pro Plus - x64 -In these steps we assume that you have downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. +In these steps, we assume that you've downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -227,7 +229,7 @@ On **MDT01**: Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` - Upon successful installation the following text is displayed: + Upon successful installation, the following text is displayed: ``` VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import 
@@ -246,11 +248,11 @@ On **MDT01**: >[!NOTE] >We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. -In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. +In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -260,7 +262,7 @@ On **MDT01**: Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` - Upon successful installation the following text is displayed: + Upon successful installation, the following text is displayed: ``` VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import 
@@ -275,11 +277,11 @@ On **MDT01**: ### Create the install: Microsoft Visual C++ Redistributable 2019 - x64 -In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. +In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell 
@@ -291,8 +293,8 @@ On **MDT01**: ## Create the reference image task sequence -In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. -After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying. +In order to build and capture your Windows 10 reference image for deployment using MDT, you 'll create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. +After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you're deploying. ### Drivers and the reference image 
@@ -304,18 +306,18 @@ To create a Windows 10 reference image task sequence, the process is as follows On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. +1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: 1. Task sequence ID: REFW10X64-001 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image 3. Task sequence comments: Reference Build 4. Template: Standard Client Task Sequence 5. Select OS: Windows 10 Enterprise x64 RTM Default Image - 6. Specify Product Key: Do not specify a product key at this time + 6. Specify Product Key: Don't specify a product key at this time 7. Full Name: Contoso 8. Organization: Contoso 9. Internet Explorer home page: http://www.contoso.com - 10. Admin Password: Do not specify an Administrator Password at this time + 10. Admin Password: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence 
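Review bot: Step 1 now opens "When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**", which turns a direct instruction into a conditional and no longer matches the other numbered steps in this patch that are left as "Using the Deployment Workbench, ...". Keep the original "Using the Deployment Workbench" opening, or change every such step the same way.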
@@ -338,7 +340,7 @@ On **MDT01**: 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) >[!IMPORTANT] - >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. + >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. ![task sequence.](../images/fig8-cust-tasks.png) 
@@ -355,7 +357,7 @@ On **MDT01**: ### Optional configuration: Add a suspend action -The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. +The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. ![figure 8.](../images/fig8-suspend.png) 
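Review bot: In the suspend-action paragraph, "But sometimes you've a special configuration or application setup" contracts "have" where it is the main verb, which reads wrongly; keep "you have a special configuration" here. The contraction only works where "have" is an auxiliary, as in "you've downloaded".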
@@ -367,20 +369,20 @@ The goal when creating a reference image is of course to automate everything. Bu ### Edit the Unattend.xml file for Windows 10 Enterprise -When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use the Internet Explorer Administration Kit (IEAK). +When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK). >[!WARNING] ->Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. +>Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. >[!NOTE] ->You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. +>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. 
Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing. Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. -2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. +1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. +2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. > [!IMPORTANT] > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: 
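Review bot: The rewritten Unattend.xml paragraph ends "you 'll want to use the Internet Explorer Administration Kit (IEAK)", with a stray space inside the contraction; it should be "you'll want". While this hunk is open, the unchanged IMPORTANT note at its end still has the doubled word in "in in the console output".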
@@ -393,7 +395,8 @@ On **MDT01**: 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - DisableDevTools: true 5. Save the Unattend.xml file, and close Windows SIM. - - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. + > [!NOTE] + > If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. 6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**. ![figure 10.](../images/fig10-unattend.png) @@ -413,7 +416,7 @@ To configure the rules for the MDT Build Lab deployment share: On **MDT01**: 1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. -2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you do not have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: +2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: ``` [Settings] 
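Review bot: In step 2 of the rules hunk (the second hunk above), the rewritten sentence still has a capital letter mid-sentence: "For example, If you don't have a WSUS server". Lower-case it to "For example, if you don't have a WSUS server", since the line is being changed anyway.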
@@ -469,7 +472,7 @@ On **MDT01**: ``` >[!NOTE] - >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. + >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: @@ -486,7 +489,7 @@ On **MDT01**: ### Update the deployment share -After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created. +After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created. 1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. 2. Use the default options for the Update Deployment Share Wizard. 
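Review bot: In the "Update the deployment share" hunk, "This update-process is the one when the Windows PE boot images are created" is harder to read than the sentence it replaces and introduces a hyphenated term used nowhere else in the article. Suggest "The Windows PE boot images are created during this update."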
@@ -496,9 +499,9 @@ After the deployment share has been configured, it needs to be updated. This is ### The rules explained -Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it is time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. +Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. -The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide just enough information for MDT to find the CustomSettings.ini. +The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide enough information for MDT to find the CustomSettings.ini. The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). 
@@ -521,14 +524,14 @@ SkipBDDWelcome=YES ``` So, what are these settings? -- **Priority.** This determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. -- **DeployRoot.** This is the location of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. -- **UserDomain, UserID, and UserPassword.** These values are used for automatic log on to the deployment share. Again, if they are not specified, the wizard prompts you. +- **Priority.** This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. +- **DeployRoot.** This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. +- **UserDomain, UserID, and UserPassword.** These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you. >[!WARNING] >Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. -- **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. +- **SkipBDDWelcome.** Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. >[!NOTE] >All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. 
Most of the panes also require you to actually set one or more values. 
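Review bot: The DeployRoot bullet now reads "This location is of the deployment share", which garbles the original meaning; suggest "This setting is the location of the deployment share", matching the "This setting determines" wording used on the Priority bullet. In the same hunk, "automatic sign in to the deployment share" uses the noun form and should be hyphenated as "automatic sign-in".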
@@ -569,20 +572,20 @@ SkipRoles=YES SkipCapture=NO SkipFinalSummary=YES ``` -- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. +- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. - **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment. -- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image. +- **UserDataLocation.** Controls the settings for user state backup. You don't need to use when building and capturing a reference image. - **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. -- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed. +- **OSInstall.** Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed. - **AdminPassword.** Sets the local Administrator account password. - **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). **Note**: The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. 
You can also run tzutil /l to get a listing of all available time zone names. - **JoinWorkgroup.** Configures Windows to join a workgroup. -- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. +- **HideShell.** Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. - **FinishAction.** Instructs MDT what to do when the task sequence is complete. -- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image. +- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image. - **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. - **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. - **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). 
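Review bot: On the HideShell bullet, "This hide-operation is especially useful" coins a term that appears nowhere else; suggest "Hiding the shell is especially useful for Windows 10 deployments". Two other bullets in this hunk need attention: "if you've multiple sections" should stay "if you have multiple sections", and the UserDataLocation bullet "You don't need to use when building and capturing a reference image" is still missing its object ("use this setting").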
@@ -602,9 +605,9 @@ SkipFinalSummary=YES ## Build the Windows 10 reference image -As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information. +As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements). -Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. +Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. 
@@ -628,7 +631,7 @@ On **HV01**: 4. Start the REFW10X64-001 virtual machine and connect to it. - **Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. + **Note**: Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image 
@@ -640,7 +643,7 @@ On **HV01**: The Windows Deployment Wizard for the Windows 10 reference image. -5. The setup now starts and does the following: +5. The setup now starts and does the following steps: 1. Installs the Windows 10 Enterprise operating system. 2. Installs the added applications, roles, and features. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. @@ -649,7 +652,7 @@ On **HV01**: 6. Captures the installation to a Windows Imaging (WIM) file. 7. Turns off the virtual machine. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ![image.](../images/image-captured.png) 
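Review bot: The closing paragraph of the second hunk above reads "After some time, you 'll have a Windows 10 Enterprise x64 image", with a stray space before the apostrophe; it should be "you'll have". The identical sentence in the hunk that follows carries the same error and needs the same fix.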
@@ -662,9 +665,9 @@ If you [enabled monitoring](#enable-monitoring), you can check the progress of t ![monitoring.](../images/mdt-monitoring.png) -If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. +If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ## Related topics diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 25eddbf4ef..90deeb5238 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
@@ -15,16 +15,16 @@ ms.topic: article **Applies to** - Windows 10 -This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +This topic will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). -We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. +We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. -For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005. +For the purposes of this topic, we'll use four computers: DC01, MDT01, HV01 and PC0005. - DC01 is a domain controller - MDT01 is a domain member server - HV01 is a Hyper-V server -- PC0005 is a blank device to which we will deploy Windows 10 +- PC0005 is a blank device to which we'll deploy Windows 10 MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. 
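Review bot: The rewritten second paragraph still says "allows greater control of on both processes"; drop the stray "on" so it reads "allows greater control of both processes". The line is already being changed for the "We'll" contractions, so the typo should be fixed in the same pass.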
@@ -35,7 +35,7 @@ MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contos ## Step 1: Configure Active Directory permissions -These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. +These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you've The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. On **DC01**: @@ -55,7 +55,7 @@ On **DC01**: .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` - The following is a list of the permissions being granted: + The following list is of the permissions being granted: - Scope: This object and all descendant objects - Create Computer objects @@ -72,7 +72,7 @@ On **DC01**: ## Step 2: Set up the MDT production deployment share -Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. +Next, create a new MDT deployment share. You shouldn't use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. ### Create the MDT production deployment share 
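Review bot: In the Step 1 paragraph, "These steps assume you've The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01" is two sentences fused together; the contraction was applied to text that was already broken. Either complete the first sentence with what the steps assume or remove "These steps assume you've" so the paragraph continues at "The account is used". In the permissions hunk on the same line, "The following list is of the permissions being granted:" reads worse than the line it replaces; suggest "The following permissions are granted:".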
@@ -80,7 +80,7 @@ On **MDT01**: The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: -1. Ensure you are signed on as: contoso\administrator. +1. Ensure you're signed on as: contoso\administrator. 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. @@ -97,7 +97,7 @@ To read files in the deployment share, you need to assign NTFS and SMB permissio On **MDT01**: -1. Ensure you are signed in as **contoso\\administrator**. +1. Ensure you're signed in as **contoso\\administrator**. 2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: ``` powershell 
@@ -107,11 +107,11 @@ On **MDT01**: ## Step 3: Add a custom image -The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. +The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores other components in the Sources\\SxS folder that is outside the image and may be required when installing components. ### Add the Windows 10 Enterprise x64 RTM custom image -In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. +In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. 1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. 2. Right-click the **Windows 10** folder and select **Import Operating System**. 
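Review bot: In the Step 3 paragraph, replacing "which is outside the image" with "that is outside the image" turns a description of the Sources\\SxS folder into a restrictive clause, as if there were several such folders; keep ", which is outside the image". In the same hunk, "so you've a Windows 10 reference image" should stay "so you have a Windows 10 reference image".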
@@ -139,8 +139,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120142_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120142_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. 
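Review bot: Steps 1 and 2 change the installer file name from AcroRdrDC2200120142_en_US.exe to AcroRdrDC2100520060_en_US.exe, which is not a wording edit and replaces the documented file name with one carrying a lower number. Confirm this is intended rather than a stale copy of the file picked up during the edit; if it is not, restore the previous name in both steps. The article fix in step 2 ("a .msi") can stay.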
@@ -175,12 +175,12 @@ For boot images, you need to have storage and network drivers; for the operating ### Create the driver source structure in the file system -The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. +The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. On **MDT01**: > [!IMPORTANT] -> In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. +> In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. 1. Using File Explorer, create the **D:\\drivers** folder. 2. In the **D:\\drivers** folder, create the following folder structure: 
@@ -198,11 +198,11 @@ On **MDT01**: - Surface Laptop > [!NOTE] -> Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. +> Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. ### Create the logical driver structure in MDT -When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. +When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench. 1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. 2. In the **Out-Of-Box Drivers** node, create the following folder structure: 1. WinPE x86 @@ -260,7 +260,7 @@ On **MDT01**: ### Extract and import drivers for the x64 boot image -Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. +Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require more drivers. In this example, you add the latest Intel network drivers to the x64 boot image. On **MDT01**: 
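Review bot: In the @@ -198,11 hunk, "This mimic is done by creating logical folders in the Deployment Workbench" uses "mimic" as a noun and reads worse than the line it replaces. Suggest "You do this by creating logical folders in the Deployment Workbench", which also removes the passive construction.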
@@ -282,7 +282,7 @@ For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retrieve To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). -In this example, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. +In this example, we assume you've downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. On **MDT01**: @@ -292,13 +292,13 @@ On **MDT01**: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** - The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. + The folder you select and all subfolders will be checked for drivers, expanding any .cab files that are present and searching for drivers. ### For the Latitude E7450 For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544). -In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder. +In these steps, we assume you've downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder. On **MDT01**: 
@@ -312,7 +312,7 @@ On **MDT01**: For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html). -In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. +In these steps, we assume you've downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. On **MDT01**: @@ -324,7 +324,7 @@ On **MDT01**: ### For the Microsoft Surface Laptop -For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. +For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps, we assume you've downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. On **MDT01**: @@ -336,7 +336,7 @@ On **MDT01**: ## Step 6: Create the deployment task sequence -This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. +This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You'll then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. ### Create a task sequence for Windows 10 Enterprise 
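Review bot: In the @@ -312,7 hunk, the rewritten sentence still says "drivers for the HP EliteBook 8650w model", while the paragraph above it and the folder path in the same sentence both say 8560w. Since the line is being touched anyway, correct the model number to 8560w so it matches the folder name that the driver import depends on.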
@@ -350,11 +350,11 @@ On **MDT01**: - Task sequence comments: Production Image - Template: Standard Client Task Sequence - Select OS: Windows 10 Enterprise x64 RTM Custom Image - - Specify Product Key: Do not specify a product key at this time + - Specify Product Key: Don't specify a product key at this time - Full Name: Contoso - Organization: Contoso - Internet Explorer home page: `https://www.contoso.com` - - Admin Password: Do not specify an Administrator Password at this time + - Admin Password: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -372,7 +372,7 @@ On **MDT01**: - Install all drivers from the selection profile > [!NOTE] - > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. + > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. 
@@ -386,7 +386,7 @@ On **MDT01**: ## Step 7: Configure the MDT production deployment share -In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work. +In this section, you'll learn how to configure the MDT Build Lab deployment share with the rules required to create a dynamic deployment process. This configuration includes commonly used rules and an explanation of how these rules work. ### Configure the rules @@ -460,7 +460,7 @@ On **MDT01**: > [!NOTE] > - > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + > Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests. 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. 
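Review bot: In the @@ -386,7 hunk, the new opening sentence under "Step 7: Configure the MDT production deployment share" still says "how to configure the MDT Build Lab deployment share", which contradicts the heading. Change it to the MDT Production deployment share while the sentence is open for editing.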
@@ -488,13 +488,13 @@ On **MDT01**: ### The rules explained -The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. +The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. -You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials. +You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials. ### The Bootstrap.ini file -This is the MDT Production Bootstrap.ini: +This file is the MDT Production Bootstrap.ini: ``` [Settings] @@ -510,7 +510,7 @@ SkipBDDWelcome=YES ### The CustomSettings.ini file -This is the CustomSettings.ini file with the new join domain information: +This file is the CustomSettings.ini file with the new join domain information: ``` [Settings] 
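Review bot: The edited paragraph under "The rules explained" still treats removing UserID and UserPassword from Bootstrap.ini as optional and ends with "we're skipping the welcome screen and providing credentials", without saying what that account should be limited to. Suggest adding that the account written into Bootstrap.ini should hold no more than the permission to connect to the deployment share that the paragraph already mentions, or recommending the credential prompt instead. As a style point, "different from those rules for the MDT Build Lab deployment share" and "This file is the CustomSettings.ini file" are clumsier than the lines they replace.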
@@ -557,7 +557,7 @@ Some properties to use in the MDT Production rules file are as follows: - **DomainAdminPassword.** The password for the join domain account. - **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. - **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. -- **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore). +- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore). - **EventService.** Activates logging information to the MDT monitoring web service. > [!NOTE] 
@@ -568,11 +568,11 @@ Some properties to use in the MDT Production rules file are as follows: ### Optional deployment share configuration -If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself. +If your organization has a Microsoft Software Assurance agreement, you also can subscribe to another Microsoft Desktop Optimization Package (MDOP) license (at an extra cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, and troubleshoot Windows itself. ### Add DaRT 10 to the boot images -If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following: +If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps: > [!NOTE] 
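Review bot: Under "Optional deployment share configuration", replacing "the additional Microsoft Desktop Optimization Package (MDOP) license" with "another Microsoft Desktop Optimization Package (MDOP) license" changes the meaning: it now reads as if the organization already holds one MDOP license and can buy a second. Suggest "you can also subscribe to the Microsoft Desktop Optimization Package (MDOP) license (at an extra cost)". In the next section, "If you've licensing for MDOP and DaRT" should stay "If you have licensing", because "have" is the main verb there.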
@@ -608,7 +608,7 @@ On **MDT01**: ### Update the deployment share -Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. +Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created. 1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. @@ -639,7 +639,7 @@ On **MDT01**: ### Deploy the Windows 10 client -At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: +At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you're confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. These tests help rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: On **HV01**: @@ -665,7 +665,7 @@ On **HV01**: - Computer Name: **PC0005** - Applications: Select the **Install - Adobe Reader** checkbox. -4. Setup now begins and does the following: +4. Setup now begins and does the following steps: - Installs the Windows 10 Enterprise operating system. - Installs the added application. 
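Review bot: In the @@ -608,7 hunk, "This update-process is the one during which the Windows PE boot images are created" introduces a hyphenated compound and a roundabout clause. Suggest "The Windows PE boot images are created during this update". In the @@ -665,7 hunk, "Setup now begins and does the following steps" has the same problem, and "performs the following steps" would read better.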
@@ -681,7 +681,7 @@ Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed auto ### Use the MDT monitoring feature -Since you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. +Since you've enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. On **MDT01**: 
@@ -705,12 +705,11 @@ The Event Viewer showing a successful deployment of PC0005. ## Multicast deployments -Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. If you have a limited number of simultaneous deployments, you probably do not need to enable multicast. +Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it's important to ensure that your network supports it and is designed for it. If you've a limited number of simultaneous deployments, you probably don't need to enable multicast. ### Requirements -Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that -Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. +Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this configuration means involvement of the organization networking team to ensure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. ### Set up MDT for multicast 
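Review bot: In the first paragraph under "Multicast deployments", "If you've a limited number of simultaneous deployments" contracts "have" where it is the main verb, which is not idiomatic. Keep "If you have a limited number". The same sentence group also has "deployments, however it's important", which needs a semicolon before "however" and a comma after it.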
@@ -729,9 +728,9 @@ On **MDT01**: ## Use offline media to deploy Windows 10 -In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. +In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by using selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. -Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. +Offline media are useful not only when you don't have network connectivity to the deployment share, but also when you've limited connection to the deployment share and don't want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. ### Create the offline media selection profile 
@@ -762,7 +761,7 @@ In these steps, you generate offline media from the MDT Production deployment sh 1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. >[!NOTE] - >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. + >When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media. 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. @@ -798,7 +797,7 @@ On **MDT01**: ### Generate the offline media -You have now configured the offline media deployment share, however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. +You've now configured the offline media deployment share, however the share hasn't yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. On **MDT01**: 
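Review bot: In the @@ -798,7 hunk, the added line keeps the broken sentence "Now everything is ready you populate the deployment share content folder and generate the offline media ISO", which is missing a word. Suggest "Now that everything is ready, you populate the deployment share content folder and generate the offline media ISO", and put a semicolon before "however" in the sentence before it.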
@@ -808,7 +807,7 @@ On **MDT01**: ### Create a bootable USB stick -The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) +The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) >[!TIP] >In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
                             
                            Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
                             
                            Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
                             
                            To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. @@ -821,7 +820,7 @@ Follow these steps to create a bootable USB stick from the offline media content 3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. -4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. +4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). 
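Review bot: In the TIP carried as context by the @@ -808,7 hunk, the Dism /Split-Image example passes /ImageFile a path that contains a space (Deploy\Operating Systems\W10EX64RTM) without quotes, and the sentence's closing period is attached to /FileSize:3800, so the command does not parse as intended when copied as written. Since this patch already edits the paragraph directly above, quote the /ImageFile path and move the command to its own code line without the trailing period.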
@@ -829,7 +828,7 @@ Follow these steps to create a bootable USB stick from the offline media content ## Unified Extensible Firmware Interface (UEFI)-based deployments -As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI. +As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you've an UEFI-based machine and creates the partitions UEFI requires. You don't need to update or change your task sequences in any way to accommodate UEFI. ![figure 14.](../images/mdt-07-fig16.png) diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index d5a9a7653a..9667f4a047 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md 
@@ -21,23 +21,23 @@ This article provides an overview of the features, components, and capabilities MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. -In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. +In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). +MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). > [!IMPORTANT] > For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-). 
## Key features in MDT -MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. +MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment. MDT has many useful features, such as: - **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10. - **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. -- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry. +- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry. - **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI. +- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI. - **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. ![figure 2.](../images/mdt-05-fig02.png) 
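Review bot: In the @@ -21,23 hunk, swapping "as well as" for "and" produces "MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server", a list with two conjunctions that is harder to read than the original. Suggest "Windows 10, Windows 7, Windows 8.1, and Windows Server". The "Additional operating systems support" bullet has the same pattern with "POSReady 7, and Windows 8.1 Embedded Industry".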
@@ -48,7 +48,7 @@ MDT has many useful features, such as: - **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). - **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. - **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. +- **Improved deployment wizard.** Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard. - **Monitoring.** Allows you to see the status of currently running deployments. - **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). - **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. 
@@ -65,21 +65,21 @@ MDT has many useful features, such as: - **Support for Microsoft Office.** Provides added support for deploying Microsoft Office. - **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. - **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). ## MDT Lite Touch components -Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. +Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disk. 
-When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. +When the Windows operating system is being deployed using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click **View Script**. You're provided the PowerShell command. ![figure 4.](../images/mdt-05-fig04.png) -If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. +If you click **View Script** on the right side, you'll get the PowerShell code that was used to perform the task. ## Deployment shares -A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. 
+A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get more settings for the deployment. For Lite Touch deployments, it's common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it's common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. ## Rules @@ -92,7 +92,7 @@ You can manage hundreds of settings in the rules. For more information, see the ![figure 5.](../images/mdt-05-fig05.png) -Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number +Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number ## Boot images @@ -101,7 +101,7 @@ share on the server and start the deployment. ## Operating systems -Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. +Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you've created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. ## Applications 
@@ -113,7 +113,7 @@ You also use the Deployment Workbench to import the drivers your hardware needs ## Packages -With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. +With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those packages. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that aren't available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. ## Task sequences 
@@ -128,17 +128,18 @@ You can think of a task sequence as a list of actions that need to be executed i ## Task sequence templates -MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. +MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence. - **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. - **Note**: It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. + > [!NOTE] + > It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't. - **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. - **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. - **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. 
+- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers. - **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. +- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments. - **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. - **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. - **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. @@ -161,7 +162,7 @@ The easiest way to view log files is to use Configuration Manager Trace (CMTrace ## Monitoring -On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. +On the deployment share, you also can enable monitoring. After you enable monitoring, you'll see all running deployments in the Monitor node in the Deployment Workbench. ## See next 
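Review bot: In the `@@ -65,21 +65,21 @@` hunk, the Lite Touch paragraph changes "USB flash drive or disc" to "USB flash drive or disk", which looks like a spelling fix but changes the meaning: "disc" is optical media, "disk" is a hard drive. If the sentence is listing removable deployment media, keep "disc". The same line still reads "from a physical media"; since it is being touched anyway, "from physical media" would fix the agreement. In the next paragraph of that hunk, "You're provided the PowerShell command." is harder to follow than the sentence it replaces; naming the actor (for example, "The Deployment Workbench then shows the PowerShell command.") would read better.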
From d36e245b91433239a23828e915e1211b10c48ff1 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 8 Aug 2022 17:06:55 +0530 Subject: [PATCH 52/77] Update build-a-distributed-environment-for-windows-10-deployment.md --- ...build-a-distributed-environment-for-windows-10-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 619447fac2..ccf4df0e57 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -1,6 +1,6 @@ --- title: Build a distributed environment for Windows 10 deployment (Windows 10) - Date: Mon, 8 Aug 2022 12:37:50 -0400 Subject: [PATCH 53/77] Update hello-errors-during-pin-creation.md updated the description, fixing minor issues --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 592e53bc19..d7987dc9bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -70,7 +70,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0xC00000BB | Something went wrong and you PIN isn’t available. Or That option is temporarily unavailable. For now, please use a different method to sign in. | Destination domain controller doesn't support the login, most likely KDC service dont have proper certificate to support the login.| +| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.| From ab39b0047c32ff3ad5a9b3d71db48e5a2a02a5d2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 25 Jul 2022 11:02:50 -0400 Subject: [PATCH 54/77] Cherry pick Changes for #9917 --- ...e-logon-message-text-for-users-attempting-to-log-on.md | 6 ++---- ...-logon-message-title-for-users-attempting-to-log-on.md | 8 +++----- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 2f384a46fc..09e60e2f2b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md 
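Review bot: In hello-errors-during-pin-creation.md, the rewritten 0xC00000BB row still puts the cause in the last column, where the neighbouring rows carry the mitigation ("Sign out and then sign in again."), and the only action offered is "Use a different login method", which is a workaround for the user rather than a fix. Consider moving "The destination domain controller doesn't support the login method..." into the second column and using the third column to say what the administrator should correct on the domain controller. The old second column held what read as the two messages shown to the user; replacing them with the paraphrase "Your PIN or this option is temporarily unavailable." makes the row harder to find by searching for the on-screen text, so keeping the original wording (with the "you PIN" typo fixed) may be preferable. The new cells also drop the space before the closing `|`.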
@@ -2,7 +2,7 @@ title: Interactive Logon Message text (Windows 10) description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy @@ -32,9 +32,7 @@ The **Interactive logon: Message text for users attempting to log on** and [Inte **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in. -**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. - -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. +**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. When these policy settings are configured, users will see a dialog box before they can sign in to the server console. 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index ab20a8f979..b16fd3bff2 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy 
@@ -30,9 +30,7 @@ Describes the best practices, location, values, policy management and security c This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. -The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. - -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. +The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. When these policy settings are configured, users will see a dialog box before they can sign in the server console. 
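Review bot: In this hunk of interactive-logon-message-title-for-users-attempting-to-log-on.md, the added line appends "This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited." to the paragraph directly below a context line that already ends with the same sentence (the "legal reasons—for example" version). The article now says it twice in consecutive paragraphs, once with "might" and once with "may". Drop the appended sentence here, or remove it from the first paragraph and keep a single wording.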
@@ -43,7 +41,7 @@ When these policy settings are configured, users will see a dialog box before th ### Best practices -1. It's advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one of the following values: +1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: - RESTRICTED SYSTEM From 6c37b3f420866c66367d6998c17feef6fa214327 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Mon, 8 Aug 2022 23:09:11 +0530 Subject: [PATCH 55/77] Updated-6247330 Redirection file entry updated to resolve validation error. --- .openpublishing.redirection.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index bdc9f68fb9..afe30ff75b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19594,6 +19594,7 @@ "source_path": "windows/deployment/update/waas-delivery-optimization-faq.md", "redirect_url": "/windows/deployment/do/waas-delivery-optimization-faq", "redirect_document_id": false + }, { "source_path": "windows/security/identity-protection/access-control/security-identifiers.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers", From 4536c4f0fe229a5c9117ca6864c00c2cd6122567 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 8 Aug 2022 12:50:26 -0700 Subject: [PATCH 56/77] Aligning TOC name with article name. --- windows/deployment/windows-autopatch/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c6e175c270..ecc4111a9c 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml 
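Review bot: In the `@@ -43,7 +41,7 @@` hunk of interactive-logon-message-title-for-users-attempting-to-log-on.md, the cherry-pick replaces "a value similar to one of the following values:" with "a value similar to one the following:", which drops the word "of" and reverts "It's" to "It is". This looks like an older revision of the line overwriting a later fix rather than an intended change. Keep the removed line as it was, or at least restore "one of the following".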
@@ -35,7 +35,7 @@ - name: Operate href: operate/index.md items: - - name: Update management + - name: Software update management href: operate/windows-autopatch-update-management.md items: - name: Windows updates From a500a48dcd7d91a34ee4cfb57c6cb569bfdd26a2 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 9 Aug 2022 08:00:58 -0700 Subject: [PATCH 57/77] Improved documentation for reference computer scenarios. --- .../create-initial-default-policy.md | 134 ++++++++++++------ ...e-wdac-policy-for-fully-managed-devices.md | 7 +- 2 files changed, 97 insertions(+), 44 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 2d31e8f0f7..f9b070ff3b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,6 +1,6 @@ --- -title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows) -description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide. +title: Create a WDAC policy using a reference computer (Windows) +description: To create a Windows Defender Application Control (WDAC) policy that allows all code installed on a reference computer within your organization, follow this guide. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security 
@@ -11,83 +11,133 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 05/03/2018 +ms.date: 08/08/2022 ms.technology: windows-sec --- -# Create a WDAC policy for fixed-workload devices using a reference computer +# Create a WDAC policy using a reference computer **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This section outlines the process to create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. - -For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. -Then create the WDAC policy by scanning the system for installed applications. -The policy file is converted to binary format when it gets created so that Windows can interpret it. - -## Overview of the process of creating Windows Defender Application Control policies - -A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. 
Windows Defender Application Control policies follow a similar methodology that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of more WDAC policies based on what should be allowed to be installed and run and for whom. For more information on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md). - -Optionally, WDAC can align with your software catalog and any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged, or serviced, and managed. - -If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +This section outlines the process to create a Windows Defender Application Control (WDAC) policy **using a reference computer** that is already configured with the software you want to allow. You can use this approach for fixed-workload devices that are dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. 
Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. This approach can also be used to turn on WDAC on systems "in the wild" and you want to minimize the potential impact on users' productivity. > [!NOTE] -> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. +> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -Each installed software application should be validated as trustworthy before you create a policy. -We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. -Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. -You can remove or disable such software on the reference computer. +As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. 
-To create a Windows Defender Application Control policy, copy each of the following commands into an elevated Windows PowerShell session, in order: +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. -1. Initialize variables that you'll use. +## Create a custom base policy using a reference device + +Alice previously created a policy for the organization's fully managed end-user devices. She now wants to use WDAC to protect Lamna's critical infrastructure servers. Lamna's imaging practice for infrastructure systems is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Alice decides to use these same "golden" image systems to create the WDAC policies, which will result in separate custom base policies for each type of infrastructure server. As with imaging, she'll have to create policies from multiple golden computers based on model, department, application set, and so on. + +> [!NOTE] +> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.

                            Each installed software application should be validated as trustworthy before you create a policy.

                            We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. You can remove or disable such software on the reference computer. + +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's critical infrastructure servers: + +- All devices are running Windows Server 2019 or above; +- All apps are centrally managed and deployed; +- No interactive users. + +Based on the above, Alice defines the pseudo-rules for the policy: + +1. **“Windows works”** rules that authorize: + - Windows + - WHQL (third-party kernel drivers) + - Windows Store signed apps + +2. Rules for **scanned files** that authorize all pre-existing app binaries found on the device + +To create the WDAC policy, Alice runs each of the following commands in an elevated Windows PowerShell session, in order: + +1. Initialize variables. ```powershell $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName="FixedWorkloadPolicy_Audit" - $WDACPolicy=$PolicyPath+$PolicyName+".xml" - $WDACPolicyBin=$PolicyPath+$PolicyName+".bin" + $LamnaServerPolicy=$PolicyPath+$PolicyName+".xml" + $DefaultWindowsPolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" + ``` 2. 
Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: ```powershell - New-CIPolicy -Level PcaCertificate -FilePath $WDACPolicy –UserPEs 3> CIPolicyLog.txt + New-CIPolicy -FilePath $LamnaServerPolicy -Level SignedVersion -Fallback FilePublisher,FileName,Hash -ScanPath c:\ -UserPEs -MultiplePolicyFormat -OmitPaths c:\Windows,'C:\Program Files\WindowsApps\',c:\windows.old\,c:\users\ 3> CIPolicyLog.txt ``` > [!Note] - > - > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. - > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md). + > > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md). - > > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. 
Without this parameter, the tool will scan the C-drive by default. - > + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. If you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers. In other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + > - To create a policy for Windows 10 1903 and above, including support for supplemental policies, use **-MultiplePolicyFormat**. + > - To specify a list of paths to exclude from the scan, use the **-OmitPaths** option and supply a comma-delimited list of paths. > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. -3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: +3. Merge the new policy with the WindowsDefault_Audit policy to ensure all Windows binaries and kernel drivers will load. + + ```powershell + Merge-CIPolicy -OutputFilePath $LamnaServerPolicy -PolicyPaths $LamnaServerPolicy,$DefaultWindowsPolicy + ``` + +4. Give the new policy a descriptive name, and initial version number: + + ```powershell + Set-CIPolicyIdInfo -FilePath $LamnaServerPolicy -PolicyName $PolicyName + Set-CIPolicyVersion -FilePath $LamnaServerPolicy -Version "1.0.0.0" + ``` + +5. 
Modify the merged policy to set policy rules: + + ```powershell + Set-RuleOption -FilePath $LamnaServerPolicy -Option 3 # Audit Mode + Set-RuleOption -FilePath $LamnaServerPolicy -Option 6 # Unsigned Policy + Set-RuleOption -FilePath $LamnaServerPolicy -Option 9 # Advanced Boot Menu + Set-RuleOption -FilePath $LamnaServerPolicy -Option 12 # Enforce Store Apps + Set-RuleOption -FilePath $LamnaServerPolicy -Option 16 # No Reboot + Set-RuleOption -FilePath $LamnaServerPolicy -Option 17 # Allow Supplemental + Set-RuleOption -FilePath $LamnaServerPolicy -Option 19 # Dynamic Code Security + ``` + +6. If appropriate, add more signer or file rules to further customize the policy for your organization. + +7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: ```powershell - ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin + [xml]$LamnaServerPolicyXML = Get-Content $LamnaServerPolicy + $PolicyId = $LamnaServerPolicyXML.SiPolicy.PolicyId + $LamnaServerPolicyBin = $PolicyPath+$PolicyId+".cip" + ConvertFrom-CIPolicy $LamnaServerPolicy $LamnaServerPolicyBin ``` -After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for more security. +8. Upload the base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). -> [!NOTE] -> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. 
For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). +Alice now has an initial policy for Lamna's critical infrastructure servers that is ready to deploy in audit mode. -We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error messages. For information about how to audit a WDAC policy, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md). +## Create a custom base policy to minimize user impact on in-use client devices +Alice previously created a policy for the organization's fully managed devices. Alice has included the fully managed device policy as part of Lamna's device build process so all new devices now begin with WDAC enabled. She's preparing to deploy the policy to systems that are already in use, but is worried about causing disruption to users' productivity. To minimize that risk, Alice decides to take a different approach for those systems. She'll continue to deploy the fully managed device policy in audit mode to those devices, but for enforcement mode she'll merge the fully managed device policy rules with a policy created by scanning the device for all previously installed software. In this way, each device is treated as its own "golden" system. +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed in-use devices: + +- Everything described for Lamna's [Fully Managed Devices](create-wdac-policy-for-fully-managed-devices.md); +- Users have installed apps that they need to continue to run. + +Based on the above, Alice defines the pseudo-rules for the policy: + +1. Everything included in the Fully Managed Devices policy +2. 
Rules for **scanned files** that authorize all pre-existing app binaries found on the device + +For Lamna's existing, in-use devices, Alice deploys a script along with the Fully Managed Devices policy XML (not the converted WDAC policy binary). The script then generates a custom policy locally on the client as described in the previous section, but instead of merging with the DefaultWindows policy, the script merges with Lamna's Fully Managed Devices policy. Alice also modifies the steps above to match the requirements of this different use case. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 7cd08be428..2d13639669 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -82,8 +82,9 @@ Alice follows these steps to complete this task: 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: ```powershell + $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName= "Lamna_FullyManagedClients_Audit" - $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $LamnaPolicy=$PolicyPath+$PolicyName+".xml" $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` 
@@ -121,7 +122,9 @@ Alice follows these steps to complete this task: > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. ```powershell - $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin" + [xml]$LamnaPolicyXML = Get-Content $LamnaPolicy + $PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId + $LamnaPolicyBin = $PolicyPath+$PolicyId+".cip" ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin ``` From 3457ee1bbba8b18732707ac074a867b1f0e1cc01 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 9 Aug 2022 14:43:03 -0600 Subject: [PATCH 58/77] Update hello-faq.yml hello-faq.yml https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/1d1a9154-130b-4baf-b1a4-f2d6fb33a323#CORRECTNESS Line 160: a SHA256 hash > an SHA256 hash --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 21e0d01180..a0c26cb08e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
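Review bot: In the hunk that adds steps 3 to 8 for the server policy, step 3 names the merge target "WindowsDefault_Audit policy", while the command beside it uses `$DefaultWindowsPolicy` and the closing paragraph of the same hunk says "DefaultWindows policy". Use one name throughout, matching the variable, so readers know which template is meant. Step 7 also builds the output path from `$PolicyPath`; please confirm that variable is initialized in an earlier step of this article, as the companion change does for create-wdac-policy-for-fully-managed-devices.md, because otherwise `$LamnaServerPolicyBin` resolves to only the GUID plus ".cip".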
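Review bot: In the `@@ -121,7 +122,9 @@` hunk of create-wdac-policy-for-fully-managed-devices.md, the unchanged line `ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin` still passes `$WDACPolicyBin`, whose assignment this hunk removes, and the new `$LamnaPolicyBin` is never used. Change the last command to `ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin`. The note at the top of the hunk that tells readers to replace the string "{InsertPolicyID}" no longer matches any command, since the ID is now read from the policy XML, so remove or reword it in the same change.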
@@ -157,7 +157,7 @@ sections: - question: What is the format used to store Windows Hello biometrics data on the device? answer: | - Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (e.g., face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing a SHA256 hash. + Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (e.g., face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. - question: Who has access on Windows Hello biometrics data? answer: | From 32f020e28a57e39f7182bebf2e21f2bf647cbca5 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 9 Aug 2022 13:54:15 -0700 Subject: [PATCH 59/77] Fixed language on Note regarding PowerShell scripts --- .../applocker/script-rules-in-applocker.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index aee609a7fd..e30b2c517a 100644 
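Review bot: The changed answer line still reads "encrypted to the system using AES encryption producing an SHA256 hash", and correcting the article leaves the technical statement confused: AES is a cipher whose output is ciphertext, while SHA256 is a hash function. Ask the content owner what the SHA256 value is computed over and split the sentence so that encryption and hashing are described separately. While the line is being touched, "encrypted with unique, randomly generated key" also needs an article ("a unique").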
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -1,6 +1,6 @@ --- title: Script rules in AppLocker (Windows) -description: This topic describes the file formats and available default rules for the script rule collection. +description: This article describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: ms.author: macapara @@ -26,10 +26,6 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -> [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). - - This article describes the file formats and available default rules for the script rule collection. AppLocker defines script rules to include only the following file formats: 
@@ -44,11 +40,11 @@ The following table lists the default rules that are available for the script ru | Purpose | Name | User | Rule condition type | | - | - | - | - | | Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` | -| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | -| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| - +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| + > [!NOTE] -> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. +> When a script runs that is not allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode. ## Related articles From 6aea6fa9d6a0670602240b78f03b8c300303affe Mon Sep 17 00:00:00 2001 
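Review bot: The rewritten note at the end of the `@@ -44,11 +40,11 @@` hunk drops the event ID that the old text gave ("AppLocker generates an 8007 event"). Administrators reviewing logs need that identifier to recognize the "blocked" event the new wording describes, so keep it in the new sentence, for example "AppLocker raises an 8007 event indicating that the script was 'blocked'". The two table rows in the same hunk appear to differ only in whitespace; if that is not intended, leave them out of the commit. The earlier hunk also deletes the feature-availability note, which the commit subject does not mention.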
From: Angela Fleischmann Date: Tue, 9 Aug 2022 14:58:35 -0600 Subject: [PATCH 60/77] Update hello-feature-pin-reset.md hello-feature-pin-reset.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/b68f8a1e-9075-4399-8da9-5f3fa90fe6e0#CORRECTNESS Line 25: a new log in key > a new login key Formatting Line 91: Important note is not formatted correctly because a blank line is between the note coding. Reformat the note to include the content of the note. Line 32: Delete duplicate of preceding H2 heading to avoid confusion with TOC. (Or create unique heading.) --- .../hello-for-business/hello-feature-pin-reset.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index d1d68b482e..3e53faec85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -22,15 +22,13 @@ Windows Hello for Business provides the capability for users to reset forgotten There are two forms of PIN reset: -- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new log in key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration. +- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new login key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration. - **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature. ## Using PIN reset There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. -## Using PIN Reset - **Requirements** - Reset from settings - Windows 10, version 1703 or later, Windows 11 
@@ -88,7 +86,6 @@ When non-destructive PIN reset is enabled on a client, a 256-bit AES key is gene Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment. >[!IMPORTANT] - > The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809 and later, and Windows 11. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and later, Windows 11. > The Microsoft PIN Reset service is not currently available in Azure Government. From 3b0f05702c4c8195d3f532e9ae4a7521b57ba96b Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 9 Aug 2022 15:09:19 -0600 Subject: [PATCH 61/77] Add punctuation to sentences. Editorial changes Lines 45-47, 54-58, 63-67, 118-119, 124-125, 130-132, 143-166, 172-175, 277-298: Add periods to sentences. Line 252: Add colon. --- .../hello-feature-pin-reset.md | 116 +++++++++--------- 1 file changed, 58 insertions(+), 58 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 3e53faec85..64e72640b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
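Review bot: In the `@@ -22,15 +22,13 @@` hunk, the bullet now says "a new login key" but the paragraph under "## Using PIN reset" a few lines below still says "a new logon key". Pick one term and use it in both places. That paragraph also repeats the two bullets almost word for word, so with the duplicate heading removed it could be trimmed to keep the two copies from drifting apart.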
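Review bot: In the `@@ -88,7 +86,6 @@` hunk, the IMPORTANT note says "Windows 10, version 1709 to 1809 and later", which reads as both a closed range and an open one, and the next sentence then covers "version 1903 and later". Confirm the intended range and drop "and later" from the first sentence if the range is closed. With the blank line removed, the two consecutive `>` lines will render as a single paragraph; put a line containing only `>` between them if the Azure Government sentence should stand on its own.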
@@ -42,29 +42,29 @@ Destructive and non-destructive PIN reset use the same steps for initiating a PI ### Reset PIN from Settings -1. Sign-in to Windows 10 using an alternate credential -1. Open **Settings**, select **Accounts** > **Sign-in options** -1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions +1. Sign-in to Windows 10 using an alternate credential. +1. Open **Settings**, select **Accounts** > **Sign-in options**. +1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions. ### Reset PIN above the Lock Screen For Azure AD-joined devices: -1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon -1. Select **I forgot my PIN** from the PIN credential provider -1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key) -1. Follow the instructions provided by the provisioning process -1. When finished, unlock your desktop using your newly created PIN +1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. +1. Select **I forgot my PIN** from the PIN credential provider. +1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key). +1. Follow the instructions provided by the provisioning process. +1. When finished, unlock your desktop using your newly created PIN. For Hybrid Azure AD-joined devices: -1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon -1. Select **I forgot my PIN** from the PIN credential provider -1. Enter your password and press enter -1. Follow the instructions provided by the provisioning process -1. 
When finished, unlock your desktop using your newly created PIN +1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. +1. Select **I forgot my PIN** from the PIN credential provider. +1. Enter your password and press enter. +1. Follow the instructions provided by the provisioning process. +1. When finished, unlock your desktop using your newly created PIN. > [!NOTE] > Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. 
@@ -115,21 +115,21 @@ Before you can remotely reset PINs, you must register two applications in your A #### Connect Azure Active Directory with the PIN Reset Service -1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant -1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization +1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. +1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization. ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png) #### Connect Azure Active Directory with the PIN Reset Client -1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant -1. 
After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization +1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. +1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization. ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png) #### Confirm that the two PIN Reset service principals are registered in your tenant -1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com) -1. Select **Azure Active Directory** > **Applications** > **Enterprise applications** -1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list +1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com). +1. Select **Azure Active Directory** > **Applications** > **Enterprise applications**. +1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list. :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png"::: ### Enable PIN Recovery on your devices 
@@ -140,39 +140,39 @@ Before you can remotely reset PINs, your devices must be configured to enable PI You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune. -1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) -1. Select **Devices** > **Configuration profiles** > **Create profile** +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +1. Select **Devices** > **Configuration profiles** > **Create profile**. 1. Enter the following properties: - - **Platform**: Select **Windows 10 and later** - - **Profile type**: Select **Settings catalog** -1. Select **Create** + - **Platform**: Select **Windows 10 and later**. + - **Profile type**: Select **Settings catalog**. +1. Select **Create**. 1. In **Basics**, enter the following properties: - - **Name**: Enter a descriptive name for the profile - - **Description**: Enter a description for the profile. This setting is optional, but recommended -1. Select **Next** -1. In **Configuration settings**, select **Add settings** -1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery** -1. Configure **Enable Pin Recovery** to **true** -1. Select **Next** -1. In **Scope tags**, assign any applicable tags (optional) -1. Select **Next** -1. In **Assignments**, select the security groups that will receive the policy -1. Select **Next** -1. In **Review + create**, review your settings and select **Create** + - **Name**: Enter a descriptive name for the profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. +1. Select **Next**. +1. In **Configuration settings**, select **Add settings**. +1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery**. +1. Configure **Enable Pin Recovery** to **true**. +1. Select **Next**. +1. In **Scope tags**, assign any applicable tags (optional). +1. 
Select **Next**. +1. In **Assignments**, select the security groups that will receive the policy. +1. Select **Next**. +1. In **Review + create**, review your settings and select **Create**. >[!NOTE] > You can also configure PIN recovery from the **Endpoint security** blade: -> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) -> 1. Select **Endpoint security** > **Account protection** > **Create Policy** +> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +> 1. Select **Endpoint security** > **Account protection** > **Create Policy**. #### [✅ **GPO**](#tab/gpo) You can configure Windows devices to use the **Microsoft PIN Reset Service** using a Group Policy Object (GPO). -1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory -1. Edit the Group Policy object from Step 1 -1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business** -1. Close the Group Policy Management Editor to save the Group Policy object +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. +1. Edit the Group Policy object from Step 1. +1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. +1. Close the Group Policy Management Editor to save the Group Policy object. #### [✅ **CSP**](#tab/csp) 
@@ -249,7 +249,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au 1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next. -1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings +1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings: - **Name:** Web Sign In Allowed URLs - **Description:** (Optional) List of domains that are allowed during PIN reset flows. 
@@ -274,28 +274,28 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au #### Configure Web Sign-in Allowed URLs using Microsoft Intune -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. Select **Devices** > **Configuration profiles** > **Create profile** +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** > **Configuration profiles** > **Create profile**. 1. Enter the following properties: - - **Platform**: Select **Windows 10 and later** - - **Profile type**: Select **Templates** - - In the list of templates that is loaded, select **Custom** > **Create** + - **Platform**: Select **Windows 10 and later**. + - **Profile type**: Select **Templates**. + - In the list of templates that is loaded, select **Custom** > **Create**. 1. In **Basics**, enter the following properties: - - **Name**: Enter a descriptive name for the profile - - **Description**: Enter a description for the profile. This setting is optional, but recommended -1. Select **Next** + - **Name**: Enter a descriptive name for the profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. +1. Select **Next**. 1. In **Configuration settings**, select **Add** and enter the following settings: - Name: **Web Sign In Allowed URLs** - Description: **(Optional) List of domains that are allowed during PIN reset flows** - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` - Data type: **String** - - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** (without quotation marks) + - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. 
An example value would be **signin.contoso.com;portal.contoso.com** (without quotation marks). :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist-expanded.png"::: -1. Select **Save** > **Next** -1. In **Assignments**, select the security groups that will receive the policy -1. Select **Next** -1. In **Applicability Rules**, select **Next** -1. In **Review + create**, review your settings and select **Create** +1. Select **Save** > **Next**. +1. In **Assignments**, select the security groups that will receive the policy. +1. Select **Next**. +1. In **Applicability Rules**, select **Next**. +1. In **Review + create**, review your settings and select **Create**. > [!NOTE] From 23d1a5c631fdfd8aa4b8f94b1d38b3c5e79dd353 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 10 Aug 2022 10:36:17 -0700 Subject: [PATCH 62/77] Update policy-csp-admx-deviceguard.md --- windows/client-management/mdm/policy-csp-admx-deviceguard.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 4a673e49f0..be4d145990 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md 
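Review bot: In the `@@ -42,29 +42,29 @@` hunk of the punctuation commit, step 1 of "Reset PIN from Settings" still begins "Sign-in to Windows 10"; used as a verb it should be "Sign in", matching "Sign in to the ..." in the later steps of this file. The step also names only Windows 10, although the requirements shown earlier in the file list "Windows 10, version 1703 or later, Windows 11".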
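Review bot: In the `@@ -115,21 +115,21 @@` hunk, the step "Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)" uses a product name that looks like a blend with "Microsoft Endpoint Manager admin center", which the other procedures in this file use; confirm the name and correct it in this pass. The same hunk says "After you have logged in" directly after "sign in using a Global Administrator account", so "signed in" would keep the wording consistent.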
@@ -7,13 +7,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 09/08/2021 +ms.date: 08/10/2022 ms.reviewer: manager: dansimp --- # Policy CSP - ADMX_DeviceGuard +> [!WARNING] +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md). + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > From ad11829aef274490ec8e531499096b8c34317859 Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Wed, 10 Aug 2022 11:46:27 -0700 Subject: [PATCH 63/77] Update policy-csp-admx-deviceguard.md link fix --- windows/client-management/mdm/policy-csp-admx-deviceguard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index be4d145990..87a9eb5603 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md 
@@ -15,7 +15,7 @@ manager: dansimp # Policy CSP - ADMX_DeviceGuard > [!WARNING] -> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md). +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](../../security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md). > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -96,4 +96,4 @@ ADMX Info: ## Related topics -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) From 53b5821c2acf0aea80ac9e434dd14221946056fb Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Wed, 10 Aug 2022 12:46:34 -0700 Subject: [PATCH 64/77] Update policy-csp-admx-deviceguard.md undo link test fix --- windows/client-management/mdm/policy-csp-admx-deviceguard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 87a9eb5603..1e71306db0 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md 
@@ -15,7 +15,7 @@ manager: dansimp # Policy CSP - ADMX_DeviceGuard > [!WARNING] -> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](../../security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md). +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment]/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md). > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). From 64e821a104fec6facbe83b32b63ff3fb48805888 Mon Sep 17 00:00:00 2001 
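Review bot: The added WARNING line in this hunk loses the opening parenthesis of the link target: "[policy deployment]" is followed directly by "/windows/security/threat-protection/" with no "(", so the Markdown link will not render and the path appears as literal text. Restore the "(" after "]". The root-relative target also keeps its ".md" extension, unlike other root-relative links in this series such as "(/powershell/module/configci/convertfrom-cipolicy)"; check that against the link validation result before merging.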
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 10 Aug 2022 17:18:51 -0400 Subject: [PATCH 65/77] updated EDU metadata --- education/index.yml | 8 +++++--- education/windows/autopilot-reset.md | 18 +++++++++--------- education/windows/change-history-edu.md | 14 ++++++++------ education/windows/change-home-to-edu.md | 7 +++++-- education/windows/change-to-pro-education.md | 13 ++++++++----- .../windows/chromebook-migration-guide.md | 18 +++++++++--------- .../configure-windows-for-education.md | 18 ++++++++---------- .../deploy-windows-10-in-a-school-district.md | 17 ++++++++--------- .../windows/deploy-windows-10-in-a-school.md | 12 ++++++++---- .../windows/edu-deployment-recommendations.md | 16 +++++++--------- .../education-scenarios-store-for-business.md | 13 ++++++++----- .../enable-s-mode-on-surface-go-devices.md | 13 ++++++++----- .../windows/get-minecraft-for-education.md | 18 ++++++++---------- education/windows/index.md | 13 +++++++++---- education/windows/s-mode-switch-to-edu.md | 13 ++++++++----- education/windows/school-get-minecraft.md | 16 ++++++++-------- .../set-up-school-pcs-azure-ad-join.md | 13 ++++++++----- .../set-up-school-pcs-provisioning-package.md | 13 ++++++++----- .../set-up-school-pcs-shared-pc-mode.md | 13 ++++++++----- .../windows/set-up-school-pcs-technical.md | 18 ++++++++---------- .../windows/set-up-school-pcs-whats-new.md | 16 ++++++++++------ .../set-up-students-pcs-to-join-domain.md | 16 ++++++++-------- .../windows/set-up-students-pcs-with-apps.md | 18 ++++++++---------- education/windows/set-up-windows-10.md | 16 ++++++++-------- .../windows/take-a-test-app-technical.md | 18 ++++++++---------- education/windows/take-a-test-multiple-pcs.md | 17 ++++++++--------- education/windows/take-a-test-single-pc.md | 17 ++++++++--------- education/windows/take-tests-in-windows-10.md | 17 ++++++++--------- education/windows/teacher-get-minecraft.md | 17 ++++++++--------- 
education/windows/test-windows10s-for-edu.md | 16 ++++++++-------- .../windows/use-set-up-school-pcs-app.md | 14 ++++++++------ education/windows/windows-11-se-overview.md | 19 ++++++++----------- .../windows/windows-11-se-settings-list.md | 19 ++++++++----------- ...indows-editions-for-education-customers.md | 17 ++++++++--------- 34 files changed, 270 insertions(+), 251 deletions(-) diff --git a/education/index.yml b/education/index.yml index d9e629b791..b67a140734 100644 --- a/education/index.yml +++ b/education/index.yml @@ -10,9 +10,11 @@ metadata: description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. ms.service: help ms.topic: hub-page - author: LaurenMoynihan - ms.author: v-lamoyn - ms.date: 10/24/2019 + ms.collection: education + author: paolomatarazzo + ms.author: paoloma + ms.date: 08/10/2022 + manager: aaroncz productDirectory: title: For IT admins diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 5e41713a4b..ad98be350e 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md 
@@ -1,23 +1,23 @@ --- title: Reset devices with Autopilot Reset description: Gives an overview of Autopilot Reset and how you can enable and use it in your schools. -keywords: Autopilot Reset, Windows 10, education -ms.prod: w10 +keywords: Autopilot Reset, Windows, education +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 06/27/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Reset devices with Autopilot Reset -**Applies to:** - -- Windows 10, version 1709 IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 68e0429bb0..9a1acea7a1 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -2,17 +2,19 @@ title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education keywords: Windows 10 education documentation, change history -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -author: dansimp -ms.author: dansimp -ms.date: 05/21/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Change history for Windows 10 for Education This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. 
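Review bot: in the autopilot-reset.md hunk, the removed body text `- Windows 10, version 1709` is replaced by a front-matter entry that says only `- ✅ Windows 10`, so the minimum version is no longer stated anywhere in the changed lines. If Autopilot Reset still requires version 1709 or later, keep that requirement in the article body or in the `appliesto` entry. The same hunk also broadens `keywords` from `Windows 10` to `Windows` while `appliesto` lists Windows 10 only, and the two should agree. In the change-history-edu.md hunk, the blank line between the closing `---` and the `# Change history` heading is removed; keep it for consistency with the other files.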
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index 85b1b85c00..bb3a601ed0 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -1,7 +1,7 @@ --- title: Upgrade Windows Home to Windows Education on student-owned devices description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions. -ms.date: 07/05/2021 +ms.date: 08/10/2022 ms.prod: windows ms.technology: windows ms.topic: how-to @@ -10,7 +10,10 @@ author: scottbreenmsft ms.author: scbree ms.reviewer: paoloma manager: jeffbu -ms.collection: highpri +ms.collection: education +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Upgrade Windows Home to Windows Education on student-owned devices diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index d1ed1e7192..3c0e5424ee 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -2,16 +2,19 @@ title: Change to Windows 10 Education from Windows 10 Pro description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. keywords: change, free change, Windows 10 Pro to Windows 10 Pro Education, Windows 10 Pro to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 05/21/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Change to Windows 10 Pro Education from Windows 10 Pro 
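Review bot: in the change-home-to-edu.md hunk, `ms.collection: highpri` is replaced by `ms.collection: education` rather than extended, so the page loses its `highpri` tag as a side effect of a metadata refresh. If that is not intended, list both values under `ms.collection`. This hunk also bumps `ms.date` to 08/10/2022 but leaves `author: scottbreenmsft`, `ms.author: scbree` and `manager: jeffbu` unchanged, unlike the other files in the patch. Confirm that the difference is deliberate.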
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 6ecad551d4..94c26048bb 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -5,23 +5,23 @@ ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA ms.reviewer: manager: dansimp keywords: migrate, automate, device, Chromebook migration -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu, devices ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 +ms.reviewer: +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Chromebook migration guide - -**Applies to** - -- Windows 10 - In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools. ## Plan Chromebook migration diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 6d0c2694a5..4b876aa023 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md 
@@ -4,21 +4,19 @@ description: Provides guidance on ways to configure the OS diagnostic data, cons keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology ms.mktglfcycl: plan ms.sitesec: library -ms.prod: w10 +ms.prod: windows ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Windows 10 configuration recommendations for education customers -**Applies to:** - -- Windows 10 - Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index aa2e5b4d70..d0a8aa44bd 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -2,24 +2,23 @@ title: Deploy Windows 10 in a school district (Windows 10) description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use Microsoft Endpoint Configuration Manager, Intune, and Group Policy to manage devices. keywords: configure, tools, device, school district, deploy Windows 10 -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Deploy Windows 10 in a school district -**Applies to** - -- Windows 10 - - This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for district deployment diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index b618ca7b09..d9d1aff417 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md 
@@ -2,15 +2,19 @@ title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. keywords: configure, tools, device, school, deploy Windows 10 -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Deploy Windows 10 in a school diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index fb2c72d34b..8030077eee 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md 
@@ -5,19 +5,17 @@ keywords: Windows 10 deployment, recommendations, privacy settings, school ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.prod: w10 +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Deployment recommendations for school IT administrators -**Applies to:** - -- Windows 10 - Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, and some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. For more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index 7909586e9b..4fbe0e9f89 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md 
@@ -2,17 +2,20 @@ title: Education scenarios Microsoft Store for Education description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. keywords: school, Microsoft Store for Education, Microsoft education store -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium searchScope: - Store -author: dansimp -ms.author: dansimp -ms.date: 03/30/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Working with Microsoft Store for Education diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index e7dce928ea..e056e38381 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md @@ -2,16 +2,19 @@ title: Enable S mode on Surface Go devices for Education description: Steps that an education customer can perform to enable S mode on Surface Go devices keywords: Surface Go for Education, S mode -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/30/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Surface Go for Education - Enabling S mode diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 2ce2c20be3..8ff94d1ac5 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
@@ -2,27 +2,25 @@ title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. keywords: school, Minecraft, education edition -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium author: dansimp searchScope: - Store -ms.author: dansimp -ms.date: 01/29/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.topic: conceptual +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Get Minecraft: Education Edition -**Applies to:** - -- Windows 10 - - [Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. diff --git a/education/windows/index.md b/education/windows/index.md index 9db6cd7672..3977c5f664 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -2,14 +2,19 @@ title: Windows 10 for Education (Windows 10) description: Learn how to use Windows 10 in schools. keywords: Windows 10, education -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 +ms.reviewer: +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Windows 10 for Education diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index cb2e995ef3..a09d48ae19 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md 
@@ -4,14 +4,17 @@ description: Switching out of Windows 10 Pro in S mode to Windows 10 Pro Educati keywords: Windows 10 S switch, S mode Switch, switch in S mode, Switch S mode, Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.prod: w10 +ms.prod: windows ms.sitesec: library ms.pagetype: edu -ms.date: 12/03/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.author: dansimp -author: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 6ba860cd94..75e363e7ed 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md 
@@ -2,26 +2,26 @@ title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. keywords: Minecraft, Education Edition, IT admins, acquire -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium author: dansimp searchScope: - Store -ms.author: dansimp -ms.date: 01/30/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 ms.topic: conceptual --- # For IT administrators - get Minecraft: Education Edition -**Applies to:** - -- Windows 10 - When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. >[!Note] diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index a04a034238..b7a35b9784 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -2,16 +2,19 @@ title: Azure AD Join with Set up School PCs app description: Describes how Azure AD Join is configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 01/11/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Azure AD Join for school PCs 
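Review bot: several hunks up to this point add a front-matter key while the old key survives as an unchanged context line, which leaves duplicate YAML keys in the file. In chromebook-migration-guide.md the context lines `ms.reviewer:` and `manager: dansimp` stay at the top of the block and the hunk adds `+ms.reviewer:` and `+manager: aaroncz` further down. In get-minecraft-for-education.md and school-get-minecraft.md the context line `author: dansimp` stays above `searchScope:` and the hunk adds `+author: paolomatarazzo`. The teacher-get-minecraft.md hunk later in this patch has the same pattern. Remove the stale lines so each key appears once. Separately, the edu-deployment-recommendations.md hunk deletes `ms.prod: w10` without adding `ms.prod: windows`, so that file ends up with no `ms.prod` value while every other file in the patch gets one.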
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 328e6c3c68..3aeb7d738c 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -2,16 +2,19 @@ title: What's in Set up School PCs provisioning package description: Lists the provisioning package settings that are configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/17/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # What's in my provisioning package? diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md index 25aa35b4f0..e007d4957b 100644 --- a/education/windows/set-up-school-pcs-shared-pc-mode.md +++ b/education/windows/set-up-school-pcs-shared-pc-mode.md @@ -2,16 +2,19 @@ title: Shared PC mode for school devices description: Describes how shared PC mode is set for devices set up with the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/13/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Shared PC mode for school devices diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index de0bc50602..6dbdf70186 100644 
--- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -2,25 +2,23 @@ title: Set up School PCs app technical reference overview description: Describes the purpose of the Set up School PCs app for Windows 10 devices. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/11/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # What is Set up School PCs? - -**Applies to:** - -- Windows 10 - The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The app, which is available for Windows 10 version 1703 and later, configures and saves school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index a22f1755e4..fce328a1c0 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -2,16 +2,20 @@ title: What's new in the Windows Set up School PCs app description: Find out about app updates and new features in Set up School PCs. keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 08/04/2022 -ms.reviewer: paoloma -manager: dansimp +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 +ms.reviewer: +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # What's new in Set up School PCs 
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index cbad40867b..32f97bf4b3 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -2,21 +2,21 @@ title: Set up student PCs to join domain description: Learn how to use Configuration Designer to provision student devices to join Active Directory. keywords: school, student PC setup, Windows Configuration Designer -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/27/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Set up student PCs to join domain -**Applies to:** - -- Windows 10 If your school uses Active Directory, use the Windows Configuration Designer tool to create a provisioning package that will configure a PC for student use that is joined to the Active Directory domain. diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 2f08fa227c..840dd7836b 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md 
@@ -1,21 +1,19 @@ --- title: Provision student PCs with apps description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. -ms.prod: w10 +ms.prod: windows ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/13/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Provision student PCs with apps -**Applies to:** - -- Windows 10 - To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps). Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index e1acdf9f1d..a9e53b4beb 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -2,22 +2,22 @@ title: Set up Windows devices for education description: Decide which option for setting up Windows 10 is right for you. keywords: school, Windows device setup, education device setup -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/27/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Set up Windows devices for education -**Applies to:** - -- Windows 10 You have two tools to choose from to set up PCs for your classroom: * Set up School PCs 
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 3e83e12653..dd064677bf 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -2,24 +2,22 @@ title: Take a Test app technical reference description: The policies and settings applied by the Take a Test app. keywords: take a test, test taking, school, policies -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 11/28/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Take a Test app technical reference -**Applies to:** - -- Windows 10 - - Take a Test is an app that locks down the PC and displays an online assessment web page. diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index fe484ddf82..e6daee3daa 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -2,23 +2,22 @@ title: Set up Take a Test on multiple PCs description: Learn how to set up and use the Take a Test app on multiple PCs. keywords: take a test, test taking, school, set up on multiple PCs -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 11/08/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Set up Take a Test on multiple PCs -**Applies to:** - -- Windows 10 - Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 1ebd02e090..2dcc9c525c 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -2,22 +2,21 @@ title: Set up Take a Test on a single PC description: Learn how to set up and use the Take a Test app on a single PC. keywords: take a test, test taking, school, set up on single PC -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 11/08/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Set up Take a Test on a single PC -**Applies to:** - -- Windows 10 To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow the guidance in this topic. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 50853a9e67..e0e44e51c8 100644 --- a/education/windows/take-tests-in-windows-10.md 
+++ b/education/windows/take-tests-in-windows-10.md @@ -2,23 +2,22 @@ title: Take tests in Windows 10 description: Learn how to set up and use the Take a Test app. keywords: take a test, test taking, school, how to, use Take a Test -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/16/2017 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Take tests in Windows 10 -**Applies to:** - -- Windows 10 - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10 creates the right environment for taking a test: diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 8d9850ce64..7d8bef5cad 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md 
@@ -2,26 +2,25 @@ title: For teachers get Minecraft Education Edition description: Learn how teachers can get and distribute Minecraft. keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium author: dansimp searchScope: - Store -ms.author: dansimp -ms.date: 01/05/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp -ms.topic: conceptual +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # For teachers - get Minecraft: Education Edition -**Applies to:** - -- Windows 10 - The following article describes how teachers can get and distribute Minecraft: Education Edition. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers. diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index f1ac5e98b3..e76136de39 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md 
@@ -1,20 +1,20 @@ --- title: Test Windows 10 in S mode on existing Windows 10 education devices description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices. -ms.prod: w10 +ms.prod: windows ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 07/30/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Test Windows 10 in S mode on existing Windows 10 education devices -**Applies to:** -- Devices running Windows 10, version 1709: Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise - The Windows 10 in S mode self-installer will allow you to test Windows 10 in S mode on various individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Test Windows 10 in S mode on various devices in your school and share your feedback with us. Windows 10 in S mode is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2). diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index ca36e12e5a..958e32ad29 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -2,18 +2,20 @@ title: Use Set up School PCs app description: Learn how to use the Set up School PCs app and apply the provisioning package. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 10/23/2018 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- - # Use the Set up School PCs app IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM. diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index dd98543603..32691a8669 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -1,25 +1,22 @@ --- title: What is Windows 11 SE description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education. -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -author: aczechowski -ms.author: aaroncz -manager: dougeby +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -ms.localizationpriority: medium -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 SE --- # Windows 11 SE for Education -**Applies to**: - -- Windows 11 SE -- Microsoft Intune for Education - Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately). For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits: diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index b2b9df5de8..e654aff272 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md 
@@ -1,25 +1,22 @@ --- title: Windows 11 SE settings list description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change. -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile -author: aczechowski -ms.author: aaroncz -manager: dougeby +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -ms.localizationpriority: medium -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 SE --- # Windows 11 SE for Education settings list -**Applies to**: - -- Windows 11 SE -- Microsoft Intune for Education - Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings. This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 759d485046..b53f4a28bc 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md 
@@ -2,23 +2,22 @@ title: Windows 10 editions for education customers description: Provides an overview of the two Windows 10 editions that are designed for the needs of K-12 institutions. keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers -ms.prod: w10 +ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -ms.date: 05/21/2019 +ms.collection: education +author: paolomatarazzo +ms.author: paoloma +ms.date: 08/10/2022 ms.reviewer: -manager: dansimp +manager: aaroncz +appliesto: +- ✅ Windows 10 --- # Windows 10 editions for education customers -**Applies to:** - -- Windows 10 - Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). From 91918eff992e4de6dbe0cab2909a374dba5bbea1 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 10 Aug 2022 17:27:05 -0400 Subject: [PATCH 66/77] updated metadata --- education/windows/chromebook-migration-guide.md | 2 -- education/windows/edu-deployment-recommendations.md | 1 + education/windows/get-minecraft-for-education.md | 1 - education/windows/school-get-minecraft.md | 1 - education/windows/teacher-get-minecraft.md | 1 - 5 files changed, 1 insertion(+), 5 deletions(-) 
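Review bot: In the teacher-get-minecraft.md hunk of the education metadata patch above, `author: dansimp` stays as an unchanged context line while `+author: paolomatarazzo` is added below `searchScope`, so the front matter ends up with two `author` keys. Delete the old line in the same hunk rather than in the follow-up "updated metadata" commit, so no intermediate revision carries a duplicate key. The same hunk removes `ms.topic: conceptual` without a replacement; restore it or state in the commit message that the key is being retired.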
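Review bot: In the test-windows10s-for-edu.md hunk, the removed Applies-to line scoped the article to devices running Windows 10, version 1709 on Pro, Pro Education, Education and Enterprise, and the new `appliesto` entry says only `✅ Windows 10`. The body text kept as context still excludes Windows 10 Home, so the front matter now claims wider applicability than the article does. Carry the version and edition list into `appliesto`, or keep that sentence in the body.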
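Review bot: In the windows-11-se-overview.md hunk, `ms.localizationpriority: medium` and `ms.topic: article` are deleted with nothing added in their place, and the new `appliesto` list keeps Windows 11 SE but drops the Microsoft Intune for Education entry that the removed Applies-to list had. The windows-11-se-settings-list.md hunk makes the same three changes. The other files in this patch keep `ms.localizationpriority: medium`, so either restore the keys here or note in the commit message that they are dropped deliberately for the SE pages.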
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 94c26048bb..b7d6452223 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -2,8 +2,6 @@ title: Chromebook migration guide (Windows 10) description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -ms.reviewer: -manager: dansimp keywords: migrate, automate, device, Chromebook migration ms.prod: windows ms.mktglfcycl: plan diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 8030077eee..c29d3d4a47 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -4,6 +4,7 @@ description: Provides guidance on ways to customize the OS privacy settings, and keywords: Windows 10 deployment, recommendations, privacy settings, school ms.mktglfcycl: plan ms.sitesec: library +ms.prod: windows ms.localizationpriority: medium ms.collection: education author: paolomatarazzo diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 8ff94d1ac5..f03899ae3d 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -6,7 +6,6 @@ ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp searchScope: - Store ms.collection: education diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 75e363e7ed..e24c73d2ef 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md 
@@ -6,7 +6,6 @@ ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp searchScope: - Store ms.collection: education diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 7d8bef5cad..9436f4e605 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -6,7 +6,6 @@ ms.prod: windows ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium -author: dansimp searchScope: - Store ms.collection: education From 089d6c2989b97b42844aba329235c2fed445e8a2 Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 10 Aug 2022 18:08:08 -0400 Subject: [PATCH 67/77] Metadata Changes --- .../administrative-tools-in-windows-10.md | 6 ++--- ...t-removal-policy-external-storage-media.md | 12 +++++----- .../connect-to-remote-aadj-pc.md | 6 ++--- ...s-for-enterprise-and-education-editions.md | 6 ++--- .../manage-corporate-devices.md | 8 +++---- ...e-device-installation-with-group-policy.md | 6 ++--- .../manage-settings-app-with-group-policy.md | 6 ++--- ...-in-your-organization-modern-management.md | 6 ++--- .../mandatory-user-profile.md | 6 ++--- .../mdm/Language-pack-management-csp.md | 6 ++--- .../mdm/accountmanagement-csp.md | 6 ++--- .../mdm/accountmanagement-ddf.md | 6 ++--- windows/client-management/mdm/accounts-csp.md | 6 ++--- .../mdm/accounts-ddf-file.md | 6 ++--- .../client-management/mdm/activesync-csp.md | 8 +++---- .../mdm/activesync-ddf-file.md | 6 ++--- ...ure-ad-tenant-and-azure-ad-subscription.md | 6 ++--- .../mdm/alljoynmanagement-csp.md | 6 ++--- .../mdm/alljoynmanagement-ddf.md | 6 ++--- .../client-management/mdm/application-csp.md | 6 ++--- .../mdm/applicationcontrol-csp-ddf.md | 4 ++-- .../mdm/applicationcontrol-csp.md | 4 ++-- .../client-management/mdm/applocker-csp.md | 6 ++--- .../mdm/applocker-ddf-file.md | 6 ++--- .../client-management/mdm/applocker-xsd.md | 6 ++--- .../mdm/appv-deploy-and-config.md | 6 ++--- windows/client-management/mdm/assign-seats.md | 6 ++--- .../mdm/assignedaccess-csp.md | 6 ++--- .../mdm/assignedaccess-ddf.md | 6 ++--- ...e-active-directory-integration-with-mdm.md | 6 ++--- ...omatic-mdm-enrollment-in-the-new-portal.md | 6 ++--- .../client-management/mdm/bitlocker-csp.md | 6 ++--- .../mdm/bitlocker-ddf-file.md | 6 ++--- ...bulk-assign-and-reclaim-seats-from-user.md | 6 ++--- ...ollment-using-windows-provisioning-tool.md | 6 ++--- .../mdm/cellularsettings-csp.md | 6 ++--- ...ficate-authentication-device-enrollment.md | 6 ++--- 
.../mdm/certificate-renewal-windows-mdm.md | 6 ++--- .../mdm/certificatestore-csp.md | 6 ++--- .../mdm/certificatestore-ddf-file.md | 6 ++--- .../change-history-for-mdm-documentation.md | 8 +++---- windows/client-management/mdm/cleanpc-csp.md | 6 ++--- windows/client-management/mdm/cleanpc-ddf.md | 6 ++--- .../mdm/clientcertificateinstall-csp.md | 6 ++--- .../mdm/clientcertificateinstall-ddf-file.md | 6 ++--- .../mdm/cm-cellularentries-csp.md | 6 ++--- windows/client-management/mdm/cmpolicy-csp.md | 6 ++--- .../mdm/cmpolicyenterprise-csp.md | 6 ++--- .../mdm/cmpolicyenterprise-ddf-file.md | 6 ++--- windows/client-management/mdm/config-lock.md | 6 ++--- ...onfiguration-service-provider-reference.md | 6 ++--- .../mdm/customdeviceui-csp.md | 6 ++--- .../mdm/customdeviceui-ddf.md | 6 ++--- ...a-structures-windows-store-for-business.md | 12 +++++----- windows/client-management/mdm/defender-csp.md | 6 ++--- windows/client-management/mdm/defender-ddf.md | 6 ++--- .../client-management/mdm/devdetail-csp.md | 6 ++--- .../mdm/devdetail-ddf-file.md | 6 ++--- .../mdm/developersetup-csp.md | 6 ++--- .../mdm/developersetup-ddf.md | 6 ++--- .../mdm/device-update-management.md | 6 ++--- .../client-management/mdm/devicelock-csp.md | 6 ++--- .../mdm/devicelock-ddf-file.md | 6 ++--- .../mdm/devicemanageability-csp.md | 8 +++---- .../mdm/devicemanageability-ddf.md | 6 ++--- .../client-management/mdm/devicestatus-csp.md | 6 ++--- .../client-management/mdm/devicestatus-ddf.md | 6 ++--- windows/client-management/mdm/devinfo-csp.md | 6 ++--- .../client-management/mdm/devinfo-ddf-file.md | 6 ++--- .../diagnose-mdm-failures-in-windows-10.md | 6 ++--- .../mdm/diagnosticlog-csp.md | 6 ++--- .../mdm/diagnosticlog-ddf.md | 6 ++--- .../disconnecting-from-mdm-unenrollment.md | 12 +++++----- windows/client-management/mdm/dmacc-csp.md | 6 ++--- .../client-management/mdm/dmacc-ddf-file.md | 6 ++--- windows/client-management/mdm/dmclient-csp.md | 6 ++--- .../mdm/dmclient-ddf-file.md | 6 ++--- 
.../mdm/dmprocessconfigxmlfiltered.md | 22 +++++++++---------- .../mdm/dmsessionactions-csp.md | 6 ++--- .../mdm/dmsessionactions-ddf.md | 6 ++--- .../mdm/dynamicmanagement-csp.md | 6 ++--- .../mdm/dynamicmanagement-ddf.md | 6 ++--- .../mdm/eap-configuration.md | 6 ++--- windows/client-management/mdm/email2-csp.md | 6 ++--- .../client-management/mdm/email2-ddf-file.md | 6 ++--- .../mdm/enable-admx-backed-policies-in-mdm.md | 6 ++--- ...device-automatically-using-group-policy.md | 8 +++---- .../mdm/enrollmentstatustracking-csp-ddf.md | 4 ++-- .../mdm/enrollmentstatustracking-csp.md | 4 ++-- .../mdm/enterprise-app-management.md | 6 ++--- .../mdm/enterpriseapn-csp.md | 6 ++--- .../mdm/enterpriseapn-ddf.md | 6 ++--- .../mdm/enterpriseappvmanagement-csp.md | 8 +++---- .../mdm/enterpriseappvmanagement-ddf.md | 6 ++--- .../mdm/enterprisedataprotection-csp.md | 6 ++--- .../mdm/enterprisedataprotection-ddf-file.md | 6 ++--- .../mdm/enterprisedesktopappmanagement-csp.md | 6 ++--- ...enterprisedesktopappmanagement-ddf-file.md | 6 ++--- .../enterprisedesktopappmanagement2-xsd.md | 6 ++--- .../mdm/enterprisemodernappmanagement-csp.md | 6 ++--- .../mdm/enterprisemodernappmanagement-ddf.md | 6 ++--- .../mdm/enterprisemodernappmanagement-xsd.md | 6 ++--- .../mdm/esim-enterprise-management.md | 4 ++-- windows/client-management/mdm/euiccs-csp.md | 6 ++--- .../client-management/mdm/euiccs-ddf-file.md | 6 ++--- ...erated-authentication-device-enrollment.md | 6 ++--- windows/client-management/mdm/firewall-csp.md | 6 ++--- .../mdm/firewall-ddf-file.md | 6 ++--- .../client-management/mdm/get-inventory.md | 12 +++++----- .../mdm/get-localized-product-details.md | 6 ++--- .../mdm/get-offline-license.md | 6 ++--- .../mdm/get-product-details.md | 6 ++--- .../mdm/get-product-package.md | 6 ++--- .../mdm/get-product-packages.md | 6 ++--- windows/client-management/mdm/get-seat.md | 6 ++--- .../mdm/get-seats-assigned-to-a-user.md | 6 ++--- windows/client-management/mdm/get-seats.md | 6 ++--- 
.../mdm/healthattestation-csp.md | 6 ++--- .../mdm/healthattestation-ddf.md | 6 ++--- ...rver-side-mobile-application-management.md | 8 +++---- ...ent-tool-for-windows-store-for-business.md | 12 +++++----- .../mdm/mdm-enrollment-of-windows-devices.md | 12 +++++----- .../mdm/mobile-device-enrollment.md | 6 ++--- windows/client-management/mdm/multisim-csp.md | 6 ++--- windows/client-management/mdm/multisim-ddf.md | 6 ++--- windows/client-management/mdm/nap-csp.md | 6 ++--- windows/client-management/mdm/napdef-csp.md | 6 ++--- .../client-management/mdm/networkproxy-csp.md | 6 ++--- .../client-management/mdm/networkproxy-ddf.md | 6 ++--- .../mdm/networkqospolicy-csp.md | 6 ++--- .../mdm/networkqospolicy-ddf.md | 6 ++--- ...ew-in-windows-mdm-enrollment-management.md | 12 +++++----- .../client-management/mdm/nodecache-csp.md | 6 ++--- .../mdm/nodecache-ddf-file.md | 6 ++--- windows/client-management/mdm/office-csp.md | 6 ++--- windows/client-management/mdm/office-ddf.md | 6 ++--- .../mdm/oma-dm-protocol-support.md | 6 ++--- ...remise-authentication-device-enrollment.md | 6 ++--- .../mdm/passportforwork-csp.md | 6 ++--- .../mdm/passportforwork-ddf.md | 6 ++--- .../mdm/personalization-csp.md | 6 ++--- .../mdm/personalization-ddf.md | 8 +++---- .../mdm/policies-in-policy-csp-admx-backed.md | 6 ++--- ...in-policy-csp-supported-by-group-policy.md | 6 ++--- ...ed-by-hololens-1st-gen-commercial-suite.md | 6 ++--- ...by-hololens-1st-gen-development-edition.md | 6 ++--- ...es-in-policy-csp-supported-by-hololens2.md | 6 ++--- ...ies-in-policy-csp-supported-by-iot-core.md | 6 ++--- ...-in-policy-csp-supported-by-surface-hub.md | 6 ++--- ...in-policy-csp-that-can-be-set-using-eas.md | 6 ++--- .../policy-configuration-service-provider.md | 6 ++--- .../mdm/policy-csp-abovelock.md | 8 +++---- .../mdm/policy-csp-accounts.md | 8 +++---- .../mdm/policy-csp-activexcontrols.md | 6 ++--- .../policy-csp-admx-activexinstallservice.md | 6 ++--- .../mdm/policy-csp-admx-addremoveprograms.md | 6 
++--- .../mdm/policy-csp-admx-admpwd.md | 6 ++--- .../mdm/policy-csp-admx-appcompat.md | 6 ++--- .../mdm/policy-csp-admx-appxpackagemanager.md | 6 ++--- .../mdm/policy-csp-admx-appxruntime.md | 6 ++--- .../mdm/policy-csp-admx-attachmentmanager.md | 6 ++--- .../mdm/policy-csp-admx-auditsettings.md | 6 ++--- .../mdm/policy-csp-admx-bits.md | 6 ++--- .../mdm/policy-csp-admx-ciphersuiteorder.md | 6 ++--- .../mdm/policy-csp-admx-com.md | 6 ++--- .../mdm/policy-csp-admx-controlpanel.md | 6 ++--- .../policy-csp-admx-controlpaneldisplay.md | 6 ++--- .../mdm/policy-csp-admx-cpls.md | 6 ++--- .../policy-csp-admx-credentialproviders.md | 6 ++--- .../mdm/policy-csp-admx-credssp.md | 6 ++--- .../mdm/policy-csp-admx-credui.md | 6 ++--- .../mdm/policy-csp-admx-ctrlaltdel.md | 6 ++--- .../mdm/policy-csp-admx-datacollection.md | 6 ++--- .../mdm/policy-csp-admx-dcom.md | 6 ++--- .../mdm/policy-csp-admx-desktop.md | 6 ++--- .../mdm/policy-csp-admx-devicecompat.md | 6 ++--- .../mdm/policy-csp-admx-deviceguard.md | 6 ++--- .../mdm/policy-csp-admx-deviceinstallation.md | 6 ++--- .../mdm/policy-csp-admx-devicesetup.md | 6 ++--- .../mdm/policy-csp-admx-dfs.md | 6 ++--- .../mdm/policy-csp-admx-digitallocker.md | 6 ++--- .../mdm/policy-csp-admx-diskdiagnostic.md | 6 ++--- .../mdm/policy-csp-admx-disknvcache.md | 6 ++--- .../mdm/policy-csp-admx-diskquota.md | 6 ++--- ...policy-csp-admx-distributedlinktracking.md | 6 ++--- .../mdm/policy-csp-admx-dnsclient.md | 6 ++--- .../mdm/policy-csp-admx-dwm.md | 6 ++--- .../mdm/policy-csp-admx-eaime.md | 6 ++--- .../mdm/policy-csp-admx-encryptfilesonmove.md | 6 ++--- .../mdm/policy-csp-admx-enhancedstorage.md | 6 ++--- .../mdm/policy-csp-admx-errorreporting.md | 6 ++--- .../mdm/policy-csp-admx-eventforwarding.md | 6 ++--- .../mdm/policy-csp-admx-eventlog.md | 6 ++--- .../mdm/policy-csp-admx-eventlogging.md | 6 ++--- .../mdm/policy-csp-admx-eventviewer.md | 6 ++--- .../mdm/policy-csp-admx-explorer.md | 6 ++--- .../mdm/policy-csp-admx-externalboot.md | 6 
++--- .../mdm/policy-csp-admx-filerecovery.md | 6 ++--- .../mdm/policy-csp-admx-filerevocation.md | 6 ++--- .../policy-csp-admx-fileservervssprovider.md | 6 ++--- .../mdm/policy-csp-admx-filesys.md | 6 ++--- .../mdm/policy-csp-admx-folderredirection.md | 6 ++--- .../mdm/policy-csp-admx-framepanes.md | 6 ++--- .../mdm/policy-csp-admx-fthsvc.md | 6 ++--- .../mdm/policy-csp-admx-globalization.md | 6 ++--- .../mdm/policy-csp-admx-grouppolicy.md | 6 ++--- .../mdm/policy-csp-admx-help.md | 6 ++--- .../mdm/policy-csp-admx-helpandsupport.md | 6 ++--- .../mdm/policy-csp-admx-hotspotauth.md | 6 ++--- .../mdm/policy-csp-admx-icm.md | 6 ++--- .../mdm/policy-csp-admx-iis.md | 6 ++--- .../mdm/policy-csp-admx-iscsi.md | 6 ++--- .../mdm/policy-csp-admx-kdc.md | 6 ++--- .../mdm/policy-csp-admx-kerberos.md | 6 ++--- .../mdm/policy-csp-admx-lanmanserver.md | 6 ++--- .../mdm/policy-csp-admx-lanmanworkstation.md | 6 ++--- .../mdm/policy-csp-admx-leakdiagnostic.md | 6 ++--- ...icy-csp-admx-linklayertopologydiscovery.md | 6 ++--- .../policy-csp-admx-locationprovideradm.md | 6 ++--- .../mdm/policy-csp-admx-logon.md | 6 ++--- ...icy-csp-admx-microsoftdefenderantivirus.md | 6 ++--- .../mdm/policy-csp-admx-mmc.md | 6 ++--- .../mdm/policy-csp-admx-mmcsnapins.md | 6 ++--- .../policy-csp-admx-mobilepcmobilitycenter.md | 6 ++--- ...y-csp-admx-mobilepcpresentationsettings.md | 6 ++--- .../mdm/policy-csp-admx-msapolicy.md | 6 ++--- .../mdm/policy-csp-admx-msched.md | 6 ++--- .../mdm/policy-csp-admx-msdt.md | 6 ++--- .../mdm/policy-csp-admx-msi.md | 6 ++--- .../mdm/policy-csp-admx-msifilerecovery.md | 6 ++--- .../mdm/policy-csp-admx-nca.md | 6 ++--- .../mdm/policy-csp-admx-ncsi.md | 6 ++--- .../mdm/policy-csp-admx-netlogon.md | 6 ++--- .../mdm/policy-csp-admx-networkconnections.md | 6 ++--- .../mdm/policy-csp-admx-offlinefiles.md | 6 ++--- .../mdm/policy-csp-admx-pca.md | 6 ++--- .../mdm/policy-csp-admx-peertopeercaching.md | 6 ++--- .../mdm/policy-csp-admx-pentraining.md | 6 ++--- 
.../policy-csp-admx-performancediagnostics.md | 6 ++--- .../mdm/policy-csp-admx-power.md | 6 ++--- ...licy-csp-admx-powershellexecutionpolicy.md | 6 ++--- .../mdm/policy-csp-admx-previousversions.md | 6 ++--- .../mdm/policy-csp-admx-printing.md | 6 ++--- .../mdm/policy-csp-admx-printing2.md | 6 ++--- .../mdm/policy-csp-admx-programs.md | 6 ++--- .../mdm/policy-csp-admx-pushtoinstall.md | 6 ++--- .../mdm/policy-csp-admx-radar.md | 6 ++--- .../mdm/policy-csp-admx-reliability.md | 6 ++--- .../mdm/policy-csp-admx-remoteassistance.md | 6 ++--- .../mdm/policy-csp-admx-removablestorage.md | 6 ++--- .../mdm/policy-csp-admx-rpc.md | 6 ++--- .../mdm/policy-csp-admx-scripts.md | 6 ++--- .../mdm/policy-csp-admx-sdiageng.md | 6 ++--- .../mdm/policy-csp-admx-sdiagschd.md | 6 ++--- .../mdm/policy-csp-admx-securitycenter.md | 6 ++--- .../mdm/policy-csp-admx-sensors.md | 6 ++--- .../mdm/policy-csp-admx-servermanager.md | 6 ++--- .../mdm/policy-csp-admx-servicing.md | 6 ++--- .../mdm/policy-csp-admx-settingsync.md | 6 ++--- .../mdm/policy-csp-admx-sharedfolders.md | 6 ++--- .../mdm/policy-csp-admx-sharing.md | 6 ++--- ...csp-admx-shellcommandpromptregedittools.md | 6 ++--- .../mdm/policy-csp-admx-smartcard.md | 6 ++--- .../mdm/policy-csp-admx-snmp.md | 6 ++--- .../mdm/policy-csp-admx-soundrec.md | 6 ++--- .../mdm/policy-csp-admx-srmfci.md | 6 ++--- .../mdm/policy-csp-admx-startmenu.md | 6 ++--- .../mdm/policy-csp-admx-systemrestore.md | 6 ++--- .../mdm/policy-csp-admx-tabletshell.md | 6 ++--- .../mdm/policy-csp-admx-taskbar.md | 6 ++--- .../mdm/policy-csp-admx-tcpip.md | 6 ++--- .../mdm/policy-csp-admx-terminalserver.md | 6 ++--- .../mdm/policy-csp-admx-thumbnails.md | 6 ++--- .../mdm/policy-csp-admx-touchinput.md | 6 ++--- .../mdm/policy-csp-admx-tpm.md | 6 ++--- ...y-csp-admx-userexperiencevirtualization.md | 6 ++--- .../mdm/policy-csp-admx-userprofiles.md | 6 ++--- .../mdm/policy-csp-admx-w32time.md | 6 ++--- .../mdm/policy-csp-admx-wcm.md | 6 ++--- .../mdm/policy-csp-admx-wdi.md 
| 6 ++--- .../mdm/policy-csp-admx-wincal.md | 6 ++--- .../mdm/policy-csp-admx-windowscolorsystem.md | 6 ++--- .../mdm/policy-csp-admx-windowsconnectnow.md | 6 ++--- .../mdm/policy-csp-admx-windowsexplorer.md | 6 ++--- .../mdm/policy-csp-admx-windowsmediadrm.md | 6 ++--- .../mdm/policy-csp-admx-windowsmediaplayer.md | 6 ++--- ...policy-csp-admx-windowsremotemanagement.md | 6 ++--- .../mdm/policy-csp-admx-windowsstore.md | 6 ++--- .../mdm/policy-csp-admx-wininit.md | 6 ++--- .../mdm/policy-csp-admx-winlogon.md | 6 ++--- .../mdm/policy-csp-admx-winsrv.md | 6 ++--- .../mdm/policy-csp-admx-wlansvc.md | 6 ++--- .../mdm/policy-csp-admx-wordwheel.md | 6 ++--- .../mdm/policy-csp-admx-workfoldersclient.md | 6 ++--- .../mdm/policy-csp-admx-wpn.md | 6 ++--- .../mdm/policy-csp-applicationdefaults.md | 6 ++--- .../mdm/policy-csp-applicationmanagement.md | 6 ++--- .../mdm/policy-csp-appruntime.md | 6 ++--- .../mdm/policy-csp-appvirtualization.md | 6 ++--- .../mdm/policy-csp-attachmentmanager.md | 6 ++--- .../client-management/mdm/policy-csp-audit.md | 4 ++-- .../mdm/policy-csp-authentication.md | 6 ++--- .../mdm/policy-csp-autoplay.md | 6 ++--- .../mdm/policy-csp-bitlocker.md | 6 ++--- .../client-management/mdm/policy-csp-bits.md | 8 +++---- .../mdm/policy-csp-bluetooth.md | 6 ++--- .../mdm/policy-csp-browser.md | 6 ++--- .../mdm/policy-csp-camera.md | 6 ++--- .../mdm/policy-csp-cellular.md | 6 ++--- .../mdm/policy-csp-connectivity.md | 8 +++---- .../mdm/policy-csp-controlpolicyconflict.md | 6 ++--- .../mdm/policy-csp-credentialproviders.md | 6 ++--- .../mdm/policy-csp-credentialsdelegation.md | 6 ++--- .../mdm/policy-csp-credentialsui.md | 6 ++--- .../mdm/policy-csp-cryptography.md | 6 ++--- .../mdm/policy-csp-dataprotection.md | 6 ++--- .../mdm/policy-csp-datausage.md | 8 +++---- .../mdm/policy-csp-defender.md | 6 ++--- .../mdm/policy-csp-deliveryoptimization.md | 6 ++--- .../mdm/policy-csp-desktop.md | 6 ++--- .../mdm/policy-csp-deviceguard.md | 6 ++--- 
.../mdm/policy-csp-devicehealthmonitoring.md | 6 ++--- .../mdm/policy-csp-deviceinstallation.md | 6 ++--- .../mdm/policy-csp-devicelock.md | 6 ++--- .../mdm/policy-csp-display.md | 6 ++--- .../mdm/policy-csp-dmaguard.md | 6 ++--- .../client-management/mdm/policy-csp-eap.md | 8 +++---- .../mdm/policy-csp-education.md | 8 +++---- .../mdm/policy-csp-enterprisecloudprint.md | 6 ++--- .../mdm/policy-csp-errorreporting.md | 6 ++--- .../mdm/policy-csp-eventlogservice.md | 6 ++--- .../mdm/policy-csp-experience.md | 6 ++--- .../mdm/policy-csp-exploitguard.md | 6 ++--- .../client-management/mdm/policy-csp-feeds.md | 6 ++--- .../mdm/policy-csp-fileexplorer.md | 6 ++--- .../client-management/mdm/policy-csp-games.md | 6 ++--- .../mdm/policy-csp-handwriting.md | 6 ++--- .../mdm/policy-csp-humanpresence.md | 6 ++--- .../mdm/policy-csp-internetexplorer.md | 6 ++--- .../mdm/policy-csp-kerberos.md | 6 ++--- .../mdm/policy-csp-kioskbrowser.md | 6 ++--- .../mdm/policy-csp-lanmanworkstation.md | 6 ++--- .../mdm/policy-csp-licensing.md | 6 ++--- ...policy-csp-localpoliciessecurityoptions.md | 6 ++--- .../mdm/policy-csp-localusersandgroups.md | 6 ++--- .../mdm/policy-csp-lockdown.md | 6 ++--- .../client-management/mdm/policy-csp-maps.md | 6 ++--- .../mdm/policy-csp-memorydump.md | 6 ++--- .../mdm/policy-csp-messaging.md | 6 ++--- .../mdm/policy-csp-mixedreality.md | 6 ++--- .../mdm/policy-csp-mssecurityguide.md | 6 ++--- .../mdm/policy-csp-msslegacy.md | 8 +++---- .../mdm/policy-csp-multitasking.md | 6 ++--- .../mdm/policy-csp-networkisolation.md | 6 ++--- .../mdm/policy-csp-networklistmanager.md | 6 ++--- .../mdm/policy-csp-newsandinterests.md | 6 ++--- .../mdm/policy-csp-notifications.md | 6 ++--- .../client-management/mdm/policy-csp-power.md | 6 ++--- .../mdm/policy-csp-printers.md | 8 +++---- .../mdm/policy-csp-privacy.md | 6 ++--- .../mdm/policy-csp-remoteassistance.md | 6 ++--- .../mdm/policy-csp-remotedesktop.md | 6 ++--- .../mdm/policy-csp-remotedesktopservices.md | 6 ++--- 
.../mdm/policy-csp-remotemanagement.md | 6 ++--- .../mdm/policy-csp-remoteprocedurecall.md | 6 ++--- .../mdm/policy-csp-remoteshell.md | 6 ++--- .../mdm/policy-csp-restrictedgroups.md | 6 ++--- .../mdm/policy-csp-search.md | 6 ++--- .../mdm/policy-csp-security.md | 6 ++--- .../mdm/policy-csp-servicecontrolmanager.md | 2 +- .../mdm/policy-csp-settings.md | 6 ++--- .../mdm/policy-csp-smartscreen.md | 6 ++--- .../mdm/policy-csp-speech.md | 6 ++--- .../client-management/mdm/policy-csp-start.md | 6 ++--- .../mdm/policy-csp-storage.md | 6 ++--- .../mdm/policy-csp-system.md | 6 ++--- .../mdm/policy-csp-systemservices.md | 6 ++--- .../mdm/policy-csp-taskmanager.md | 6 ++--- .../mdm/policy-csp-taskscheduler.md | 6 ++--- .../mdm/policy-csp-textinput.md | 6 ++--- .../mdm/policy-csp-timelanguagesettings.md | 6 ++--- .../mdm/policy-csp-troubleshooting.md | 4 ++-- .../mdm/policy-csp-update.md | 6 ++--- .../mdm/policy-csp-userrights.md | 6 ++--- ...olicy-csp-virtualizationbasedtechnology.md | 6 ++--- .../client-management/mdm/policy-csp-wifi.md | 6 ++--- .../mdm/policy-csp-windowsautopilot.md | 6 ++--- .../policy-csp-windowsconnectionmanager.md | 6 ++--- ...olicy-csp-windowsdefendersecuritycenter.md | 8 +++---- .../mdm/policy-csp-windowsinkworkspace.md | 6 ++--- .../mdm/policy-csp-windowslogon.md | 6 ++--- .../mdm/policy-csp-windowspowershell.md | 6 ++--- .../mdm/policy-csp-windowssandbox.md | 4 ++-- .../mdm/policy-csp-wirelessdisplay.md | 6 ++--- .../client-management/mdm/policy-ddf-file.md | 6 ++--- .../client-management/mdm/provisioning-csp.md | 6 ++--- .../mdm/push-notification-windows-mdm.md | 12 +++++----- .../client-management/mdm/pxlogical-csp.md | 6 ++--- windows/client-management/mdm/reboot-csp.md | 6 ++--- .../client-management/mdm/reboot-ddf-file.md | 6 ++--- .../mdm/reclaim-seat-from-user.md | 6 ++--- ...ree-azure-active-directory-subscription.md | 6 ++--- .../client-management/mdm/remotefind-csp.md | 6 ++--- .../mdm/remotefind-ddf-file.md | 6 ++--- 
.../client-management/mdm/remotering-csp.md | 6 ++--- .../client-management/mdm/remotewipe-csp.md | 6 ++--- .../mdm/remotewipe-ddf-file.md | 6 ++--- .../client-management/mdm/reporting-csp.md | 6 ++--- .../mdm/reporting-ddf-file.md | 6 ++--- ...pi-reference-windows-store-for-business.md | 12 +++++----- .../mdm/rootcacertificates-csp.md | 6 ++--- .../mdm/rootcacertificates-ddf-file.md | 6 ++--- .../mdm/secureassessment-csp.md | 6 ++--- .../mdm/secureassessment-ddf-file.md | 6 ++--- .../mdm/securitypolicy-csp.md | 6 ++--- .../mdm/server-requirements-windows-mdm.md | 12 +++++----- windows/client-management/mdm/sharedpc-csp.md | 6 ++--- .../mdm/sharedpc-ddf-file.md | 6 ++--- windows/client-management/mdm/storage-csp.md | 6 ++--- .../client-management/mdm/storage-ddf-file.md | 6 ++--- .../structure-of-oma-dm-provisioning-files.md | 6 ++--- windows/client-management/mdm/supl-csp.md | 6 ++--- .../client-management/mdm/supl-ddf-file.md | 6 ++--- .../client-management/mdm/surfacehub-csp.md | 6 ++--- .../mdm/surfacehub-ddf-file.md | 6 ++--- .../mdm/tenantlockdown-csp.md | 6 ++--- .../mdm/tenantlockdown-ddf.md | 6 ++--- .../client-management/mdm/tpmpolicy-csp.md | 6 ++--- .../mdm/tpmpolicy-ddf-file.md | 6 ++--- windows/client-management/mdm/uefi-csp.md | 6 ++--- windows/client-management/mdm/uefi-ddf.md | 6 ++--- .../mdm/understanding-admx-backed-policies.md | 6 ++--- .../mdm/unifiedwritefilter-csp.md | 6 ++--- .../mdm/unifiedwritefilter-ddf.md | 6 ++--- .../mdm/universalprint-csp.md | 6 ++--- .../mdm/universalprint-ddf-file.md | 6 ++--- windows/client-management/mdm/update-csp.md | 6 ++--- .../client-management/mdm/update-ddf-file.md | 6 ++--- ...-scripting-with-the-wmi-bridge-provider.md | 6 ++--- windows/client-management/mdm/vpn-csp.md | 6 ++--- windows/client-management/mdm/vpn-ddf-file.md | 6 ++--- windows/client-management/mdm/vpnv2-csp.md | 6 ++--- .../client-management/mdm/vpnv2-ddf-file.md | 6 ++--- .../mdm/vpnv2-profile-xsd.md | 8 +++---- 
.../mdm/w4-application-csp.md | 6 ++--- .../mdm/w7-application-csp.md | 6 ++--- windows/client-management/mdm/wifi-csp.md | 8 +++---- .../client-management/mdm/wifi-ddf-file.md | 6 ++--- ...and-centennial-app-policy-configuration.md | 6 ++--- .../mdm/win32appinventory-csp.md | 6 ++--- .../mdm/win32appinventory-ddf-file.md | 6 ++--- .../mdm/win32compatibilityappraiser-csp.md | 6 ++--- .../mdm/win32compatibilityappraiser-ddf.md | 6 ++--- .../mdm/windows-mdm-enterprise-settings.md | 12 +++++----- .../windowsadvancedthreatprotection-csp.md | 6 ++--- .../windowsadvancedthreatprotection-ddf.md | 6 ++--- .../mdm/windowsautopilot-csp.md | 6 ++--- .../mdm/windowsautopilot-ddf-file.md | 6 ++--- .../windowsdefenderapplicationguard-csp.md | 6 ++--- ...indowsdefenderapplicationguard-ddf-file.md | 6 ++--- .../mdm/windowslicensing-csp.md | 6 ++--- .../mdm/windowslicensing-ddf-file.md | 6 ++--- .../client-management/mdm/wirednetwork-csp.md | 6 ++--- .../mdm/wirednetwork-ddf-file.md | 8 +++---- .../mdm/wmi-providers-supported-in-windows.md | 12 +++++----- .../new-policies-for-windows-10.md | 6 ++--- windows/client-management/quick-assist.md | 6 ++--- .../windows-10-support-solutions.md | 6 ++--- .../client-management/windows-libraries.md | 6 ++--- .../windows-version-search.md | 6 ++--- 470 files changed, 1465 insertions(+), 1465 deletions(-) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 76d04a5dd1..5260e5f1db 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md 
@@ -2,9 +2,9 @@ title: Windows Tools/Administrative Tools description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users. ms.prod: w10 -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz ms.localizationpriority: medium ms.date: 03/28/2022 ms.topic: article diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md index 8b0e587b74..7a16f17f4d 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/change-default-removal-policy-external-storage-media.md @@ -1,15 +1,15 @@ --- title: Windows 10 default media removal policy -description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal." +description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal. ms.prod: w10 -author: Teresa-Motiv -ms.author: dougeby +author: vinaypamnani-msft +ms.author: vinpa ms.date: 11/25/2020 ms.topic: article ms.custom: -- CI 111493 -- CI 125140 -- CSSTroubleshooting + - CI 111493 + - CI 125140 + - CSSTroubleshooting audience: ITPro ms.localizationpriority: medium manager: kaushika diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index ea9fe24821..a2b2682d33 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -2,12 +2,12 @@ title: Connect to remote Azure Active Directory-joined PC (Windows) description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium -ms.author: dansimp +ms.author: vinpa ms.date: 01/18/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: article ms.collection: highpri --- diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md index dfb3d72af7..44304f2950 100644 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md @@ -2,12 +2,12 @@ title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10) description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/14/2021 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: troubleshooting --- diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index 36da3dfcc9..022820d4e9 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md 
@@ -2,11 +2,11 @@ title: Manage corporate devices description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. ms.reviewer: -manager: dansimp -ms.author: dansimp -keywords: ["MDM", "device management"] +manager: aaroncz +ms.author: vinpa +keywords: [MDM, device management] ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/14/2021 ms.topic: article diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 79544bf12c..7c8c46580d 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -2,11 +2,11 @@ title: Manage Device Installation with Group Policy (Windows 10 and Windows 11) description: Find out how to manage Device Installation Restrictions with Group Policy. ms.prod: w10 -author: aczechowski +author: vinaypamnani-msft ms.date: 09/14/2021 ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: vinpa ms.topic: article --- diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index 4914694065..d78eac22f8 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -2,11 +2,11 @@ title: Manage the Settings app with Group Policy (Windows 10 and Windows 11) description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2021 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article --- 
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 0f27f3d1d1..367392eba4 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -4,10 +4,10 @@ description: This article offers strategies for deploying and managing Windows 1 ms.prod: w10 ms.localizationpriority: medium ms.date: 06/03/2022 -author: aczechowski -ms.author: aaroncz +author: vinaypamnani-msft +ms.author: vinpa ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: overview --- diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 18aaf583be..cbf11a9442 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -2,11 +2,11 @@ title: Create mandatory user profiles (Windows 10 and Windows 11) description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. ms.prod: w10 -author: dansimp -ms.author: dansimp +author: vinaypamnani-msft +ms.author: vinpa ms.date: 09/14/2021 ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: article ms.collection: highpri --- diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 6e1bc0d9c6..948207dc6d 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md 
@@ -2,12 +2,12 @@ title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: -manager: dansimp -ms.author: v-nsatapathy +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 06/22/2021 --- diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index b55a87941f..03a75d8a7a 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -1,14 +1,14 @@ --- title: AccountManagement CSP description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # AccountManagement CSP diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md index 51380b7ed8..d425503b6a 100644 --- a/windows/client-management/mdm/accountmanagement-ddf.md +++ b/windows/client-management/mdm/accountmanagement-ddf.md @@ -1,14 +1,14 @@ --- title: AccountManagement DDF file description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # AccountManagement DDF file diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 95689e3b8f..d447311a4e 100644 
--- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -1,14 +1,14 @@ --- title: Accounts CSP description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/27/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Accounts CSP diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index e522821656..b2bffb3a42 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -1,14 +1,14 @@ --- title: Accounts DDF file description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/17/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Accounts DDF file diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 929b2dc46a..d174729230 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -1,13 +1,13 @@ --- title: ActiveSync CSP -description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. +description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- 
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 216550b80b..323fc038e9 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -2,12 +2,12 @@ title: ActiveSync DDF file description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index 85a599abb8..f5f05c6ddb 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md @@ -2,12 +2,12 @@ title: Add an Azure AD tenant and Azure AD subscription description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index b8a280a346..e8aab159fb 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md 
@@ -2,12 +2,12 @@ title: AllJoynManagement CSP description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index bcb19ed0cd..edc188feac 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -2,12 +2,12 @@ title: AllJoynManagement DDF description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index 4502b38c2c..466550a3e5 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -2,12 +2,12 @@ title: APPLICATION CSP description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 2c91bf430b..62648efd94 100644 
--- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md @@ -1,11 +1,11 @@ --- title: ApplicationControl CSP DDF description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/10/2019 --- diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 970bfa5103..e587cf8a3c 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -1,11 +1,11 @@ --- title: ApplicationControl CSP description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.reviewer: jsuther1974 ms.date: 09/10/2020 --- diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 7ed2500275..abccc814e8 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -2,12 +2,12 @@ title: AppLocker CSP description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2019 --- diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index 38e2c8e7bc..30adaa5b15 100644 
--- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -2,12 +2,12 @@ title: AppLocker DDF file description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md index 9eedf4f812..4c9943e332 100644 --- a/windows/client-management/mdm/applocker-xsd.md +++ b/windows/client-management/mdm/applocker-xsd.md @@ -2,12 +2,12 @@ title: AppLocker XSD description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 79bb949ff1..a407704b93 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -1,14 +1,14 @@ --- title: Deploy and configure App-V apps using MDM description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Deploy and configure App-V apps using MDM 
diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md index d8c68d15e5..7394103149 100644 --- a/windows/client-management/mdm/assign-seats.md +++ b/windows/client-management/mdm/assign-seats.md @@ -2,12 +2,12 @@ title: Assign seat description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index cf61a9f2c1..c0085b11e0 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -2,12 +2,12 @@ title: AssignedAccess CSP description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/03/2022 --- diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 276a419912..36b3670dac 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -2,12 +2,12 @@ title: AssignedAccess DDF description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/22/2018 --- 
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 5430991444..467e007dd7 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -2,12 +2,12 @@ title: Azure Active Directory integration with MDM description: Azure Active Directory is the world largest enterprise cloud identity management service. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.collection: highpri --- diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index ce25592491..e54875a1df 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -1,14 +1,14 @@ --- title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 7af651d2c0..a9cfa0de6d 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -1,15 +1,15 @@ --- title: BitLocker CSP description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/04/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index b40819c5e8..663e7d623f 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -1,15 +1,15 @@ --- title: BitLocker DDF file description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/30/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # BitLocker DDF file diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index 19a2fa944c..a02395dea5 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -2,12 +2,12 @@ title: Bulk assign and reclaim seats from users description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- 
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index a6d69bff48..c54261ccfa 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -5,12 +5,12 @@ MS-HAID: - 'p\_phdevicemgmt.bulk\_enrollment' - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 8e5f9ebac8..6c97d9489d 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -2,12 +2,12 @@ title: CellularSettings CSP description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index f7af4adf18..9ea52d92fc 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md 
@@ -2,12 +2,12 @@ title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index 078523d5fb..96a2369975 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -5,12 +5,12 @@ MS-HAID: - 'p\_phdevicemgmt.certificate\_renewal' - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 423745bbf6..585bfdba94 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -2,12 +2,12 @@ title: CertificateStore CSP description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/28/2020 --- diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index d05b283472..a99edbb1e3 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md 
+++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -2,12 +2,12 @@ title: CertificateStore DDF file description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 335e7119ac..a01ff5b853 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -1,10 +1,10 @@ --- title: Change history for MDM documentation description: This article lists new and updated articles for Mobile Device Management. -author: aczechowski -ms.author: aaroncz -ms.reviewer: -manager: dougeby +author: vinaypamnani-msft +ms.author: vinpa +ms.reviewer: +manager: aaroncz ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index 3c615c5b08..74cd9636c7 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -1,14 +1,14 @@ --- title: CleanPC CSP description: The CleanPC configuration service provider (CSP) allows you to remove user-installed and pre-installed applications, with the option to persist user data. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # CleanPC CSP 
diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index d5f5924627..9677737584 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -2,12 +2,12 @@ title: CleanPC DDF description: Learn about the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 8d30b4114c..faff015660 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -2,12 +2,12 @@ title: ClientCertificateInstall CSP description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/30/2021 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index da749c41ae..716eff3eef 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md 
@@ -2,12 +2,12 @@ title: ClientCertificateInstall DDF file description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 2204143dfe..910c3b6c31 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -2,12 +2,12 @@ title: CM\_CellularEntries CSP description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/02/2017 --- diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 94b8c15c30..38d7d17625 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -2,12 +2,12 @@ title: CMPolicy CSP description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index a2858ed680..8515da3881 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md 
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -2,12 +2,12 @@ title: CMPolicyEnterprise CSP description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 9714d6d292..47fd1ec39d 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -2,12 +2,12 @@ title: CMPolicyEnterprise DDF file description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md index a2167e456e..a9339f8e76 100644 --- a/windows/client-management/mdm/config-lock.md +++ b/windows/client-management/mdm/config-lock.md @@ -1,12 +1,12 @@ --- title: Secured-core configuration lock description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. -manager: dansimp -ms.author: v-lsaldanha +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w11 ms.technology: windows -author: lovina-saldanha +author: vinaypamnani-msft ms.date: 05/24/2022 --- 
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 6c7adbc949..62eca97eea 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2,12 +2,12 @@ title: Configuration service provider reference description: A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.collection: highpri --- diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index de2896f574..759f17f26a 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -2,12 +2,12 @@ title: CustomDeviceUI CSP description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 0433c22507..f847a4ba95 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md 
@@ -2,12 +2,12 @@ title: CustomDeviceUI DDF description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 138c6d80c8..e39e9c9e12 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -1,16 +1,16 @@ --- title: Data structures for Microsoft Store for Business description: Learn about the various data structures for Microsoft Store for Business. -MS-HAID: -- 'p\_phdevicemgmt.business\_store\_data\_structures' -- 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' +MS-HAID: + - 'p\_phdevicemgmt.business\_store\_data\_structures' + - 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 6a6904fd19..ca3b7ea096 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md 
@@ -2,12 +2,12 @@ title: Defender CSP description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/22/2022 --- diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 9bf6463258..1a99f5c85b 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -2,12 +2,12 @@ title: Defender DDF file description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/23/2021 --- diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 23a246c454..a1b368c716 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -2,12 +2,12 @@ title: DevDetail CSP description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/27/2020 --- diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index e1d79c9308..957eb5558f 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md 
+++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -2,12 +2,12 @@ title: DevDetail DDF file description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/03/2020 --- diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 244e26d627..592432a187 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -2,12 +2,12 @@ title: DeveloperSetup CSP description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the Windows 10, version 1703. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2018 --- diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md index 4d959b186f..ae96fa64df 100644 --- a/windows/client-management/mdm/developersetup-ddf.md +++ b/windows/client-management/mdm/developersetup-ddf.md @@ -2,12 +2,12 @@ title: DeveloperSetup DDF file description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- 
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 030e89915c..bd5f317fc2 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -2,12 +2,12 @@ title: Mobile device management MDM for device updates description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/15/2017 ms.collection: highpri --- diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 2ee9b7eb60..29938e34dc 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -2,12 +2,12 @@ title: DeviceLock CSP description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index 75ec208587..974d878b01 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md 
@@ -2,12 +2,12 @@ title: DeviceLock DDF file description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 355ebdc632..b650e3c405 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -1,13 +1,13 @@ --- title: DeviceManageability CSP -description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device. +description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index f57ca0aef2..23dd9b8cf6 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md 
@@ -2,12 +2,12 @@ title: DeviceManageability DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index e804c7d30b..c900b41939 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -2,12 +2,12 @@ title: DeviceStatus CSP description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/25/2021 --- diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 5327b89015..9019f6a5b9 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -2,12 +2,12 @@ title: DeviceStatus DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index c8403f3163..fe9309086b 100644 
--- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -2,12 +2,12 @@ title: DevInfo CSP description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index 9d99d2d67b..ae70ac7ba1 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -2,12 +2,12 @@ title: DevInfo DDF file description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index ea79a37fdb..1191fc721d 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -2,12 +2,12 @@ title: Diagnose MDM failures in Windows 10 description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/25/2018 ms.collection: highpri --- 
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index cdf8c2917d..119d455dec 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -2,12 +2,12 @@ title: DiagnosticLog CSP description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2019 --- diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 38cf705e56..379b38b3fe 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -2,12 +2,12 @@ title: DiagnosticLog DDF description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index b3582457ad..31fbaa5aa9 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md 
@@ -1,16 +1,16 @@ --- title: Disconnecting from the management infrastructure (unenrollment) description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. -MS-HAID: -- 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' -- 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' +MS-HAID: + - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' + - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 9938c6c5dc..ad9d6ccc76 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -2,12 +2,12 @@ title: DMAcc CSP description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index b967d91e87..4ba6320269 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md 
@@ -2,12 +2,12 @@ title: DMAcc DDF file description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 165584ee19..dbaec53d02 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -2,12 +2,12 @@ title: DMClient CSP description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index ca0753b5bc..2f7ca1fb7e 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -2,12 +2,12 @@ title: DMClient DDF file description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 27091ecd80..471f590bc9 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md 
@@ -3,20 +3,20 @@ title: DMProcessConfigXMLFiltered function description: Learn how the DMProcessConfigXMLFiltered function configures phone settings by using OMA Client Provisioning XML. Search.Refinement.TopicID: 184 ms.reviewer: -manager: dansimp -topic_type: -- apiref -api_name: -- DMProcessConfigXMLFiltered -api_location: -- dmprocessxmlfiltered.dll -api_type: -- DllExport -ms.author: dansimp +manager: aaroncz +topic_type: + - apiref +api_name: + - DMProcessConfigXMLFiltered +api_location: + - dmprocessxmlfiltered.dll +api_type: + - DllExport +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 8a95673243..e9c3080fba 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -1,14 +1,14 @@ --- title: DMSessionActions CSP description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # DMSessionActions CSP diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md index 7cebc030ce..fcb5cb106e 100644 --- a/windows/client-management/mdm/dmsessionactions-ddf.md +++ b/windows/client-management/mdm/dmsessionactions-ddf.md 
@@ -1,14 +1,14 @@ --- title: DMSessionActions DDF file description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # DMSessionActions DDF file diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index ce38bf29cd..3e4e54c181 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -1,14 +1,14 @@ --- title: DynamicManagement CSP description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md index 0bb1c75f3e..0e2a6dd191 100644 --- a/windows/client-management/mdm/dynamicmanagement-ddf.md +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md @@ -2,12 +2,12 @@ title: DynamicManagement DDF file description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 6eff7f2a44..1298e152d0 100644 
--- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -2,12 +2,12 @@ title: EAP configuration description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 2c03c1146b..a88665101f 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -2,12 +2,12 @@ title: EMAIL2 CSP description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index 7e3c271fc3..ec7d604849 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -2,12 +2,12 @@ title: EMAIL2 DDF file description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index 7a4821350c..a8fdcc53b2 100644 
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -1,15 +1,15 @@ --- title: Enable ADMX policies in MDM description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/01/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Enable ADMX policies in MDM diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 8076b0a504..b7a2a1544c 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -1,14 +1,14 @@ --- title: Enroll a Windows 10 device automatically using Group Policy description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/30/2022 -ms.reviewer: -manager: dansimp +ms.reviewer: +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md index 75870e43e0..40b17f8970 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md 
@@ -1,11 +1,11 @@ --- title: EnrollmentStatusTracking DDF description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/17/2019 --- diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index d345f06255..3ad33fa688 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -1,11 +1,11 @@ --- title: EnrollmentStatusTracking CSP description: Learn how to execute a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/21/2019 --- diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index c64c2d9ba3..d2dc640f22 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -2,12 +2,12 @@ title: Enterprise app management description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/04/2021 --- diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 1e49e6f694..7988975af6 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md 
+++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -2,12 +2,12 @@ title: EnterpriseAPN CSP description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/22/2017 --- diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 2e81ae80fd..e83aef75e3 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -2,12 +2,12 @@ title: EnterpriseAPN DDF description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index b2a5361647..23d45c61be 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md 
@@ -1,14 +1,14 @@ --- title: EnterpriseAppVManagement CSP -description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions). -ms.author: dansimp +description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions). +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # EnterpriseAppVManagement CSP diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md index 1c18aff981..0572ef9f96 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md @@ -1,14 +1,14 @@ --- title: EnterpriseAppVManagement DDF file description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # EnterpriseAppVManagement DDF file diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 176e9f3b24..bf660969d6 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md 
@@ -3,12 +3,12 @@ title: EnterpriseDataProtection CSP description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings. ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/09/2017 --- diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md index 68e337c333..f8be987381 100644 --- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md +++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md @@ -2,12 +2,12 @@ title: EnterpriseDataProtection DDF file description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 4b5ab02de2..d06146f5a0 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md 
@@ -3,12 +3,12 @@ title: EnterpriseDesktopAppManagement CSP description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/11/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 0803a2e9ab..dcf0663717 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md @@ -2,12 +2,12 @@ title: EnterpriseDesktopAppManagement DDF description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md index c570ad096b..4117208a89 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md 
@@ -2,12 +2,12 @@ title: EnterpriseDesktopAppManagement XSD description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 7b616f1543..6aed81068c 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -2,12 +2,12 @@ title: EnterpriseModernAppManagement CSP description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2021 --- diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 9e25733411..3a270aad3c 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -2,12 +2,12 @@ title: EnterpriseModernAppManagement DDF description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/01/2019 --- 
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md index dc9995f5ef..95016ab8fc 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md @@ -2,12 +2,12 @@ title: EnterpriseModernAppManagement XSD description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 30cebf3d9e..cdc60b2936 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -2,9 +2,9 @@ title: eSIM Enterprise Management description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows. ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium -ms.author: dansimp +ms.author: vinpa ms.topic: conceptual --- diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 4a840115e0..8d50139134 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md 
@@ -1,14 +1,14 @@ --- title: eUICCs CSP description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/02/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # eUICCs CSP diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index e6d041a4a2..c17f08e0f3 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -2,12 +2,12 @@ title: eUICCs DDF file description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/02/2018 --- diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 1bbe746b59..d0e4cb46c1 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -2,12 +2,12 @@ title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/28/2017 --- diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index ddcd82076c..af9202d9ca 100644 
--- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -1,13 +1,13 @@ --- title: Firewall CSP description: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.reviewer: -manager: dansimp +manager: aaroncz --- # Firewall configuration service provider (CSP) diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index fa54a62a29..50b8729198 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -1,14 +1,14 @@ --- title: Firewall DDF file description: Learn about the OMA DM device description framework (DDF) for the Firewall configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Firewall CSP diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index c4613e5251..2aa1418ebf 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md 
@@ -1,16 +1,16 @@ --- title: Get Inventory description: The Get Inventory operation retrieves information from the Microsoft Store for Business to determine if new or updated applications are available. -MS-HAID: -- 'p\_phdevicemgmt.get\_seatblock' -- 'p\_phDeviceMgmt.get\_inventory' +MS-HAID: + - 'p\_phdevicemgmt.get\_seatblock' + - 'p\_phDeviceMgmt.get\_inventory' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index 1b91dfb6f8..373bebf5d7 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -2,12 +2,12 @@ title: Get localized product details description: The Get localized product details operation retrieves the localization information of a product from the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/07/2020 --- diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index 24ff7dd8f5..8960d7a7eb 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md @@ -2,12 +2,12 @@ title: Get offline license description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- 
diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index 2b5f901e1d..14b0e24af9 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -2,12 +2,12 @@ title: Get product details description: The Get product details operation retrieves the product information from the Microsoft Store for Business for a specific application. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index aaeb5a3b5e..2fa11f65b3 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -2,12 +2,12 @@ title: Get product package description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md index 3eb39cbd7c..4312842783 100644 --- a/windows/client-management/mdm/get-product-packages.md +++ b/windows/client-management/mdm/get-product-packages.md 
@@ -2,12 +2,12 @@ title: Get product packages description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index d0aec2af0b..66b6b7340f 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -2,12 +2,12 @@ title: Get seat description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index a657aa4026..27a30678ae 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -2,12 +2,12 @@ title: Get seats assigned to a user description: The Get seats assigned to a user operation retrieves information about assigned seats in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index 2dc6f0a475..333d467ee8 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md 
@@ -2,12 +2,12 @@ title: Get seats description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 4eb0e57c7d..9c85e6205e 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -2,12 +2,12 @@ title: Device HealthAttestation CSP description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: --- diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 65cf48aeb7..1d1e14d1ab 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -2,12 +2,12 @@ title: HealthAttestation DDF description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 09eb2a8003..9d71b7234b 100644 
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -1,14 +1,14 @@ --- title: Support for mobile application management on Windows description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/03/2022 -ms.reviewer: -manager: dansimp +ms.reviewer: +manager: aaroncz --- diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index c472c83092..e67b40bb24 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -1,16 +1,16 @@ --- title: Management tool for the Microsoft Store for Business description: The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. -MS-HAID: -- 'p\_phdevicemgmt.business\_store\_portal\_management\_tool' -- 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' +MS-HAID: + - 'p\_phdevicemgmt.business\_store\_portal\_management\_tool' + - 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/27/2017 --- diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index ddd397d1dc..d8748f2ee6 100644 
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -1,16 +1,16 @@ --- title: MDM enrollment of Windows 10-based devices description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources. -MS-HAID: -- 'p\_phdevicemgmt.enrollment\_ui' -- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' +MS-HAID: + - 'p\_phdevicemgmt.enrollment\_ui' + - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.collection: highpri --- diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index b02ed00f8b..b161e96c13 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -2,12 +2,12 @@ title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/11/2017 ms.collection: highpri --- diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index 3a2861bbf1..0042735b48 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md 
@@ -1,14 +1,14 @@ --- title: MultiSIM CSP description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/22/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # MultiSIM CSP diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md index 18b9586283..662c3e0384 100644 --- a/windows/client-management/mdm/multisim-ddf.md +++ b/windows/client-management/mdm/multisim-ddf.md @@ -1,14 +1,14 @@ --- title: MultiSIM DDF file description: XML file containing the device description framework for the MultiSIM configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/27/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # MultiSIM DDF diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index f2e5e008b4..2a4d93d58f 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -2,12 +2,12 @@ title: NAP CSP description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index c93d4789ae..ebef8beec0 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md 
@@ -2,12 +2,12 @@ title: NAPDEF CSP description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 47b33480b1..c249a38718 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -1,14 +1,14 @@ --- title: NetworkProxy CSP description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/29/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # NetworkProxy CSP diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index 2b5f2798f2..ed25d003b2 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -1,14 +1,14 @@ --- title: NetworkProxy DDF file description: AppNetworkProxyLocker DDF file -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # NetworkProxy DDF file diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 5f455a3e9c..5b5d5d930e 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md 
@@ -1,14 +1,14 @@ --- title: NetworkQoSPolicy CSP description: The NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # NetworkQoSPolicy CSP diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index 0ba34a7805..972f823ac5 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -2,12 +2,12 @@ title: NetworkQoSPolicy DDF description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 1c9068aa93..fdfb90c836 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
@@ -1,16 +1,16 @@ --- title: What's new in MDM enrollment and management description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. -MS-HAID: -- 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' -- 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' +MS-HAID: + - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' + - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/20/2020 --- diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 09715dd733..dc9bf7a054 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -2,12 +2,12 @@ title: NodeCache CSP description: Use the NodeCache configuration service provider (CSP) to synchronize, monitor, and manage the client cache. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index e62ba59a21..8fb7117803 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md 
@@ -2,12 +2,12 @@ title: NodeCache DDF file description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index e3ee2537c2..5fc7af65c0 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -1,14 +1,14 @@ --- title: Office CSP description: The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device. This CSP was added in Windows 10, version 1703. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/15/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Office CSP diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 05bf3efc0f..94b6fecffe 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -2,12 +2,12 @@ title: Office DDF description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/15/2018 --- diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 0a6a1332c0..add5219c9e 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md 
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -2,12 +2,12 @@ title: OMA DM protocol support description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index 4d789fb346..129f2a8aae 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -2,12 +2,12 @@ title: On-premises authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 5c2ab3a0c1..d45249dffe 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -2,12 +2,12 @@ title: PassportForWork CSP description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/19/2019 --- 
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 0b43dbee05..5bdaf460f7 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -2,12 +2,12 @@ title: PassportForWork DDF description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/29/2019 --- diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 2a21d44f28..465ac4ecd9 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -1,14 +1,14 @@ --- title: Personalization CSP description: Use the Personalization CSP to lock screen and desktop background images, prevent users from changing the image, and use the settings in a provisioning package. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/28/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Personalization CSP diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index bc7605048f..80cdb39b9b 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md 
@@ -1,14 +1,14 @@ --- title: Personalization DDF file -description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP). -ms.author: dansimp +description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP). +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Personalization DDF file diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 96ba99c053..e06e70792f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -2,12 +2,12 @@ title: ADMX-backed policies in Policy CSP description: Learn about the ADMX-backed policies in Policy CSP. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/08/2020 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index fe99b88a1c..55f6a99ca0 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md 
@@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by Group Policy description: Learn about the policies in Policy CSP supported by Group Policy. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md index 58fffbd813..f70f86e654 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/17/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md index 7d67b45cd3..102a2eb6bc 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md 
@@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition description: Learn about the policies in Policy CSP supported by HoloLens (1st gen) Development Edition. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 61da8064e2..d476c304ca 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by HoloLens 2 description: Learn about the policies in Policy CSP supported by HoloLens 2. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 06/06/2022 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md index 0c5f378ed9..710a6bea37 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by Windows 10 IoT Core description: Learn about the policies in Policy CSP supported by Windows 10 IoT Core. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/16/2019 --- 
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index 5ab411d317..128bb7099b 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP supported by Microsoft Surface Hub description: Learn about the policies in Policy CSP supported by Microsoft Surface Hub. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/22/2020 --- diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md index 4f12cf7aec..0529c08779 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md +++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md @@ -2,12 +2,12 @@ title: Policies in Policy CSP that can be set using Exchange Active Sync (EAS) description: Learn about the policies in Policy CSP that can be set using Exchange Active Sync (EAS). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 --- diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 023ece8e40..3b79fcf245 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md 
@@ -2,12 +2,12 @@ title: Policy CSP description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10 and Windows 11. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 07/18/2019 ms.collection: highpri diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index e984f6f104..da3b56f932 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AboveLock -description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more. -ms.author: dansimp +description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more. +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AboveLock diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index e261b05c4e..9320bce051 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - Accounts -description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies. -ms.author: dansimp +description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies. +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Accounts diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index d96b12b249..572eef454e 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ActiveXControls description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ActiveXControls diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 2a3088be3f..05cbc1fcee 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ActiveXInstallService description: Learn about the Policy CSP - ADMX_ActiveXInstallService. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ActiveXInstallService diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 19c86af9d2..cf5b1966c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AddRemovePrograms description: Learn about the Policy CSP - ADMX_AddRemovePrograms. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AddRemovePrograms diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index b7c83023fa..5dd95ce744 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AdmPwd description: Learn about the Policy CSP - ADMX_AdmPwd. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AdmPwd diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 09e0448165..ecdf4b38bf 100644 
--- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AppCompat description: Policy CSP - ADMX_AppCompat -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 08/20/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AppCompat diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index bfa6e0e368..3e30dc883a 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AppxPackageManager description: Learn about the Policy CSP - ADMX_AppxPackageManager. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AppxPackageManager diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index f9d07fe835..786dc5626b 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AppXRuntime description: Learn about the Policy CSP - ADMX_AppXRuntime. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AppXRuntime 
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index 991162ca51..0b7733a5a2 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AttachmentManager description: Learn about the Policy CSP - ADMX_AttachmentManager. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AttachmentManager diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 4ae15d3c3b..d3fbdfca47 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_AuditSettings description: Learn about the Policy CSP - ADMX_AuditSettings. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_AuditSettings. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index ab01ed785d..52c73b763f 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Bits description: Learn about the Policy CSP - ADMX_Bits. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/20/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Bits diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index a0033b3741..86f2b2d508 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CipherSuiteOrder description: Learn about the Policy CSP - ADMX_CipherSuiteOrder. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CipherSuiteOrder diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index d24c27f120..8426131fb5 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_COM description: Learn about the Policy CSP - ADMX_COM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_COM diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index c38abdd5cc..55e7b8a33f 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md 
+++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ControlPanel description: Learn about the Policy CSP - ADMX_ControlPanel. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/05/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ControlPanel diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 8a4ec1282c..637df89faf 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ControlPanelDisplay description: Learn about the Policy CSP - ADMX_ControlPanelDisplay. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/05/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ControlPanelDisplay diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 0191a8c79c..b7c40099e2 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Cpls description: Learn about the Policy CSP - ADMX_Cpls. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Cpls 
diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index 2787753ef1..b72ed7c028 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CredentialProviders description: Learn about the Policy CSP - ADMX_CredentialProviders. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/11/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CredentialProviders diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index fb24354248..fb4a63852b 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CredSsp description: Learn about the Policy CSP - ADMX_CredSsp. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CredSsp diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index 133b87350c..68623bfc04 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CredUI description: Learn about the Policy CSP - ADMX_CredUI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CredUI diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 22bb0e2b9c..0d6a23d272 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_CtrlAltDel description: Learn about the Policy CSP - ADMX_CtrlAltDel. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_CtrlAltDel diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 9f7525d028..18b990f41a 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DataCollection description: Learn about the Policy CSP - ADMX_DataCollection. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DataCollection diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index 4e3e20eb48..f826ec41b1 100644 
--- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DCOM description: Learn about the Policy CSP - ADMX_DCOM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DCOM diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 5017634eeb..c18835be26 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Desktop description: Learn about Policy CSP - ADMX_Desktop. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Desktop diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md index c1ac73f776..b2ca71c22d 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md +++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceCompat description: Learn about Policy CSP - ADMX_DeviceCompat. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 08/09/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceCompat 
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 4a673e49f0..449f287d99 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceGuard description: Learn about Policy CSP - ADMX_DeviceGuard. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceGuard diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index bbc9785c1b..1da8e03482 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceInstallation description: Learn about Policy CSP - ADMX_DeviceInstallation. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceInstallation diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index d3b545c45a..d4559a5746 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DeviceSetup description: Learn about Policy CSP - ADMX_DeviceSetup. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DeviceSetup diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index 029c5a1884..3a36dd326e 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DFS description: Learn about Policy CSP - ADMX_DFS. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DFS diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 0b11ba27af..4cb25e95d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DigitalLocker description: Learn about Policy CSP - ADMX_DigitalLocker. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/31/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DigitalLocker diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index 206c700ce3..9262266a8d 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md 
+++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DiskDiagnostic description: Learn about Policy CSP - ADMX_DiskDiagnostic. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/08/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DiskDiagnostic diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index e3d2d46297..92b5a4725e 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DiskNVCache description: Learn about Policy CSP - ADMX_DiskNVCache. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DiskNVCache diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index ac4604b2d6..bc75db6e4a 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DiskQuota description: Learn about Policy CSP - ADMX_DiskQuota. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DiskQuota 
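Review bot: ms.date is left at its old value in these hunks (08/12/2020 in policy-csp-admx-diskquota.md, 09/08/2021 in policy-csp-admx-diskdiagnostic.md) even though ms.author, author and manager all change in the same front matter. If ms.date is meant to track the last time the page's metadata was touched, update it in the same hunk; if it tracks content changes only, leaving it alone is consistent, but that convention should be applied the same way across every file in this series.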
diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 098addf8db..7efbc6544a 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DistributedLinkTracking description: Learn about Policy CSP - ADMX_DistributedLinkTracking. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DistributedLinkTracking diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 080d80ae3d..8af9f82bc0 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DnsClient description: Learn about Policy CSP - ADMX_DnsClient. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DnsClient diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index a3118e564b..920a8c9d98 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_DWM description: Learn about Policy CSP - ADMX_DWM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/31/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_DWM diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 6b81a966e1..c08bae6677 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EAIME description: Learn about the Policy CSP - ADMX_EAIME. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/19/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EAIME diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index 2ef08d8dea..21c1fdf20f 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EncryptFilesonMove description: Learn about the Policy CSP - ADMX_EncryptFilesonMove. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EncryptFilesonMove diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index 7a97834588..01470abcbe 100644 
--- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EnhancedStorage description: Learn about the Policy CSP - ADMX_EnhancedStorage. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EnhancedStorage diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 52dececdfe..75e7132a34 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ErrorReporting description: Learn about the Policy CSP - ADMX_ErrorReporting. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ErrorReporting diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index 0eeeb1a2e2..627492ca73 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventForwarding description: Learn about the Policy CSP - ADMX_EventForwarding. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventForwarding 
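Review bot: the unchanged description line is worded two ways across these files: policy-csp-admx-dwm.md has "Learn about Policy CSP - ADMX_DWM." while policy-csp-admx-eaime.md through policy-csp-admx-eventforwarding.md have "Learn about the Policy CSP - ...". Since every front-matter block is being edited anyway, pick one form and normalize the description in the same pass so the generated page summaries read consistently.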
diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 8e16b2c305..471b6a5631 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventLog description: Learn about the Policy CSP - ADMX_EventLog. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventLog diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index 62d1bc8a55..03921b2021 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventLogging description: Learn about the Policy CSP - ADMX_EventLogging. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/12/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventLogging diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index e04745a40b..a3979738bd 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md +++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_EventViewer description: Learn about the Policy CSP - ADMX_EventViewer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/13/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_EventViewer diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index 36e0b39de2..c3be668f23 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Explorer description: Learn about the Policy CSP - ADMX_Explorer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Explorer diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index 93b3bee4e0..7d85473280 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ExternalBoot description: Learn about the Policy CSP - ADMX_ExternalBoot. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/13/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ExternalBoot diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index b5239ba4b3..e81f6e1043 100644 
--- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileRecovery description: Learn about the Policy CSP - ADMX_FileRecovery. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/24/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileRecovery diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index dedad2fa09..6cf18b696b 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileRevocation description: Learn about the Policy CSP - ADMX_FileRevocation. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/13/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileRevocation diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 71897ec183..5f9d1741bd 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileServerVSSProvider description: Learn about the Policy CSP - ADMX_FileServerVSSProvider. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileServerVSSProvider diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 0e4f4f4725..e5c5587bc2 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FileSys description: Learn about the Policy CSP - ADMX_FileSys. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FileSys diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index fc2f29a559..cca8d67c3b 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FolderRedirection description: Learn about the Policy CSP - ADMX_FolderRedirection. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FolderRedirection 
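Review bot: in policy-csp-admx-externalboot.md the front-matter keys are in a different order from the neighbouring files: ms.localizationpriority: medium sits after author rather than directly after ms.author, as it does in policy-csp-admx-filerecovery.md and the rest. The hunk keeps that ordering. Moving the key up to match the other files while these lines are being touched would keep the front matter uniform and make later bulk edits of this kind easier to review.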
diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index ba90f4137d..a30e0b8b87 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FramePanes description: Learn about the Policy CSP - ADMX_FramePanes. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/14/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FramePanes diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index a87f70ce8d..d571a60d05 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_FTHSVC description: Learn about the Policy CSP - ADMX_FTHSVC. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/15/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_FTHSVC diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 7483d618f1..51540ef8ab 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Globalization description: Learn about the Policy CSP - ADMX_Globalization. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Globalization diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index 9b8a2007ca..986333d80f 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_GroupPolicy description: Learn about the Policy CSP - ADMX_GroupPolicy. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_GroupPolicy diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index 603e13fa68..ef05d2efca 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Help description: Learn about the Policy CSP - ADMX_Help. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/03/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Help diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index d1db72afc5..e013dc38ab 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md 
+++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_HelpAndSupport description: Learn about the Policy CSP - ADMX_HelpAndSupport. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/03/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_HelpAndSupport diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md index 48356bdf1a..ba8121417b 100644 --- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_HotSpotAuth description: Learn about the Policy CSP - ADMX_HotSpotAuth. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/15/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_HotSpotAuth diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index c80b5b8007..9e9178ac7a 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ICM description: Learn about the Policy CSP - ADMX_ICM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ICM diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index c68c2b9d10..cdae65ef17 100644 
--- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_IIS description: Learn about the Policy CSP - ADMX_IIS. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/17/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_IIS diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md index 67786a4e35..e4938d1f67 100644 --- a/windows/client-management/mdm/policy-csp-admx-iscsi.md +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_iSCSI description: Learn about the Policy CSP - ADMX_iSCSI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_iSCSI diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index 5ea252a9f3..ec99d97b12 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_kdc description: Learn about the Policy CSP - ADMX_kdc. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_kdc diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index a70fa508b8..3cbff4ed32 100644 
--- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Kerberos description: Learn about the Policy CSP - ADMX_Kerberos. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Kerberos diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index 4baef48f3a..3fe3659069 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LanmanServer description: Learn about the Policy CSP - ADMX_LanmanServer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LanmanServer diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 1459422b9a..969840fdeb 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LanmanWorkstation description: Learn about the Policy CSP - ADMX_LanmanWorkstation. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LanmanWorkstation 
diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index abf93f8dcf..2f421ddce0 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LeakDiagnostic description: Learn about the Policy CSP - ADMX_LeakDiagnostic. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/17/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LeakDiagnostic diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index 8af8087093..ac18bf4c6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LinkLayerTopologyDiscovery description: Learn about Policy CSP - ADMX_LinkLayerTopologyDiscovery. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/04/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LinkLayerTopologyDiscovery diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md index 34d7b1561d..6557e565a3 100644 --- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_LocationProviderAdm description: Learn about Policy CSP - ADMX_LocationProviderAdm. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_LocationProviderAdm diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 39410f580e..3386f503ec 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Logon description: Learn about Policy CSP - ADMX_Logon. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Logon diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index b600ea3664..62d92eb76a 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MicrosoftDefenderAntivirus description: Learn about Policy CSP - ADMX_MicrosoftDefenderAntivirus. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 01/03/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MicrosoftDefenderAntivirus 
diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index 66f7ee9fa5..1d1d07a118 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MMC description: Learn about Policy CSP - ADMX_MMC. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/03/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MMC diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index 42d6a7faa7..1dc887ce45 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MMCSnapins description: Learn about Policy CSP - ADMX_MMCSnapins. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MMCSnapins diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md index 5beff76d0e..462bfc2801 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MobilePCMobilityCenter description: Learn about Policy CSP - ADMX_MobilePCMobilityCenter. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MobilePCMobilityCenter diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md index 382e64f23d..a0b6581b36 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MobilePCPresentationSettings description: Learn about Policy CSP - ADMX_MobilePCPresentationSettings. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MobilePCPresentationSettings diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index e95aac830e..a706344772 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MSAPolicy description: Learn about Policy CSP - ADMX_MSAPolicy. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MSAPolicy 
diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index a3e9d15464..039423c269 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_msched description: Learn about Policy CSP - ADMX_msched. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_msched diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index 01e72fdc64..3cf6d8ccbd 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MSDT description: Learn about Policy CSP - ADMX_MSDT. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MSDT diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index af31120c3c..ee2aa88f20 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MSI description: Learn about Policy CSP - ADMX_MSI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MSI 
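Review bot: ms.reviewer: stays empty in policy-csp-admx-msi.md and in every other front-matter block shown here, while author and manager are reassigned. If ownership of these pages is moving, either fill in the reviewer alongside the new author and manager or drop the empty key, so the metadata does not suggest a review assignment that is not there.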
diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md index 54717a8f50..b1d046c306 100644 --- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_MsiFileRecovery description: Learn about Policy CSP - ADMX_MsiFileRecovery. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_MsiFileRecovery diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index 2b520f4ec5..7bfd8617d3 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_nca description: Policy CSP - ADMX_nca -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_nca diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 41bfae8db7..ddb9baa7e7 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_NCSI description: Learn about Policy CSP - ADMX_NCSI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_NCSI diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 517f41ab17..119133aa16 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Netlogon description: Learn about Policy CSP - ADMX_Netlogon. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/15/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Netlogon diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 210fdcd3ca..178901d5b6 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_NetworkConnections description: Learn about Policy CSP - ADMX_NetworkConnections. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_NetworkConnections diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 7d60db6150..efc0936d36 100644 
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_OfflineFiles description: Learn about Policy CSP - ADMX_OfflineFiles. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_OfflineFiles diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md index 21b21c87e2..28a333dfcc 100644 --- a/windows/client-management/mdm/policy-csp-admx-pca.md +++ b/windows/client-management/mdm/policy-csp-admx-pca.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_pca description: Learn about Policy CSP - ADMX_pca. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/20/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_pca diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 7218cc97d6..b5e4199768 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PeerToPeerCaching description: Learn about Policy CSP - ADMX_PeerToPeerCaching. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PeerToPeerCaching 
diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md index faf9afb98a..322223fccc 100644 --- a/windows/client-management/mdm/policy-csp-admx-pentraining.md +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PenTraining description: Learn about Policy CSP - ADMX_PenTraining. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PenTraining diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index 18ce028bb6..7c956fcf64 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PerformanceDiagnostics description: Learn about Policy CSP - ADMX_PerformanceDiagnostics. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PerformanceDiagnostics diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index d77be55b2b..e1e9ee133b 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Power description: Learn about Policy CSP - ADMX_Power. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Power diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index d9933722cc..0818fc3b94 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PowerShellExecutionPolicy description: Learn about Policy CSP - ADMX_PowerShellExecutionPolicy. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PowerShellExecutionPolicy diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index cb7bb6a236..05320e6fd6 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PreviousVersions description: Policy CSP - ADMX_PreviousVersions -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PreviousVersions 
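Review bot: The context line `description: Policy CSP - ADMX_PreviousVersions` in the ADMX_PreviousVersions hunk lacks the "Learn about" lead and the closing period that the sibling files use (compare `description: Learn about Policy CSP - ADMX_Power.` two hunks earlier). Since this commit already rewrites the front matter of each file, consider normalising the description in the same pass; the ADMX_nca, ADMX_Reliability, ADMX_WinCal and ADMX_WindowsColorSystem hunks show the same short form.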
diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index fa322d02d0..f107901b56 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Printing description: Learn about Policy CSP - ADMX_Printing. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/15/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Printing diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 74159d9d3c..3032187dbe 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Printing2 description: Learn about Policy CSP - ADMX_Printing2. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/15/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Printing2 diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 681645a684..3758a6ba32 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Programs description: Learn about Policy CSP - ADMX_Programs. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Programs diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md index 4e6309ff2a..d5ba645c1e 100644 --- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_PushToInstall description: Learn about Policy CSP - ADMX_PushToInstall. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_PushToInstall diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md index dc01eef4a8..bcfa2454cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-radar.md +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Radar description: Learn about Policy CSP - ADMX_Radar. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Radar diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index fd6026410b..08a42720fb 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md 
+++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Reliability description: Policy CSP - ADMX_Reliability -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Reliability diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 5433779640..5d6a8d5676 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_RemoteAssistance description: Learn about Policy CSP - ADMX_RemoteAssistance. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_RemoteAssistance diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index a823f286cf..f4f47dc890 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_RemovableStorage description: Learn about Policy CSP - ADMX_RemovableStorage. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/10/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_RemovableStorage 
diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index 5215c95259..6f085b0205 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_RPC description: Learn about Policy CSP - ADMX_RPC. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/08/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_RPC diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 06fc58ebc7..fec515d046 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Scripts description: Learn about Policy CSP - ADMX_Scripts. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Scripts diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index 7d9082639e..354380bdd2 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_sdiageng description: Learn about Policy CSP - ADMX_sdiageng. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_sdiageng 
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md index 1b35263fab..84cea15e19 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_sdiagschd description: Learn about Policy CSP - ADMX_sdiagschd. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/17/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_sdiagschd diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index db28229ae8..66efb88c7f 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Securitycenter description: Learn about Policy CSP - ADMX_Securitycenter. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Securitycenter diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 2849e15624..37049367dc 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Sensors description: Learn about Policy CSP - ADMX_Sensors. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Sensors diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md index a14eb4488d..2f5de5c9a8 100644 --- a/windows/client-management/mdm/policy-csp-admx-servermanager.md +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ServerManager description: Learn about Policy CSP - ADMX_ServerManager. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ServerManager diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index e4d18d9a66..07ca3a013c 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Servicing description: Learn about Policy CSP - ADMX_Servicing. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Servicing diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index c7355a160c..c68630eec1 100644 
--- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SettingSync description: Learn about Policy CSP - ADMX_SettingSync. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SettingSync diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index c48eab98b9..a018d51a65 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SharedFolders description: Learn about Policy CSP - ADMX_SharedFolders. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SharedFolders diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 9a02cd3b35..77f8afb7f8 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Sharing description: Learn about Policy CSP - ADMX_Sharing. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Sharing 
diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index e226b26906..fa6a4ebe37 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_ShellCommandPromptRegEditTools description: Learn about Policy CSP - ADMX_ShellCommandPromptRegEditTools. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_ShellCommandPromptRegEditTools diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 6c6fae1e34..8145f4e15f 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Smartcard description: Learn about Policy CSP - ADMX_Smartcard. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Smartcard diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 0767b4c97c..a65f75e734 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Snmp description: Learn about Policy CSP - ADMX_Snmp. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/24/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Snmp diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md index 77dcf00f34..dcc94a5737 100644 --- a/windows/client-management/mdm/policy-csp-admx-soundrec.md +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SoundRec description: Learn about Policy CSP - ADMX_SoundRec. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/01/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SoundRec diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md index 125aec535d..b5f0f4d1cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-srmfci.md +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_srmfci description: Learn about Policy CSP - ADMX_srmfci. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_srmfci diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 78b189b308..8c6e907ba3 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_StartMenu description: Learn about Policy CSP - ADMX_StartMenu. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/20/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_StartMenu diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 3349d83359..4ca5a3d3a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_SystemRestore description: Learn about Policy CSP - ADMX_SystemRestore. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_SystemRestore diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md index 2517de0c90..cfc57b2098 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TabletShell description: Learn about Policy CSP - ADMX_TabletShell. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TabletShell diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 259cfc544c..3436685cc9 100644 
--- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Taskbar description: Learn about Policy CSP - ADMX_Taskbar. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Taskbar diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index 227131133b..7ef48341ef 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_tcpip description: Learn about Policy CSP - ADMX_tcpip. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_tcpip diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 3f070da798..f4dd3f6be6 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TerminalServer description: Learn about Policy CSP - ADMX_TerminalServer. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/21/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TerminalServer 
diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 4cbe4a167f..b8a2fd7483 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Thumbnails description: Learn about Policy CSP - ADMX_Thumbnails. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/25/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Thumbnails diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 477fec0b8c..776951f78d 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TouchInput description: Learn about Policy CSP - ADMX_TouchInput. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TouchInput diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index c7e72a4d44..2e39f46e4f 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_TPM description: Learn about Policy CSP - ADMX_TPM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/25/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_TPM diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index 1b4c199855..c5a2aabcc3 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_UserExperienceVirtualization description: Learn about Policy CSP - ADMX_UserExperienceVirtualization. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/30/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_UserExperienceVirtualization diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 799a90014c..f6d9875e16 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_UserProfiles description: Learn about Policy CSP - ADMX_UserProfiles. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/11/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_UserProfiles 
diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 7324ca3459..9ec5b2733d 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_W32Time description: Learn about Policy CSP - ADMX_W32Time. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/28/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_W32Time diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index eeeacfe4ca..d396e0aaae 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WCM description: Learn about Policy CSP - ADMX_WCM. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/22/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WCM diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md index a5b1ce11d8..b3a2aefd94 100644 --- a/windows/client-management/mdm/policy-csp-admx-wdi.md +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WDI description: Learn about Policy CSP - ADMX_WDI. -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WDI 
diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index 81cb16ebed..410eda6d2b 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WinCal description: Policy CSP - ADMX_WinCal -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/28/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WinCal diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md index 08e1bacf93..c575e5f9a8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsColorSystem description: Policy CSP - ADMX_WindowsColorSystem -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/27/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsColorSystem diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 59c5880a8b..8d93498e0d 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsConnectNow description: Policy CSP - ADMX_WindowsConnectNow -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/28/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsConnectNow diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index cb885ee871..5dd0274b06 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsExplorer description: Policy CSP - ADMX_WindowsExplorer -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/29/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsExplorer diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index d8b921b3e5..e2b7d6b653 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsMediaDRM description: Policy CSP - ADMX_WindowsMediaDRM -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsMediaDRM diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index dee6a3efe7..15f9ca5c47 100644 
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsMediaPlayer description: Policy CSP - ADMX_WindowsMediaPlayer -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsMediaPlayer diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 927b7686c7..902f22ebc8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsRemoteManagement description: Policy CSP - ADMX_WindowsRemoteManagement -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/16/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsRemoteManagement diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 72fffb643f..3a56097a51 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WindowsStore description: Policy CSP - ADMX_WindowsStore -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/26/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WindowsStore 
diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index 421da6c478..0f1c09fbca 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WinInit description: Policy CSP - ADMX_WinInit -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/29/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WinInit diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index 92bcea8397..767e746db8 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WinLogon description: Policy CSP - ADMX_WinLogon -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WinLogon diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index 9b5ea557d1..7d744cb320 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_Winsrv description: Policy CSP - ADMX_Winsrv -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/25/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_Winsrv 
diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index aeda8eb64c..146fa04b1b 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_wlansvc description: Policy CSP - ADMX_wlansvc -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/27/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_wlansvc diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md index 57124ac9b3..b027226ee8 100644 --- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WordWheel description: Policy CSP - ADMX_WordWheel -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WordWheel diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md index 3a455a27b2..56d08ee87f 100644 --- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WorkFoldersClient description: Policy CSP - ADMX_WorkFoldersClient -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.date: 09/22/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WorkFoldersClient diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 857a782385..6397e4e333 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ADMX_WPN description: Policy CSP - ADMX_WPN -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/13/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ADMX_WPN diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 08788dc5cf..db27b3a605 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ApplicationDefaults description: Learn about various Policy configuration service providers (CSP) - ApplicationDefaults, including SyncML, for Windows 10. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ApplicationDefaults 
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index a7f90d8ef1..a9bd9d1f06 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ApplicationManagement description: Learn about various Policy configuration service providers (CSP) - ApplicationManagement, including SyncML, for Windows 10. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/11/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ApplicationManagement diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index a73acd40df..ab3b3c38da 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AppRuntime description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AppRuntime diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 04b7a70206..9803e28948 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - AppVirtualization description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AppVirtualization diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 321527a0e3..2878642c3e 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - AttachmentManager description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - AttachmentManager diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 2673bc236e..f70ec5324f 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,11 +1,11 @@ --- title: Policy CSP - Audit description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't sign in to a computer because the account is locked out. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 --- 
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index b934f952aa..b7a3091207 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -1,14 +1,14 @@ --- title: Policy CSP - Authentication description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign-in screen. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: bobgil -manager: dansimp +manager: aaroncz --- # Policy CSP - Authentication diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index ac10523d39..cbccee0f6f 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Autoplay description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Autoplay diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index e56c8f51fb..7aa01b7d63 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - BitLocker description: Use the Policy configuration service provider (CSP) - BitLocker to manage encryption of PCs and devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - BitLocker diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 19cb5e2ce2..639d2c8e86 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -1,15 +1,15 @@ --- title: Policy CSP - BITS -description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate. -ms.author: dansimp +description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - BITS diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 8312708e30..0a044cfc57 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Bluetooth description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/12/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Bluetooth 
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 2c340877a4..6da1550f1d 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -4,11 +4,11 @@ description: Learn how to use the Policy CSP - Browser settings so you can confi ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp -ms.author: dansimp +author: vinaypamnani-msft +ms.author: vinpa ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz ms.localizationpriority: medium --- diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 64b48bbc40..ed98c5d85b 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Camera description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Camera diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 62837b80db..eb2180cddd 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - Cellular description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Cellular diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 661ffccaf9..f4dc267b7a 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Connectivity description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 -ms.reviewer: -manager: dansimp +ms.reviewer: +manager: aaroncz --- # Policy CSP - Connectivity diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index d795f177d4..da457db759 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
@@ -1,14 +1,14 @@ --- title: Policy CSP - ControlPolicyConflict description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ControlPolicyConflict diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index beeffe2585..28f4edb5ec 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -1,15 +1,15 @@ --- title: Policy CSP - CredentialProviders description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - CredentialProviders diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index e459f00b15..4236a94376 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - CredentialsDelegation description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - CredentialsDelegation diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index d126286e24..fd869a6c75 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -1,15 +1,15 @@ --- title: Policy CSP - CredentialsUI description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - CredentialsUI diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 31ebde8cc2..1eb727623a 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - Cryptography description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Cryptography diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 43dc6aeab0..9bb4559320 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DataProtection description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DataProtection diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 5e271eabfc..0950d10f87 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - DataUsage -description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine. -ms.author: dansimp +description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DataUsage diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 8912143332..6c42ebfde5 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Defender description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 05/12/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index f49ee66cee..f272b05108 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - DeliveryOptimization description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 06/09/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeliveryOptimization diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 4d3d97a6bd..6e4f8b2502 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Desktop description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Desktop diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 09369cf747..d34fce4b14 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeviceGuard description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeviceGuard 
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 65ccf2ff72..b412a147d6 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DeviceHealthMonitoring description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeviceHealthMonitoring diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index ee81f379cf..9ba8e12f78 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -1,14 +1,14 @@ --- title: Policy CSP - DeviceInstallation ms.reviewer: -manager: dansimp +manager: aaroncz description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. -ms.author: dansimp +ms.author: vinpa ms.date: 09/27/2019 ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium --- diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 39fa89a03f..96b7ecf2c1 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - DeviceLock description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 05/16/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DeviceLock diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 25318d988f..601c24c077 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Display description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Display diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 648380d02b..1188039966 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - DmaGuard description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - DmaGuard 
diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index 94c84c45ca..9b16db9fd4 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -1,15 +1,15 @@ --- title: Policy CSP - EAP -description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. -ms.author: dansimp +description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - EAP diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index edab7bcabf..1fd25bb275 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Education -description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app. -ms.author: dansimp +description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Education diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index df2804c31e..2c125b1d1f 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md 
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -1,15 +1,15 @@ --- title: Policy CSP - EnterpriseCloudPrint description: Use the Policy CSP - EnterpriseCloudPrint setting to define the maximum number of printers that should be queried from a discovery end point. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - EnterpriseCloudPrint diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 720f5cae3c..f387a56a6e 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ErrorReporting description: Learn how to use the Policy CSP - ErrorReporting setting to determine the consent behavior of Windows Error Reporting for specific event types. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ErrorReporting diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 1616de5ece..3212b6504e 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - EventLogService description: Learn how to use the Policy CSP - EventLogService setting to control Event Log behavior when the log file reaches its maximum size. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - EventLogService diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index ae3ff0f9a6..a2da6374ab 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Experience description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/02/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Experience diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 80582e1ec2..c187c4bbef 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -1,15 +1,15 @@ --- title: Policy CSP - ExploitGuard description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - ExploitGuard 
diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index f8a8f5eea5..281f12f579 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Feeds description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. -ms.author: v-nsatapathy +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/17/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Feeds diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index b46e93af9c..5f49f1d40e 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -1,15 +1,15 @@ --- title: Policy CSP - FileExplorer description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - FileExplorer diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index e6fde52f63..16a07d2e71 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - Games description: Learn to use the Policy CSP - Games setting so that you can specify whether advanced gaming services can be used. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Games diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 8602af165b..3146be4db8 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Handwriting description: Use the Policy CSP - Handwriting setting to allow an enterprise to configure the default mode for the handwriting panel. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Handwriting diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 8b672ccbbf..df30b8f920 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,15 +1,15 @@ --- title: Policy CSP - HumanPresence description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - HumanPresence 
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 9d519bfe5d..ef76b0c2fb 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1,14 +1,14 @@ --- title: Policy CSP - InternetExplorer description: Use the Policy CSP - InternetExplorer setting to add a specific list of search providers to the user's default list of search providers. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - InternetExplorer diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 5e4320bf4c..0e1fdaeb77 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Kerberos description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Kerberos diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index e5a08afafe..e1456fa569 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - KioskBrowser description: Use the Policy CSP - KioskBrowser setting to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - KioskBrowser diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index 40e82cbc5d..15b727545c 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LanmanWorkstation description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LanmanWorkstation diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 80e2f0bd5a..af74d4384d 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Licensing description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Licensing 
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index af2cf856e3..21dfa77d35 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LocalPoliciesSecurityOptions description: These settings prevent users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 12/16/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LocalPoliciesSecurityOptions diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 46d691f702..c2c636a46f 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -1,15 +1,15 @@ --- title: Policy CSP - LocalUsersAndGroups description: Policy CSP - LocalUsersAndGroups -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/14/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LocalUsersAndGroups diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 97ea810006..7b338795e8 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - LockDown description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - LockDown diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 6ee7e3956d..d62a84d748 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Maps description: Use the Policy CSP - Maps setting to allow the download and update of map data over metered connections. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Maps diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md index 92d62d27ee..37bcafe0e4 100644 --- a/windows/client-management/mdm/policy-csp-memorydump.md +++ b/windows/client-management/mdm/policy-csp-memorydump.md @@ -1,15 +1,15 @@ --- title: Policy CSP - MemoryDump description: Use the Policy CSP -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MemoryDump diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index f002adc108..ea92d4a966 100644 
--- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Messaging description: Enable, and disable, text message backup and restore as well as Messaging Everywhere by using the Policy CSP for messaging. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Messaging diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index b0f1607d6b..1467f5ebf7 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -1,14 +1,14 @@ --- title: Policy CSP - MixedReality description: Policy CSP - MixedReality -ms.author: dansimp +ms.author: vinpa ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MixedReality diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index c85466d3ee..d2b17be697 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -1,15 +1,15 @@ --- title: Policy CSP - MSSecurityGuide description: Learn how Policy CSP - MSSecurityGuide, an ADMX-backed policy, requires a special SyncML format to enable or disable. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MSSecurityGuide 
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index 83db3103f2..d6d732e4cf 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - MSSLegacy -description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable. -ms.author: dansimp +description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - MSSLegacy diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index 9f93048ae9..0329b17188 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Multitasking description: Policy CSP - Multitasking -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/30/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Multitasking diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 4b81789c59..d2d4a901b0 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - NetworkIsolation description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - NetworkIsolation diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 72328ad669..bd33a1ddfa 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - NetworkListManager description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure. -ms.author: v-nsatapathy +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: nimishasatapathy +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 12/16/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - NetworkListManager diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 6eb42f6671..59566c1026 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - NewsAndInterests description: Learn how Policy CSP - NewsandInterests contains a list of news and interests. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - NewsAndInterests diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 3039a6845a..32ddde9d1a 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Notifications description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Notifications diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index ca3d7e34bd..117535d8e7 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Power description: Learn how the Policy CSP - Power setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Power 
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 3fe4de393e..bcce2e1390 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Printers -description: Use this policy setting to control the client Point and Print behavior, including security prompts for Windows Vista computers. -ms.author: dansimp +description: Use this policy setting to control the client Point and Print behavior, including security prompts for Windows Vista computers. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Printers diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 6f984cad6c..eef582a24e 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Privacy description: Learn how the Policy CSP - Privacy setting allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Privacy diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 0faafb160a..eb47527466 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteAssistance description: Learn how the Policy CSP - RemoteAssistance setting allows you to specify a custom message to display. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteAssistance diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index 077e297205..85588a127d 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteDesktop description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteDesktop diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index bc4a782639..09f3f50725 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteDesktopServices description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteDesktopServices diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 82936149da..ff88b2a36d 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteManagement description: Learn how the Policy CSP - RemoteManagement setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteManagement diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 29a499d619..8708f25937 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteProcedureCall description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they're making contains authentication information. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteProcedureCall diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 9596508d36..53820c929c 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -1,15 +1,15 @@ --- title: Policy CSP - RemoteShell description: Learn details about the Policy CSP - RemoteShell setting so that you can configure access to remote shells. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RemoteShell diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 74e05f8d7b..4e4e6b8876 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - RestrictedGroups description: Learn how the Policy CSP - RestrictedGroups setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 04/07/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - RestrictedGroups diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 6c61c3e748..60777e520f 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Search description: Learn how the Policy CSP - Search setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/12/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Search diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 7399515109..dced08216c 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Security description: Learn how the Policy CSP - Security setting can specify whether to allow the runtime configuration agent to install provisioning packages. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Security 
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 55e1034d36..20f852795a 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -1,7 +1,7 @@ --- title: Policy CSP - ServiceControlManager description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 1b3303cfb8..37e5e21450 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Settings description: Learn how to use the Policy CSP - Settings setting so that you can allow the user to change Auto Play settings. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Settings diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index cb36588175..11d6e32c39 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - SmartScreen description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - SmartScreen diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index f46af42add..b97360b3f1 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Speech description: Learn how the Policy CSP - Speech setting specifies whether the device will receive updates to the speech recognition and speech synthesis models. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Speech diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 3eacbd485d..e794d81f7b 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Start description: Use the Policy CSP - Start setting to control the visibility of the Documents shortcut on the Start menu. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Start 
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index a9e43b4855..d0117fde5d 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Storage description: Learn to use the Policy CSP - Storage settings to automatically clean some of the user’s files to free up disk space. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 03/25/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Storage diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b44458dd98..4e5c11cbed 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,15 +1,15 @@ --- title: Policy CSP - System description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 08/26/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - System diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 7ecb2141a8..dda3779328 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - SystemServices description: Learn how to use the Policy CSP - SystemServices setting to determine whether the service's start type is Automatic(2), Manual(3), Disabled(4). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - SystemServices diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 123b672f38..359565b3aa 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TaskManager description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TaskManager diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index 841d5e8f3e..f6493ca356 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TaskScheduler description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TaskScheduler 
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 0d6692ed2c..f2976b8893 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TextInput description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 03/03/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TextInput diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index a580e736f3..610c3a4580 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,15 +1,15 @@ --- title: Policy CSP - TimeLanguageSettings description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/28/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - TimeLanguageSettings diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index d588058db0..44b6119a56 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md 
@@ -1,11 +1,11 @@ --- title: Policy CSP - Troubleshooting description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: MariciaAlforque +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 --- diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 53012c6503..384768cd58 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Update description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 06/15/2022 ms.reviewer: -manager: dansimp +manager: aaroncz ms.collection: highpri --- diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 9d126f072e..628076c675 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1,15 +1,15 @@ --- title: Policy CSP - UserRights description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/24/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - UserRights 
diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md index 4d39b65348..1647ce615c 100644 --- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md +++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md @@ -1,15 +1,15 @@ --- title: Policy CSP - VirtualizationBasedTechnology description: Learn to use the Policy CSP - VirtualizationBasedTechnology setting to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: alekyaj +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/25/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - VirtualizationBasedTechnology diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 5306104d5c..8d71416429 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -1,15 +1,15 @@ --- title: Policy CSP - Wifi description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - Wifi diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md index 5f934b05bd..80be71fb1a 100644 --- a/windows/client-management/mdm/policy-csp-windowsautopilot.md +++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsAutoPilot description: Learn to use the Policy CSP - WindowsAutoPilot setting to enable or disable Autopilot Agility feature. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: alekyaj +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/25/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsAutoPilot diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index efce371108..8ebc7d88fe 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsConnectionManager description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain-based network and a non-domain-based network simultaneously. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsConnectionManager diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 665a0824e5..874ba7b1ce 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsDefenderSecurityCenter -description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center. -ms.author: dansimp +description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsDefenderSecurityCenter diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index b6cd4ac1ab..6879085541 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsInkWorkspace description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsInkWorkspace diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 4951a14248..bb762016fc 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md 
@@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsLogon description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsLogon diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 2aa49f3cfb..e03c8cee0e 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WindowsPowerShell description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WindowsPowerShell diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index 8a946c0358..b66b784a64 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -1,11 +1,11 @@ --- title: Policy CSP - WindowsSandbox description: Policy CSP - WindowsSandbox -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/14/2020 --- 
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 54953f93ee..f3891cb68f 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -1,15 +1,15 @@ --- title: Policy CSP - WirelessDisplay description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/27/2019 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Policy CSP - WirelessDisplay diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index bffc844378..16bce236f5 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -2,12 +2,12 @@ title: Policy DDF file description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 10/28/2020 --- diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md index cf2bf86897..5b0882d135 100644 --- a/windows/client-management/mdm/provisioning-csp.md +++ b/windows/client-management/mdm/provisioning-csp.md 
@@ -2,12 +2,12 @@ title: Provisioning CSP description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 5c41f9aa36..5f5f318d06 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md @@ -1,16 +1,16 @@ --- title: Push notification support for device management description: The DMClient CSP supports the ability to configure push-initiated device management sessions. -MS-HAID: -- 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management' -- 'p\_phDeviceMgmt.push\_notification\_windows\_mdm' +MS-HAID: + - 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management' + - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/22/2017 --- diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index cae3527452..78bb60896b 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md 
@@ -2,12 +2,12 @@ title: PXLOGICAL configuration service provider description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 1934327705..50bb03819f 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -2,12 +2,12 @@ title: Reboot CSP description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index ec6084c3b0..3628eaf7e4 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -2,12 +2,12 @@ title: Reboot DDF file description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index c5f35430d4..bdd37fcbbe 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md 
+++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -2,12 +2,12 @@ title: Reclaim seat from user description: The Reclaim seat from user operation returns reclaimed seats for a user in the Microsoft Store for Business. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/05/2020 --- diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index a51ff42cae..c73053417b 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md @@ -2,12 +2,12 @@ title: Register your free Azure Active Directory subscription description: Paid subscribers to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, have a free subscription to Azure AD. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index 4453fedf30..96140781af 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -2,12 +2,12 @@ title: RemoteFind CSP description: The RemoteFind configuration service provider retrieves the location information for a particular device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- 
diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md index 1cc00be86b..e92498a5f3 100644 --- a/windows/client-management/mdm/remotefind-ddf-file.md +++ b/windows/client-management/mdm/remotefind-ddf-file.md @@ -2,12 +2,12 @@ title: RemoteFind DDF file description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 0e0012bb4b..441f69fe60 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -2,12 +2,12 @@ title: RemoteRing CSP description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 8417d9c8af..07413835c9 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -2,12 +2,12 @@ title: RemoteWipe CSP description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 --- diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index b78051384b..290767b7a1 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -2,12 +2,12 @@ title: RemoteWipe DDF file description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 --- diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index b35de0f323..79814579cb 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -2,12 +2,12 @@ title: Reporting CSP description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md index ac2bc0f113..a18c3cb3b6 100644 --- a/windows/client-management/mdm/reporting-ddf-file.md 
+++ b/windows/client-management/mdm/reporting-ddf-file.md @@ -2,12 +2,12 @@ title: Reporting DDF file description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md index ef51421942..3dc28440bd 100644 --- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md +++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md @@ -1,16 +1,16 @@ --- title: REST API reference for Microsoft Store for Business description: Learn how the REST API reference for Microsoft Store for Business includes available operations and data structures. -MS-HAID: -- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' -- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' +MS-HAID: + - 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' + - 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index cbfbf19ba1..0ff47616c0 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md 
@@ -2,12 +2,12 @@ title: RootCATrustedCertificates CSP description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/06/2018 --- diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index cc11893ef0..67f5c3a6d7 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -2,12 +2,12 @@ title: RootCATrustedCertificates DDF file description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/07/2018 --- diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index b973e23145..2f16f647de 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -2,12 +2,12 @@ title: SecureAssessment CSP description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- 
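Review bot: In rest-api-reference-windows-store-for-business.md, earlier in this stretch of the patch, the MS-HAID block is re-indented (`-- 'p\_phdevicemgmt...'` becomes `+ - 'p\_phdevicemgmt...'`) and the `MS-HAID:` key line is removed and re-added with no visible difference. That is a formatting change unrelated to the manager/ms.author/author reassignment in the rest of the hunk. Move the re-indent to its own commit or call it out in the commit message, so the ownership change can be reviewed and reverted on its own.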
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md index 9c0896a99d..67118163ea 100644 --- a/windows/client-management/mdm/secureassessment-ddf-file.md +++ b/windows/client-management/mdm/secureassessment-ddf-file.md @@ -2,12 +2,12 @@ title: SecureAssessment DDF file description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 0f55bf6958..a3f9722270 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -2,12 +2,12 @@ title: SecurityPolicy CSP description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md index f0cade5d43..1f89f971a0 100644 --- a/windows/client-management/mdm/server-requirements-windows-mdm.md +++ b/windows/client-management/mdm/server-requirements-windows-mdm.md 
@@ -1,16 +1,16 @@ --- title: Server requirements for using OMA DM to manage Windows devices description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM. -MS-HAID: -- 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm' -- 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm' +MS-HAID: + - 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm' + - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index f1c190ab44..1e4509043f 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -2,12 +2,12 @@ title: SharedPC CSP description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 01/16/2019 --- diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index 359f191981..1eb414317a 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -2,12 +2,12 @@ title: SharedPC DDF file description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- 
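Review bot: The description kept as context in sharedpc-ddf-file.md, "Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP).", is a sentence fragment with no verb after "Learn how". Since this hunk already edits the same front matter, reword it to match the sibling DDF pages, for example "Learn about the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP)."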
diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md index d9df5b94c6..03f3fe6afa 100644 --- a/windows/client-management/mdm/storage-csp.md +++ b/windows/client-management/mdm/storage-csp.md @@ -2,12 +2,12 @@ title: Storage CSP description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md index c5870a9cb4..4d2a9283a7 100644 --- a/windows/client-management/mdm/storage-ddf-file.md +++ b/windows/client-management/mdm/storage-ddf-file.md @@ -2,12 +2,12 @@ title: Storage DDF file description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index 15ee879130..d34d3c1746 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md 
@@ -2,12 +2,12 @@ title: Structure of OMA DM provisioning files description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 42cfa00702..802b366a55 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -2,12 +2,12 @@ title: SUPL CSP description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/12/2019 --- diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 5d250c07da..62a7531702 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -2,12 +2,12 @@ title: SUPL DDF file description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/03/2020 --- diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 7dc0ffb4eb..a7ea49f35d 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md 
@@ -2,12 +2,12 @@ title: SurfaceHub CSP description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/28/2017 --- diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 1a8a825bde..3f66986007 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -2,12 +2,12 @@ title: SurfaceHub DDF file description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index a4b4565694..c271871ce1 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -1,14 +1,14 @@ --- title: TenantLockdown CSP description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TenantLockdown CSP diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md index e85778cb28..12dc9f5348 100644 
--- a/windows/client-management/mdm/tenantlockdown-ddf.md +++ b/windows/client-management/mdm/tenantlockdown-ddf.md @@ -1,14 +1,14 @@ --- title: TenantLockdown DDF file description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/13/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TenantLockdown DDF file diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 698e2bf85e..14bb56f7ca 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -1,14 +1,14 @@ --- title: TPMPolicy CSP description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TPMPolicy CSP diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md index 5cd81b56b7..42f7a373d5 100644 --- a/windows/client-management/mdm/tpmpolicy-ddf-file.md +++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md @@ -1,14 +1,14 @@ --- title: TPMPolicy DDF file description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 ms.reviewer: -manager: dansimp +manager: aaroncz --- # TPMPolicy DDF file 
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index fd47c179fa..b1fd8cdde4 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -1,14 +1,14 @@ --- title: UEFI CSP description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/02/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # UEFI CSP diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md index 0124a0a281..51dec0bdd7 100644 --- a/windows/client-management/mdm/uefi-ddf.md +++ b/windows/client-management/mdm/uefi-ddf.md @@ -1,14 +1,14 @@ --- title: UEFI DDF file description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/02/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # UEFI DDF file diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index da5516f990..c21a7a2573 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -1,14 +1,14 @@ --- title: Understanding ADMX policies description: In Windows 10, you can use ADMX policies for Windows 10 mobile device management (MDM) across Windows 10 devices. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Understanding ADMX policies 
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 46abb8acab..6e9a7e9322 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -2,12 +2,12 @@ title: UnifiedWriteFilter CSP description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md index 51a25e686a..f6cfcd2307 100644 --- a/windows/client-management/mdm/unifiedwritefilter-ddf.md +++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md @@ -2,12 +2,12 @@ title: UnifiedWriteFilter DDF File description: UnifiedWriteFilter DDF File ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md index fab5cf6f5e..bb4cae4a7b 100644 --- a/windows/client-management/mdm/universalprint-csp.md +++ b/windows/client-management/mdm/universalprint-csp.md @@ -1,14 +1,14 @@ --- title: UniversalPrint CSP description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices. -ms.author: mandia +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: MandiOhlinger +author: vinaypamnani-msft ms.date: 06/02/2022 ms.reviewer: jimwu -manager: dougeby +manager: aaroncz --- # UniversalPrint CSP 
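Review bot: The universalprint-csp.md hunk reassigns a different set of owners than the neighbouring hunks: `ms.author: mandia`, `author: MandiOhlinger` and `manager: dougeby` are replaced here, whereas the files around it only replace dansimp, and `ms.reviewer: jimwu` is left in place. Confirm that this page is meant to move to vinpa / vinaypamnani-msft / aaroncz rather than having been swept up by a bulk replace, and if it is intended, say so in the commit message.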
diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md index cc624c9c29..6e8412dfa0 100644 --- a/windows/client-management/mdm/universalprint-ddf-file.md +++ b/windows/client-management/mdm/universalprint-ddf-file.md @@ -1,14 +1,14 @@ --- title: UniversalPrint DDF file description: UniversalPrint DDF file -ms.author: mandia +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: MandiOhlinger +author: vinaypamnani-msft ms.date: 06/02/2022 ms.reviewer: jimwu -manager: dougeby +manager: aaroncz --- # UniversalPrint DDF file diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 8924365745..e7c54fb69a 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -2,12 +2,12 @@ title: Update CSP description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/23/2018 --- diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index 3daad32697..06da8be6f1 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md @@ -2,12 +2,12 @@ title: Update DDF file description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/23/2018 --- 
diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md index 6d66ae073b..d42e777b93 100644 --- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md @@ -2,12 +2,12 @@ title: Using PowerShell scripting with the WMI Bridge Provider description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index e26ae9c716..6d484acd8d 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -2,12 +2,12 @@ title: VPN CSP description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 04/02/2017 --- diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md index a59443bf05..4cf629cb79 100644 --- a/windows/client-management/mdm/vpn-ddf-file.md +++ b/windows/client-management/mdm/vpn-ddf-file.md 
@@ -2,12 +2,12 @@ title: VPN DDF file description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 053e642943..fb60f1756f 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -2,12 +2,12 @@ title: VPNv2 CSP description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device. ms.reviewer: pesmith -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/21/2021 --- diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index d94de5b3c6..ec744e211f 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -2,12 +2,12 @@ title: VPNv2 DDF file description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider. ms.reviewer: pesmith -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 10/30/2020 --- diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index b1daeaf543..6e67b7102c 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md 
@@ -1,13 +1,13 @@ --- title: ProfileXML XSD description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. -ms.reviewer: -manager: dansimp -ms.author: dansimp +ms.reviewer: +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/14/2020 --- diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index a8d705d870..7bc64259b1 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -2,12 +2,12 @@ title: w4 APPLICATION CSP description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index cf703e5dca..f5dc037820 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -2,12 +2,12 @@ title: w7 APPLICATION CSP description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 4c2daf739b..60791f3a53 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md 
@@ -1,13 +1,13 @@ --- title: WiFi CSP -description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device. +description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/18/2019 --- diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index 295832f932..3f1d8d46e7 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -2,12 +2,12 @@ title: WiFi DDF file description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/28/2018 --- diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index f822a664d9..824f17444b 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md 
@@ -1,14 +1,14 @@ --- title: Win32 and Desktop Bridge app ADMX policy Ingestion description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 03/23/2020 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Win32 and Desktop Bridge app ADMX policy Ingestion diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index c3d3098f0a..82a4e341dd 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -2,12 +2,12 @@ title: Win32AppInventory CSP description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md index cbb05d50b8..9cd08b73e2 100644 --- a/windows/client-management/mdm/win32appinventory-ddf-file.md +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md @@ -2,12 +2,12 @@ title: Win32AppInventory DDF file description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- 
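Review bot: In wifi-csp.md, a few files above this point, the `description:` line is removed and re-added with text that reads identically ("The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device."), so the difference is presumably whitespace only. Drop that line from the change or mention the whitespace cleanup in the commit message; as it stands it adds noise to a hunk that is otherwise a pure ownership reassignment.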
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index ea3289d926..816e68336d 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -1,14 +1,14 @@ --- title: Win32CompatibilityAppraiser CSP description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/19/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Win32CompatibilityAppraiser CSP diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md index 057c668a74..56b7cbd8ed 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md @@ -1,14 +1,14 @@ --- title: Win32CompatibilityAppraiser DDF file description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/19/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # Win32CompatibilityAppraiser DDF file diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index 6ae938bf13..0c7b48f2a8 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md 
@@ -1,16 +1,16 @@ --- title: Enterprise settings, policies, and app management description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. -MS-HAID: -- 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' -- 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' +MS-HAID: + - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' + - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 153d3dd342..48b0ea237e 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -2,12 +2,12 @@ title: WindowsAdvancedThreatProtection CSP description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 044557e1f2..cddb4f73e0 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md 
@@ -3,12 +3,12 @@ title: WindowsAdvancedThreatProtection DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP). ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index f1a5f8bb5b..b50630eea2 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -2,12 +2,12 @@ title: WindowsAutopilot CSP description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot. ms.reviewer: -manager: dansimp -ms.author: v-nsatapathy +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 05/09/2022 --- diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index d6f71e89a4..dfc52ce96c 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -1,14 +1,14 @@ --- title: WindowsAutopilot DDF file description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) . -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 02/07/2022 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WindowsAutopilot DDF file 
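Review bot: In the windowsautopilot-ddf-file.md hunk, the unchanged `description:` line ends with `(CSP) .` (stray space before the period) and does not read as a complete sentence. This hunk already rewrites the front matter around it, so fix the description in the same change. Also confirm that leaving `ms.date: 02/07/2022` untouched is intended when author, ms.author and manager all change.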
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 6a9c6a3055..e8c9563d43 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -1,14 +1,14 @@ --- title: WindowsDefenderApplicationGuard CSP description: Configure the settings in Microsoft Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 11/02/2021 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WindowsDefenderApplicationGuard CSP diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index d910c1b600..c49a7214d2 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,14 +1,14 @@ --- title: WindowsDefenderApplicationGuard DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 09/10/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WindowsDefenderApplicationGuard DDF file diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 0345c70924..f120a8272e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md 
@@ -2,12 +2,12 @@ title: WindowsLicensing CSP description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 08/15/2018 --- diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index c570da1af6..6ebeec7c74 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -2,12 +2,12 @@ title: WindowsLicensing DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsLicensing configuration service provider (CSP). ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 07/16/2017 --- diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index ff85447bbd..dd76d25d3e 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -1,14 +1,14 @@ --- title: WiredNetwork CSP description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP. Learn how it works. -ms.author: dansimp +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/27/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WiredNetwork CSP diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index f527c65745..9d071d2ad5 100644 
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md @@ -1,14 +1,14 @@ --- title: WiredNetwork DDF file -description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. -ms.author: dansimp +description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/28/2018 ms.reviewer: -manager: dansimp +manager: aaroncz --- # WiredNetwork DDF file diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index c185fbbae1..3026a02d56 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -1,16 +1,16 @@ --- title: WMI providers supported in Windows 10 description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). -MS-HAID: -- 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview' -- 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' +MS-HAID: + - 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview' + - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp +author: vinaypamnani-msft ms.date: 06/26/2017 --- diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 386ac0ed29..5bc9aad966 100644 --- a/windows/client-management/new-policies-for-windows-10.md 
+++ b/windows/client-management/new-policies-for-windows-10.md @@ -2,10 +2,10 @@ title: New policies for Windows 10 (Windows 10) description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components. ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: aaroncz +ms.author: vinpa ms.prod: w10 -author: dansimp +author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/15/2021 ms.topic: reference diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 28cd4f3642..b648d8d7c1 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -5,9 +5,9 @@ ms.prod: w10 ms.topic: article ms.technology: windows ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz ms.reviewer: pmadrigal ms.collection: highpri --- diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 021f22ec21..6dd2f0b24a 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -2,10 +2,10 @@ title: Windows 10 support solutions description: Learn where to find information about troubleshooting Windows 10 issues, for example BitLocker issues and bugcheck errors. ms.reviewer: kaushika -manager: dansimp +manager: aaroncz ms.prod: w10 -ms.author: kaushika -author: kaushika-msft +ms.author: vinpa +author: vinaypamnani-msft ms.localizationpriority: medium ms.topic: troubleshooting --- diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md index ffa5ea88a4..2ec424585c 100644 --- a/windows/client-management/windows-libraries.md +++ b/windows/client-management/windows-libraries.md 
@@ -1,13 +1,13 @@ --- ms.reviewer: -manager: dansimp +manager: aaroncz title: Windows Libraries ms.prod: windows-server-threshold -ms.author: dansimp +ms.author: vinpa ms.manager: dongill ms.technology: storage ms.topic: article -author: dansimp +author: vinaypamnani-msft description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. ms.date: 09/15/2021 --- diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index ee3d39847a..939d36455a 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md @@ -5,11 +5,11 @@ keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +author: vinaypamnani-msft +ms.author: vinpa ms.date: 04/30/2018 ms.reviewer: -manager: dansimp +manager: aaroncz ms.topic: troubleshooting --- From 34f85b93061437cb691d99d6b4fb9388149d036e Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Wed, 10 Aug 2022 16:08:50 -0600 Subject: [PATCH 68/77] Update change-history-edu.md Test with bold html in applies to metadata removed. --- education/windows/change-history-edu.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 9a1acea7a1..c43c88a990 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -13,7 +13,7 @@ ms.date: 08/10/2022 ms.reviewer: manager: aaroncz appliesto: -- ✅ Windows 10 +- ✅Windows 10 --- # Change history for Windows 10 for Education 
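Review bot: The `appliesto` change in change-history-edu.md removes only the space after the check mark (`- ✅ Windows 10` becomes `- ✅Windows 10`), while the commit message describes a test with bold HTML removed; nothing in this hunk touches HTML. If this is an experiment against a published article, run it on a topic branch instead of landing it together with a follow-up revert, or state in the message what the rendered result is expected to show.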
@@ -153,4 +153,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also | [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. | | [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
                            [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
                            [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
                            [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. | | [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in November 2015 | -| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in May 2016 | \ No newline at end of file +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in May 2016 | From c2ab234e3f3fe0b32ce2e0edc779fa6649d07c72 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Wed, 10 Aug 2022 16:16:43 -0600 Subject: [PATCH 69/77] Revert "Update change-history-edu.md" --- education/windows/change-history-edu.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index c43c88a990..9a1acea7a1 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -13,7 +13,7 @@ ms.date: 08/10/2022 ms.reviewer: manager: aaroncz appliesto: -- ✅Windows 10 +- ✅ Windows 10 --- # Change history for Windows 10 for Education @@ -153,4 +153,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also | [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. | | [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
                            [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
                            [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
                            [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. | | [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in November 2015 | -| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in May 2016 | +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in May 2016 | \ No newline at end of file From 46d1db026ad3dbbe9beddda4338b010f03c12a17 Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Wed, 10 Aug 2022 17:08:47 -0700 Subject: [PATCH 70/77] Update policy-csp-admx-deviceguard.md --- windows/client-management/mdm/policy-csp-admx-deviceguard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 1e71306db0..cd2adaf1ad 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md 
@@ -15,7 +15,7 @@ manager: dansimp # Policy CSP - ADMX_DeviceGuard > [!WARNING] -> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment]/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md). +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md). > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). From c8f895f80d5335913562774f6e3950f2a865502f Mon Sep 17 00:00:00 2001 
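Review bot: On the `[!WARNING]` line of policy-csp-admx-deviceguard.md, the link now has its opening parenthesis, but the target is a root-relative path that still ends in `.md`. The other root-relative link visible in this series, `/windows/deployment/planning/`, carries no file extension, while the relative link in the `[!TIP]` below (`./understanding-admx-backed-policies.md`) does. Confirm the build resolves the new target, or drop the `.md` so it matches the root-relative form.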
From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 11 Aug 2022 10:37:35 -0400 Subject: [PATCH 71/77] update ms.author --- .../changes-to-start-policies-in-windows-10.md | 2 +- windows/configuration/configure-windows-10-taskbar.md | 6 +++--- windows/configuration/customize-and-export-start-layout.md | 2 +- .../configuration/customize-start-menu-layout-windows-11.md | 2 +- windows/configuration/customize-taskbar-windows-11.md | 2 +- ...tomize-windows-10-start-screens-by-using-group-policy.md | 2 +- ...ws-10-start-screens-by-using-mobile-device-management.md | 2 +- ...-start-screens-by-using-provisioning-packages-and-icd.md | 2 +- ...ind-the-application-user-model-id-of-an-installed-app.md | 4 ++-- windows/configuration/guidelines-for-assigned-access-app.md | 4 ++-- windows/configuration/kiosk-additional-reference.md | 2 +- windows/configuration/kiosk-mdm-bridge.md | 2 +- windows/configuration/kiosk-methods.md | 2 +- windows/configuration/kiosk-policies.md | 2 +- windows/configuration/kiosk-prepare.md | 2 +- windows/configuration/kiosk-shelllauncher.md | 2 +- windows/configuration/kiosk-single-app.md | 2 +- windows/configuration/kiosk-troubleshoot.md | 2 +- windows/configuration/kiosk-validate.md | 2 +- windows/configuration/kiosk-xml.md | 2 +- windows/configuration/lock-down-windows-10-applocker.md | 2 +- .../configuration/lock-down-windows-10-to-specific-apps.md | 2 +- windows/configuration/lockdown-features-windows-10.md | 4 ++-- windows/configuration/manage-tips-and-suggestions.md | 4 ++-- windows/configuration/manage-wifi-sense-in-enterprise.md | 2 +- windows/configuration/provisioning-apn.md | 2 +- .../how-it-pros-can-use-configuration-service-providers.md | 4 ++-- .../provision-pcs-for-initial-deployment.md | 4 ++-- .../provision-pcs-with-apps-and-certificates.md | 4 ++-- .../provisioning-packages/provision-pcs-with-apps.md | 2 +- .../provisioning-packages/provisioning-apply-package.md | 4 ++-- 
.../provisioning-packages/provisioning-command-line.md | 2 +- .../provisioning-packages/provisioning-create-package.md | 2 +- .../provisioning-packages/provisioning-how-it-works.md | 4 ++-- .../provisioning-packages/provisioning-install-icd.md | 4 ++-- .../provisioning-packages/provisioning-multivariant.md | 2 +- .../provisioning-packages/provisioning-packages.md | 2 +- .../provisioning-packages/provisioning-powershell.md | 2 +- .../provisioning-script-to-install-app.md | 2 +- .../provisioning-packages/provisioning-uninstall-package.md | 2 +- windows/configuration/set-up-shared-or-guest-pc.md | 2 +- windows/configuration/setup-digital-signage.md | 2 +- windows/configuration/start-layout-troubleshoot.md | 2 +- windows/configuration/start-layout-xml-desktop.md | 2 +- windows/configuration/start-secondary-tiles.md | 2 +- .../stop-employees-from-using-microsoft-store.md | 2 +- .../supported-csp-start-menu-layout-windows.md | 2 +- windows/configuration/supported-csp-taskbar-windows.md | 2 +- .../configuration/windows-10-accessibility-for-ITPros.md | 4 ++-- .../windows-10-start-layout-options-and-policies.md | 2 +- windows/configuration/windows-spotlight.md | 2 +- 51 files changed, 64 insertions(+), 64 deletions(-) diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index eb7ef825c6..cac298040d 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -5,7 +5,7 @@ ms.reviewer: manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 11/28/2017 diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index e5de9e2f90..817deb9b15 100644 --- a/windows/configuration/configure-windows-10-taskbar.md 
+++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,12 +1,12 @@ --- title: Configure Windows 10 taskbar (Windows 10) -description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: ["taskbar layout","pin apps"] +description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. +keywords: [taskbar layout, pin apps] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 01/18/2018 diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 5f13879817..304ae60255 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -5,7 +5,7 @@ ms.reviewer: manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 09/18/2018 diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index 069e047309..dbe65d79f4 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -2,7 +2,7 @@ title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 author: aczechowski 
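Review bot: In the front matter of customize-start-menu-layout-windows-11.md, `ms.author` moves to `lizlong` but the unchanged `author: aczechowski` line stays, so the two fields now name different people; the same pattern repeats in the other hunks of this commit. If ownership is moving, update `author` in the same change, or say in the commit message that the split is intentional.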
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index 51335436d5..a2af4b2011 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -2,7 +2,7 @@ title: Configure and customize Windows 11 taskbar | Microsoft Docs description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded. manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 author: aczechowski diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 15c1cc2cad..d7dcbdd232 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -6,7 +6,7 @@ manager: dougeby ms.prod: w10 author: aczechowski ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.collection: highpri --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index fb50dc5a39..3757b5297b 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -6,7 +6,7 @@ manager: dougeby ms.prod: w10 author: aczechowski ms.topic: article -ms.author: aaroncz +ms.author: lizlong ms.localizationpriority: medium ms.date: 08/05/2021 --- 
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 0a2038ce7d..88c6723e8d 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -5,7 +5,7 @@ ms.reviewer: manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 6691dbace6..6e914e16d3 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -2,9 +2,9 @@ title: Find the Application User Model ID of an installed app ms.reviewer: sybruckm manager: dougeby -description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. +description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.prod: w10 diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 04f81753d3..934f02aff6 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -1,13 +1,13 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10/11) description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -keywords: ["kiosk", "lockdown", "assigned access"] +keywords: [kiosk, lockdown, assigned access] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: aczechowski ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.reviewer: sybruckm manager: dougeby diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index fda7a6c1da..df40c0da13 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -3,7 +3,7 @@ title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. ms.reviewer: sybruckm manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 509e5e3983..c2af3f933a 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -3,7 +3,7 @@ title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/1 description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. ms.reviewer: sybruckm manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index b0fe2894f6..f1495a70e4 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md 
@@ -2,7 +2,7 @@ title: Configure kiosks and digital signs on Windows 10/11 desktop editions ms.reviewer: sybruckm manager: dougeby -ms.author: aaroncz +ms.author: lizlong description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 ms.localizationpriority: medium diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index a531192fa3..68a55858d0 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -6,7 +6,7 @@ manager: dougeby ms.prod: w10 author: aczechowski ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 2712131087..2be6850a31 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -3,7 +3,7 @@ title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Doc description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. ms.reviewer: sybruckm manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 075be3e488..9eca68fa0a 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -3,7 +3,7 @@ title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. ms.reviewer: sybruckm manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.prod: w10 author: aczechowski ms.localizationpriority: medium 
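Review bot: The commit is titled "update ms.author", yet the earlier hunks for configure-windows-10-taskbar.md and guidelines-for-assigned-access-app.md also rewrite `keywords` (quotes dropped from the list items), and several `description` lines are removed and re-added with no visible difference, which points to whitespace-only edits. Split these into their own commit or mention them in the message so the ownership change stays easy to audit.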
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 7c13c2715e..eb9b78370c 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -3,7 +3,7 @@ title: Set up a single-app kiosk on Windows 10/11 description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). ms.reviewer: sybruckm manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index 091872a845..2598fdacd3 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -6,7 +6,7 @@ manager: dougeby ms.prod: w10 author: aczechowski ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index dfc4d3e91d..2a140c4bc4 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -3,7 +3,7 @@ title: Validate kiosk configuration (Windows 10/11) description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. ms.reviewer: sybruckm manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index a5f84dcc40..418f8905eb 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -6,7 +6,7 @@ manager: dougeby ms.prod: w10 author: aczechowski ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- 
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index 4552e63e33..d8ff0bbaf3 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -7,7 +7,7 @@ ms.prod: w10 author: aczechowski ms.localizationpriority: medium ms.date: 07/30/2018 -ms.author: aaroncz +ms.author: lizlong ms.topic: article --- diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index fcc521e9df..76609c6683 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -4,7 +4,7 @@ description: Learn how to configure a kiosk device running Windows 10 so that us ms.prod: w10 ms.technology: windows author: aczechowski -ms.author: aaroncz +ms.author: lizlong manager: dougeby ms.reviewer: sybruckm ms.localizationpriority: medium diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index caeb98056f..6333e2e8db 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -1,11 +1,11 @@ --- title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) -description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. +description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. ms.reviewer: manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 6eb41bde06..614afcdf94 100644 
--- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -1,9 +1,9 @@ --- title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10) -description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. +description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 09/20/2017 diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 1bd58d5c1e..3a6e33993b 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -3,7 +3,7 @@ title: Manage Wi-Fi Sense in your company (Windows 10) description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. ms.reviewer: manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index a168bce8f6..94a88f36de 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -5,7 +5,7 @@ ms.reviewer: manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 04/13/2018 diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index b37a32b863..f92b4d8548 100644 
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -1,11 +1,11 @@ --- title: Configuration service providers for IT pros (Windows 10/11) -description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. +description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. ms.reviewer: gkomatsu manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 53591bd83f..0fc61715ad 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -1,11 +1,11 @@ --- title: Provision PCs with common settings (Windows 10/11) -description: Create a provisioning package to apply common settings to a PC running Windows 10. +description: Create a provisioning package to apply common settings to a PC running Windows 10. ms.reviewer: gkomatsu manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index 45c362c928..c5214b8c16 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md 
@@ -1,9 +1,9 @@ --- title: Provision PCs with apps and certificates (Windows 10) -description: Create a provisioning package to apply settings to a PC running Windows 10. +description: Create a provisioning package to apply settings to a PC running Windows 10. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index b35c477258..cc084662f1 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -4,7 +4,7 @@ description: Learn how to install multiple Universal Windows Platform (UWP) apps ms.prod: w10 author: aczechowski ms.localizationpriority: medium -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.reviewer: gkomatsu manager: dougeby diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 97a1f3bd50..866e08b1c0 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -1,9 +1,9 @@ --- title: Apply a provisioning package (Windows 10/11) -description: Provisioning packages can be applied to a device during initial setup (OOBE) and after ("runtime"). +description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime). ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu 
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index fbe7aecde9..fe4d78d02f 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -3,7 +3,7 @@ title: Windows Configuration Designer command-line interface (Windows 10/11) description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 3d88ee9da1..3551e68464 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -3,7 +3,7 @@ title: Create a provisioning package (Windows 10/11) description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index 5d03c7ed2f..34fe1d1df7 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md 
@@ -1,9 +1,9 @@ --- title: How provisioning works in Windows 10/11 -description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. +description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index bae03efaf1..dc6daceb87 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,9 +1,9 @@ --- title: Install Windows Configuration Designer (Windows 10/11) -description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. +description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 65b4475739..011e7b444b 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -7,7 +7,7 @@ ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu manager: dougeby -ms.author: aaroncz +ms.author: lizlong --- # Create a provisioning package with multivariant settings 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index b37ea19251..a9d3e90ca6 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -5,7 +5,7 @@ ms.reviewer: gkomatsu manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.collection: highpri diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 0698178c23..96aeffe94d 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -3,7 +3,7 @@ title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11) description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index e768666071..bef6f60eb9 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md 
@@ -3,7 +3,7 @@ title: Use a script to install a desktop app in provisioning packages (Windows 1 description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 6dc35cd108..0d53112f08 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -3,7 +3,7 @@ title: Uninstall a provisioning package - reverted settings (Windows 10/11) description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index a9bfdbcfdf..174348f84a 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -3,7 +3,7 @@ title: Set up a shared or guest PC with Windows 10/11 description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: sybruckm diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index dff1da75a5..20b9f2542b 100644 --- a/windows/configuration/setup-digital-signage.md 
+++ b/windows/configuration/setup-digital-signage.md @@ -3,7 +3,7 @@ title: Set up digital signs on Windows 10/11 description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). ms.reviewer: sybruckm manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 793a35d714..5c7af721cd 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -2,7 +2,7 @@ title: Troubleshoot Start menu errors description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance. ms.prod: w10 -ms.author: aaroncz +ms.author: lizlong author: aczechowski ms.localizationpriority: medium ms.reviewer: diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index ffcdeef194..ef753cf5a1 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -3,7 +3,7 @@ title: Start layout XML for desktop editions of Windows 10 (Windows 10) description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.date: 10/02/2018 ms.reviewer: diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 20c333fb2d..abeb6c7455 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md 
@@ -4,7 +4,7 @@ description: Add app tiles on Windows 10 that's a secondary tile. ms.prod: w10 ms.localizationpriority: medium author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.reviewer: manager: dougeby diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index e819e8e329..52cd7eabfb 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -5,7 +5,7 @@ ms.reviewer: manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: conceptual ms.localizationpriority: medium ms.date: 4/16/2018 diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index 30ef22ea5a..4c0e2f19cd 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -2,7 +2,7 @@ title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu. manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 author: aczechowski diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index 40ada8b099..f1e6111ae5 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md 
@@ -2,7 +2,7 @@ title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. manager: dougeby -ms.author: aaroncz +ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 author: aczechowski diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 3f9a6310d2..91085feafc 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -1,9 +1,9 @@ --- title: Windows 10 accessibility information for IT Pros (Windows 10) -description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them +description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them keywords: accessibility, settings, vision, hearing, physical, cognition, assistive ms.prod: w10 -ms.author: aaroncz +ms.author: lizlong author: aczechowski ms.localizationpriority: medium ms.date: 01/12/2018 diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 4965185168..b97c70eb55 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -5,7 +5,7 @@ ms.reviewer: manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 08/05/2021 diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 88baf2f9e0..3d38d4a913 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md 
@@ -5,7 +5,7 @@ ms.reviewer: manager: dougeby ms.prod: w10 author: aczechowski -ms.author: aaroncz +ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 04/30/2018 From f92dc89ffa0b0795a866e9fc1533e1528d048729 Mon Sep 17 00:00:00 2001 
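Review bot: several hunks also rewrite the `description:` line, which has nothing to do with the `ms.author` swap they sit next to. In lockdown-features-windows-10.md, manage-tips-and-suggestions.md, how-it-pros-can-use-configuration-service-providers.md, provision-pcs-for-initial-deployment.md, provision-pcs-with-apps-and-certificates.md, provisioning-how-it-works.md, provisioning-install-icd.md and windows-10-accessibility-for-ITPros.md the removed and added `description:` lines read the same as shown here, so the difference is presumably whitespace only. In provisioning-apply-package.md the text itself changes, from `("runtime")` to `(runtime)`. Please move these into their own commit or call them out in the commit message so the metadata change stays a one-line-per-file diff. If the description in provisioning-how-it-works.md is being rewritten anyway, "how provisioning package work" could become "how provisioning packages work" in the same edit.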
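Review bot: `author: aczechowski` stays as unchanged context in the hunks that show it (kiosk-policies.md, kiosk-prepare.md, provisioning-apn.md, windows-spotlight.md and others) while `ms.author` in the same front-matter block moves from aaroncz to lizlong. After this patch each of those blocks carries `author: aczechowski` beside `ms.author: lizlong`. Please confirm whether `author` is meant to stay; if these articles are being handed over, update it in this change so the two fields do not drift apart, and otherwise note in the commit message that only `ms.author` is intended to change.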
From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 11 Aug 2022 10:43:54 -0400 Subject: [PATCH 72/77] update manager --- .../configuration/changes-to-start-policies-in-windows-10.md | 2 +- windows/configuration/configure-windows-10-taskbar.md | 2 +- windows/configuration/customize-and-export-start-layout.md | 2 +- windows/configuration/customize-start-menu-layout-windows-11.md | 2 +- windows/configuration/customize-taskbar-windows-11.md | 2 +- .../customize-windows-10-start-screens-by-using-group-policy.md | 2 +- ...indows-10-start-screens-by-using-mobile-device-management.md | 2 +- ...s-10-start-screens-by-using-provisioning-packages-and-icd.md | 2 +- .../find-the-application-user-model-id-of-an-installed-app.md | 2 +- windows/configuration/guidelines-for-assigned-access-app.md | 2 +- windows/configuration/kiosk-additional-reference.md | 2 +- windows/configuration/kiosk-mdm-bridge.md | 2 +- windows/configuration/kiosk-methods.md | 2 +- windows/configuration/kiosk-policies.md | 2 +- windows/configuration/kiosk-prepare.md | 2 +- windows/configuration/kiosk-shelllauncher.md | 2 +- windows/configuration/kiosk-single-app.md | 2 +- windows/configuration/kiosk-troubleshoot.md | 2 +- windows/configuration/kiosk-validate.md | 2 +- windows/configuration/kiosk-xml.md | 2 +- windows/configuration/lock-down-windows-10-applocker.md | 2 +- windows/configuration/lock-down-windows-10-to-specific-apps.md | 2 +- windows/configuration/lockdown-features-windows-10.md | 2 +- windows/configuration/manage-tips-and-suggestions.md | 2 +- windows/configuration/manage-wifi-sense-in-enterprise.md | 2 +- windows/configuration/provisioning-apn.md | 2 +- .../how-it-pros-can-use-configuration-service-providers.md | 2 +- .../provision-pcs-for-initial-deployment.md | 2 +- .../provision-pcs-with-apps-and-certificates.md | 2 +- .../provisioning-packages/provision-pcs-with-apps.md | 2 +- .../provisioning-packages/provisioning-apply-package.md | 2 +- 
.../provisioning-packages/provisioning-command-line.md | 2 +- .../provisioning-packages/provisioning-create-package.md | 2 +- .../provisioning-packages/provisioning-how-it-works.md | 2 +- .../provisioning-packages/provisioning-install-icd.md | 2 +- .../provisioning-packages/provisioning-multivariant.md | 2 +- .../provisioning-packages/provisioning-packages.md | 2 +- .../provisioning-packages/provisioning-powershell.md | 2 +- .../provisioning-packages/provisioning-script-to-install-app.md | 2 +- .../provisioning-packages/provisioning-uninstall-package.md | 2 +- windows/configuration/set-up-shared-or-guest-pc.md | 2 +- windows/configuration/setup-digital-signage.md | 2 +- windows/configuration/start-layout-troubleshoot.md | 2 +- windows/configuration/start-layout-xml-desktop.md | 2 +- windows/configuration/start-secondary-tiles.md | 2 +- .../configuration/stop-employees-from-using-microsoft-store.md | 2 +- .../configuration/supported-csp-start-menu-layout-windows.md | 2 +- windows/configuration/supported-csp-taskbar-windows.md | 2 +- windows/configuration/windows-10-accessibility-for-ITPros.md | 2 +- .../windows-10-start-layout-options-and-policies.md | 2 +- windows/configuration/windows-spotlight.md | 2 +- 51 files changed, 51 insertions(+), 51 deletions(-) diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index cac298040d..6a1469e275 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -2,7 +2,7 @@ title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10) description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong 
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 817deb9b15..cbfc12a885 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -11,7 +11,7 @@ ms.topic: article ms.localizationpriority: medium ms.date: 01/18/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.collection: highpri --- # Configure Windows 10 taskbar diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 304ae60255..fc49dda74a 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -2,7 +2,7 @@ title: Customize and export Start layout (Windows 10) description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index dbe65d79f4..30d49689cd 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -1,7 +1,7 @@ --- title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. -manager: dougeby +manager: aaroncz ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index a2af4b2011..fed390074e 100644 
--- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -1,7 +1,7 @@ --- title: Configure and customize Windows 11 taskbar | Microsoft Docs description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded. -manager: dougeby +manager: aaroncz ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index d7dcbdd232..548fcd7e0f 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -2,7 +2,7 @@ title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 3757b5297b..033599816e 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -2,7 +2,7 @@ title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.topic: article diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 88c6723e8d..286c73d39f 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -2,7 +2,7 @@ title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 6e914e16d3..1952039c37 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -1,7 +1,7 @@ --- title: Find the Application User Model ID of an installed app ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. author: aczechowski ms.author: lizlong 
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 934f02aff6..8d22327906 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium ms.author: lizlong ms.topic: article ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index df40c0da13..f32cf1e388 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -2,7 +2,7 @@ title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.author: lizlong ms.prod: w10 author: aczechowski diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index c2af3f933a..645aafe872 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -2,7 +2,7 @@ title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.author: lizlong ms.prod: w10 author: aczechowski diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index f1495a70e4..d77ba786dd 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md 
@@ -1,7 +1,7 @@ --- title: Configure kiosks and digital signs on Windows 10/11 desktop editions ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.author: lizlong description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 68a55858d0..317bd6c9f8 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -2,7 +2,7 @@ title: Policies enforced on kiosk devices (Windows 10/11) description: Learn about the policies enforced on a device when you configure it as a kiosk. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 2be6850a31..c2ec6d4156 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -2,7 +2,7 @@ title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.author: lizlong ms.prod: w10 author: aczechowski diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 9eca68fa0a..ee7ffbd000 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -2,7 +2,7 @@ title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.author: lizlong ms.prod: w10 author: aczechowski 
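Review bot: the `title` context line in the kiosk-shelllauncher.md hunk just above reads "Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11)", which states the version twice. Since this pass already touches the front matter, consider dropping the trailing "(Windows 10/11)"; the kiosk-mdm-bridge.md title earlier in this patch has the same duplication.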
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index eb9b78370c..ae72bdf35b 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -2,7 +2,7 @@ title: Set up a single-app kiosk on Windows 10/11 description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.author: lizlong ms.prod: w10 author: aczechowski diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index 2598fdacd3..e8fc3cbdb2 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -2,7 +2,7 @@ title: Troubleshoot kiosk mode issues (Windows 10/11) description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index 2a140c4bc4..29414e5de3 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -2,7 +2,7 @@ title: Validate kiosk configuration (Windows 10/11) description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.author: lizlong ms.prod: w10 author: aczechowski diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 418f8905eb..4822af984d 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md 
@@ -2,7 +2,7 @@ title: Assigned Access configuration kiosk XML reference (Windows 10/11) description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index d8ff0bbaf3..881c5923b4 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -2,7 +2,7 @@ title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10) description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 76609c6683..df27be70d5 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.technology: windows author: aczechowski ms.author: lizlong -manager: dougeby +manager: aaroncz ms.reviewer: sybruckm ms.localizationpriority: medium ms.topic: how-to diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index 6333e2e8db..621a8e32a9 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md 
@@ -2,7 +2,7 @@ title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 614afcdf94..949c254378 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -8,7 +8,7 @@ ms.topic: article ms.localizationpriority: medium ms.date: 09/20/2017 ms.reviewer: -manager: dougeby +manager: aaroncz --- # Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 3a6e33993b..4f43c1ec67 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -2,7 +2,7 @@ title: Manage Wi-Fi Sense in your company (Windows 10) description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. ms.reviewer: -manager: dougeby +manager: aaroncz ms.author: lizlong ms.prod: w10 author: aczechowski diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index 94a88f36de..6fda9df643 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -2,7 +2,7 @@ title: Configure cellular settings for tablets and PCs (Windows 10) description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong 
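Review bot: the `description` context line in the provisioning-apn.md hunk just above reads "tablets and PC with built-in cellular modems", while the `title` on the line before it says "tablets and PCs". Suggest fixing the description to "tablets and PCs with built-in cellular modems" while the front matter is being edited.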
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index f92b4d8548..0aa040948e 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -2,7 +2,7 @@ title: Configuration service providers for IT pros (Windows 10/11) description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 0fc61715ad..434642c5e9 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -2,7 +2,7 @@ title: Provision PCs with common settings (Windows 10/11) description: Create a provisioning package to apply common settings to a PC running Windows 10. ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index c5214b8c16..fdaa444c9e 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md 
@@ -8,7 +8,7 @@ ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: -manager: dougeby +manager: aaroncz --- # Provision PCs with apps and certificates for initial deployment (advanced provisioning) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index cc084662f1..848f203b99 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.author: lizlong ms.topic: article ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Provision PCs with apps diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 866e08b1c0..266b58dcfa 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Apply a provisioning package diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index fe4d78d02f..afafcc2b1e 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Windows Configuration Designer command-line interface (reference) 
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 3551e68464..af2eff53cd 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index 34fe1d1df7..d42c2d9565 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # How provisioning works in Windows diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index dc6daceb87..130a128c97 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 011e7b444b..53358fe07d 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md 
@@ -6,7 +6,7 @@ author: aczechowski ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.author: lizlong --- diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index a9d3e90ca6..6ff0b845e8 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -2,7 +2,7 @@ title: Provisioning packages overview on Windows 10/11 description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 96aeffe94d..6e85692eff 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # PowerShell cmdlets for provisioning Windows client (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index bef6f60eb9..7cecad44c5 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md 
@@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Use a script to install a desktop app in provisioning packages diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 0d53112f08..6da9aadd73 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu -manager: dougeby +manager: aaroncz --- # Settings changed when you uninstall a provisioning package diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 174348f84a..2abfa45f96 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.collection: highpri --- diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index 20b9f2542b..ac5289b0bb 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -2,7 +2,7 @@ title: Set up digital signs on Windows 10/11 description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). ms.reviewer: sybruckm -manager: dougeby +manager: aaroncz ms.author: lizlong ms.prod: w10 author: aczechowski diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 5c7af721cd..4dded80d35 100644 
--- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -6,7 +6,7 @@ ms.author: lizlong author: aczechowski ms.localizationpriority: medium ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: troubleshooting ms.collection: highpri --- diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index ef753cf5a1..34420bfe1d 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -7,7 +7,7 @@ ms.author: lizlong ms.topic: article ms.date: 10/02/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.localizationpriority: medium ms.collection: highpri --- diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index abeb6c7455..79b8efd0a7 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -7,7 +7,7 @@ author: aczechowski ms.author: lizlong ms.topic: article ms.reviewer: -manager: dougeby +manager: aaroncz --- # Add image for secondary Microsoft Edge tiles diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 52cd7eabfb..7d626c1229 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -2,7 +2,7 @@ title: Configure access to Microsoft Store (Windows 10) description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index 4c0e2f19cd..360b0a8b82 100644 
--- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -1,7 +1,7 @@ --- title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu. -manager: dougeby +manager: aaroncz ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index f1e6111ae5..6084e1d2b7 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -1,7 +1,7 @@ --- title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. -manager: dougeby +manager: aaroncz ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 91085feafc..90ec9973cf 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -8,7 +8,7 @@ author: aczechowski ms.localizationpriority: medium ms.date: 01/12/2018 ms.reviewer: -manager: dougeby +manager: aaroncz ms.topic: reference --- diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index b97c70eb55..bb6944717f 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md 
@@ -2,7 +2,7 @@ title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 3d38d4a913..e9cef0c59b 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -2,7 +2,7 @@ title: Configure Windows Spotlight on the lock screen (Windows 10) description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.reviewer: -manager: dougeby +manager: aaroncz ms.prod: w10 author: aczechowski ms.author: lizlong From fa1414a7716f274200e9b7829124b2afac29ac20 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Thu, 11 Aug 2022 11:03:28 -0400 Subject: [PATCH 73/77] Metadata update windows\application-management --- .../add-apps-and-features.md | 6 ++-- .../apps-in-windows-10.md | 8 ++--- ...enterprise-background-activity-controls.md | 10 +++--- .../includes/app-v-end-life-statement.md | 6 ++-- .../applies-to-windows-client-versions.md | 6 ++-- windows/application-management/index.yml | 6 ++-- .../manage-windows-mixed-reality.md | 8 ++--- .../per-user-services-in-windows.md | 32 +++++++++---------- ...epository-mdm-company-portal-windows-11.md | 6 ++-- .../provisioned-apps-windows-client-os.md | 8 ++--- .../remove-provisioned-apps-during-update.md | 8 ++--- .../sideload-apps-in-windows-10.md | 6 ++-- .../svchost-service-refactoring.md | 6 ++-- .../system-apps-windows-client-os.md | 6 ++-- 14 files changed, 61 insertions(+), 61 deletions(-) 
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index 9ee3c86345..a625c4f1c7 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md @@ -2,12 +2,12 @@ title: Add or hide optional apps and features on Windows devices | Microsoft Docs description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.localizationpriority: medium ms.date: 08/30/2021 ms.reviewer: -manager: dougeby ms.topic: article ms.collection: highpri --- diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index ba0a92dcf7..0c38b376be 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -1,11 +1,11 @@ --- title: Learn about the different app types in Windows 10/11 | Microsoft Docs -ms.reviewer: -manager: dougeby description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz +ms.reviewer: ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index d85b5ea89f..60cb9c5b79 100644 
--- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -1,13 +1,13 @@ --- -author: aczechowski title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. -ms.author: aaroncz +ms.prod: w10 +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 10/03/2017 ms.reviewer: -manager: dougeby ms.topic: article -ms.prod: w10 --- # Remove background task resource restrictions 
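Review bot: the reordered front matter in enterprise-background-activity-controls.md keeps `ms.date: 10/03/2017` and an empty `ms.reviewer:`, yet the next hunk in this same file rewrites a sentence in the article body. If `ms.date` is meant to reflect the last content review, update it here, and either fill in `ms.reviewer` or leave a note on why it stays blank.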
@@ -43,7 +43,7 @@ Starting with Windows 10, version 1703, enterprises can control background activ `./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_ForceDenyTheseApps`  `./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_UserInControlOfTheseApps` -These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. See [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) for more information about these policies. +These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. For more information about these policies, visit [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground). An app can determine which settings are in place for itself by using [BackgroundExecutionManager.RequestAccessAsync](/uwp/api/Windows.ApplicationModel.Background.BackgroundAccessStatus) before any background activity is attempted, and then examining the returned [BackgroundAccessStatus](/uwp/api/windows.applicationmodel.background.backgroundaccessstatus) enumeration. The values of this enumeration correspond to settings in the **battery usage by App** settings page:     diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md index 17dace9c69..87c9ec2b04 100644 
--- a/windows/application-management/includes/app-v-end-life-statement.md +++ b/windows/application-management/includes/app-v-end-life-statement.md @@ -1,9 +1,9 @@ --- -author: aczechowski -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 09/20/2021 ms.reviewer: -manager: dougeby ms.prod: w10 ms.topic: include --- diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md index 7cb153ddb7..b26f9904a6 100644 --- a/windows/application-management/includes/applies-to-windows-client-versions.md +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -1,9 +1,9 @@ --- -author: aczechowski -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 09/28/2021 ms.reviewer: -manager: dougeby ms.prod: w10 ms.topic: include --- diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index 8f6b781ec5..e13b0747f4 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -13,9 +13,9 @@ metadata: ms.collection: - windows-10 - highpri - author: aczechowski - ms.author: aaroncz - manager: dougeby + author: nicholasswhite + ms.author: nwhite + manager: aaroncz ms.date: 08/24/2021 #Required; mm/dd/yyyy format. ms.localizationpriority : medium diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 122ffdd4f1..e0270672bb 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
@@ -2,11 +2,11 @@ title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10/11) description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises. ms.reviewer: -manager: dougeby +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.prod: w10 ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz ms.topic: article --- @@ -58,7 +58,7 @@ IT admins can also create [Side by side feature store (shared folder)](/previous You can use the [AppLocker configuration service provider (CSP)](/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. -In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. +In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. ```xml diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 4657bd8ea3..7735990889 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md 
@@ -2,11 +2,11 @@ title: Per-user services in Windows 10 and Windows Server description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 09/14/2017 ms.reviewer: -manager: dougeby --- # Per-user services in Windows 10 and Windows Server @@ -41,7 +41,7 @@ Before you disable any of these services, review the **Description** column in t | 1803 | DevicePickerUserSvc | DevicePicker | Manual | | Device Picker | | 1703 | DevicesFlowUserSvc | DevicesFlow | Manual | | Device Discovery and Connecting | | 1703 | MessagingService | MessagingService | Manual | | Service supporting text messaging and related functionality | -| 1607 | OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service is not running. | +| 1607 | OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service isn't running. | | 1607 | PimIndexMaintenanceSvc | Contact Data | Manual | UnistoreSvc | Indexes contact data for fast contact searching. If you stop or disable this service, search results might not display all contacts. | | 1709 | PrintWorkflowUserSvc | PrintWorkflow | Manual | | Print Workflow | | 1607 | UnistoreSvc | User Data Storage | Manual | | Handles storage of structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | 
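Review bot: the second hunk in per-user-services-in-windows.md changes table body text in the OneSyncSvc row ("is not running" to "isn't running"), which is outside what the commit subject "Metadata update windows\application-management" describes. Either move the wording edits in this file to their own commit or mention them in the subject so that the history for the front-matter change stays easy to audit.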
@@ -71,7 +71,7 @@ In light of these restrictions, you can use the following methods to manage per- ### Manage template services using a security template -You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information. +You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). For more information, visit [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings). For example: 
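Review bot: the rewritten cross-reference in this hunk ("For more information, visit [Administer security policy settings]") uses "visit", while other articles touched in this series keep "see" for cross-references (for example "see [Configure Additional Authentication Methods for AD FS]" in hello-cert-trust-validate-deploy-mfa.md). Suggest "For more information, see [Administer security policy settings](...)" so the wording stays consistent. Both links in the sentence also resolve to the same article, one with the #bkmk-sectmpl anchor, so the second link could be dropped.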
@@ -87,13 +87,13 @@ Revision=1 ### Manage template services using Group Policy preferences -If a per-user service can't be disabled using a the security template, you can disable it by using Group Policy preferences. +If a per-user service can't be disabled using the security template, you can disable it by using Group Policy preferences. -1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**. +1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520) installed, select **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**. 2. Create a new Group Policy Object (GPO) or use an existing GPO. -3. Right-click the GPO and click **Edit** to launch the Group Policy Object Editor. +3. Right-click the GPO and select **Edit** to launch the Group Policy Object Editor. 4. Depending on how you want to target the Group Policy, under **Computer configuration** or **User configuration** browse to Preferences\Windows Settings\Registry. 
@@ -101,23 +101,23 @@ If a per-user service can't be disabled using a the security template, you can d ![Group Policy preferences disabling per-user services.](media/gpp-per-user-services.png) -6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path. +6. Make sure that HKEY_Local_Machine is selected for Hive and then select ... (the ellipses) next to Key Path. ![Choose HKLM.](media/gpp-hklm.png) -7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**. +7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and select **Select**. ![Select Start.](media/gpp-svc-start.png) -8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. +8. Change **Value data** from **00000003** to **00000004** and select **OK**. Note setting the Value data to **4** = **Disabled**. ![Startup Type is Disabled.](media/gpp-svc-disabled.png) -9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8. +9. To add the other services that can't be managed with a Group Policy templates, edit the policy and repeat steps 5-8. ### Managing Template Services with reg.exe -If you cannot use Group Policy Preferences to manage the per-user services, you can edit the registry with reg.exe. +If you can't use Group Policy Preferences to manage the per-user services, you can edit the registry with reg.exe. To disable the Template Services, change the Startup Type for each service to 4 (disabled). For example: 
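Review bot: step 9 on the added side still reads "can't be managed with a Group Policy templates", a singular article with a plural noun. Since the line is already being rewritten, drop the "a" or make "templates" singular. In the same hunk, the click-to-select replacement leaves step 7 as "highlight **Start** and select **Select**", which reads awkwardly; "choose **Select**" avoids the doubled word. Step 8's "Note setting the Value data to **4** = **Disabled**" would also read better as a full sentence, because this is the value an administrator has to get right when disabling a service.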
@@ -135,7 +135,7 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE ### Managing Template Services with regedit.exe -If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled): +If you can't use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled): ![Using Regedit to change servive Starup Type.](media/regedit-change-service-startup-type.png) @@ -159,7 +159,7 @@ Sample script using [sc.exe](/previous-versions/windows/it-pro/windows-server-20 ``` sc.exe configure start= disabled ``` -Note that the space after "=" is intentional. +The space after "=" is intentional. Sample script using the [Set-Service PowerShell cmdlet](/previous-versions/windows/it-pro/windows-powershell-1.0/ee176963(v=technet.10)): @@ -169,7 +169,7 @@ Set-Service -StartupType Disabled ## View per-user services in the Services console (services.msc) -As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they are displayed using the \_LUID format (where LUID is the locally unique identifier). +As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they're displayed using the \_LUID format (where LUID is the locally unique identifier). For example, you might see the following per-user services listed in the Services console: diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index 45f7dec8fa..b039ab012b 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md 
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -1,11 +1,11 @@ --- title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices. -manager: dougeby -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.reviewer: amanh ms.prod: w11 -author: aczechowski ms.date: 09/15/2021 ms.localizationpriority: medium --- diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index c155a0e790..b61fb4f87e 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -1,11 +1,11 @@ --- title: Get the provisioned apps on Windows client operating system | Microsoft Docs ms.reviewer: -manager: dougeby +author: nicholasswhite +ms.author: nwhite +manager: aaroncz description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 -ms.author: aaroncz -author: aczechowski ms.localizationpriority: medium ms.topic: article --- 
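Review bot: the `description:` context line in the provisioned-apps-windows-client-os.md front-matter hunk still contains two typos, "get a list off the provisioned apps" and "installed a Windows Enterprise client computer". The front matter is being edited here anyway, so correct them to "a list of" and "installed on a". The same "list off" wording appears in the system-apps-windows-client-os.md description later in this patch.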
@@ -17,7 +17,7 @@ ms.topic: article - Windows 10 - Windows 11 -Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They are per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. +Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They're per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed. This article lists some of the built-in provisioned apps on the different Windows client OS versions, and lists the Windows PowerShell command to get a list. diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index d05b8db3c7..817364d24a 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md 
@@ -2,17 +2,17 @@ title: How to keep apps removed from Windows 10 from returning during an update description: How to keep provisioned apps that were removed from your machine from returning during an update. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 05/25/2018 ms.reviewer: -manager: dougeby --- # How to keep apps removed from Windows 10 from returning during an update > Applies to: Windows 10 (General Availability Channel) -When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed return post-update. This can happen if the computer was offline when you removed the apps. This issue was fixed in Windows 10, version 1803. +When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed post-update. This can happen if the computer was offline when you removed the apps. Windows 10, version 1803 has fixed this issue. >[!NOTE] >* This issue only occurs after a feature update (from one version to the next), not monthly updates or security-related updates. diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 0e20c16ba3..466370dcd1 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -2,10 +2,10 @@ title: Sideload LOB apps in Windows client OS | Microsoft Docs description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems, including Windows 10/11. When you sideload an app, you deploy a signed app package to a device. ms.reviewer: -manager: dougeby -ms.author: aaroncz +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.prod: w10 -author: aczechowski ms.localizationpriority: medium --- 
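Review bot: in the remove-provisioned-apps-during-update.md hunk, the rewritten opening sentence loses its verb. "you might see provisioned apps that you previously removed post-update" no longer says the apps come back, and now reads as if the apps were removed after the update. The removed line had "previously removed return post-update"; restore "return" (or use "reappear after the update") so the sentence still describes the issue named in the article title.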
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 7fe5fa1c05..67476d451f 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -2,11 +2,11 @@ title: Service Host service refactoring in Windows 10 version 1703 description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703. ms.prod: w10 -ms.author: aaroncz -author: aczechowski +author: nicholasswhite +ms.author: nwhite +manager: aaroncz ms.date: 07/20/2017 ms.reviewer: -manager: dougeby --- # Changes to Service Host grouping in Windows 10 diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index 89689b0d06..eef2f72573 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md @@ -1,11 +1,11 @@ --- title: Get the system apps on Windows client operating system | Microsoft Docs ms.reviewer: -manager: dougeby +author: nicholasswhite +ms.author: nwhite +manager: aaroncz description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11. ms.prod: w10 -ms.author: aaroncz -author: aczechowski ms.localizationpriority: medium ms.topic: article --- From 5d16eefbc131143205ffb3b942d6bc79d1c7025d Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 11 Aug 2022 11:05:18 -0400 Subject: [PATCH 74/77] updated metadata for WHFB --- .../hello-for-business/WebAuthnAPIs.md | 8 +++---- .../feature-multifactor-unlock.md | 16 ++++++------- .../hello-aad-join-cloud-only-deploy.md | 8 +++---- .../hello-adequate-domain-controllers.md | 23 +++++++++--------- .../hello-and-password-changes.md | 16 ++++++------- .../hello-biometrics-in-enterprise.md | 15 ++++++------ .../hello-cert-trust-adfs.md | 20 +++++++--------- .../hello-cert-trust-policy-settings.md | 19 +++++++-------- .../hello-cert-trust-validate-ad-prereq.md | 20 +++++++--------- .../hello-cert-trust-validate-deploy-mfa.md | 20 +++++++--------- .../hello-cert-trust-validate-pki.md | 21 +++++++--------- .../hello-deployment-cert-trust.md | 20 +++++++--------- .../hello-deployment-guide.md | 7 +++--- .../hello-deployment-issues.md | 8 +++---- .../hello-deployment-key-trust.md | 20 +++++++--------- .../hello-deployment-rdp-certs.md | 20 +++++++--------- .../hello-errors-during-pin-creation.md | 15 ++++++------ .../hello-for-business/hello-event-300.md | 16 ++++++------- .../hello-for-business/hello-faq.yml | 7 +++--- .../hello-feature-conditional-access.md | 8 +++---- .../hello-feature-dual-enrollment.md | 8 +++---- .../hello-feature-dynamic-lock.md | 15 ++++++------ .../hello-feature-pin-reset.md | 7 +++--- .../hello-feature-remote-desktop.md | 8 +++---- .../hello-how-it-works-authentication.md | 16 ++++++------- .../hello-how-it-works-provisioning.md | 16 ++++++------- .../hello-how-it-works-technology.md | 16 ++++++------- .../hello-for-business/hello-how-it-works.md | 16 ++++++------- .../hello-hybrid-aadj-sso-base.md | 22 ++++++++--------- .../hello-hybrid-aadj-sso-cert.md | 22 ++++++++--------- .../hello-hybrid-aadj-sso.md | 18 ++++++-------- .../hello-hybrid-cert-new-install.md | 20 +++++++--------- .../hello-hybrid-cert-trust-devreg.md | 20 +++++++--------- 
.../hello-hybrid-cert-trust-prereqs.md | 20 +++++++--------- .../hello-hybrid-cert-trust.md | 20 +++++++--------- .../hello-hybrid-cert-whfb-provision.md | 20 +++++++--------- .../hello-hybrid-cert-whfb-settings-ad.md | 20 +++++++--------- .../hello-hybrid-cert-whfb-settings-adfs.md | 20 +++++++--------- ...ello-hybrid-cert-whfb-settings-dir-sync.md | 20 +++++++--------- .../hello-hybrid-cert-whfb-settings-pki.md | 20 +++++++--------- .../hello-hybrid-cert-whfb-settings-policy.md | 19 +++++++-------- .../hello-hybrid-cert-whfb-settings.md | 20 +++++++--------- .../hello-hybrid-cloud-trust.md | 16 ++++++------- .../hello-hybrid-key-new-install.md | 21 +++++++--------- .../hello-hybrid-key-trust-devreg.md | 20 +++++++--------- .../hello-hybrid-key-trust-dirsync.md | 20 +++++++--------- .../hello-hybrid-key-trust-prereqs.md | 13 ++++------ .../hello-hybrid-key-trust.md | 20 +++++++--------- .../hello-hybrid-key-whfb-provision.md | 19 +++++++-------- .../hello-hybrid-key-whfb-settings-ad.md | 19 +++++++-------- ...hello-hybrid-key-whfb-settings-dir-sync.md | 20 +++++++--------- .../hello-hybrid-key-whfb-settings-pki.md | 21 +++++++--------- .../hello-hybrid-key-whfb-settings-policy.md | 20 +++++++--------- .../hello-hybrid-key-whfb-settings.md | 24 +++++++------------ .../hello-identity-verification.md | 7 +++--- .../hello-key-trust-adfs.md | 20 +++++++--------- .../hello-key-trust-policy-settings.md | 21 +++++++--------- .../hello-key-trust-validate-ad-prereq.md | 20 +++++++--------- .../hello-key-trust-validate-deploy-mfa.md | 20 +++++++--------- .../hello-key-trust-validate-pki.md | 21 +++++++--------- .../hello-manage-in-organization.md | 15 ++++++------ .../hello-for-business/hello-overview.md | 16 ++++++------- .../hello-planning-guide.md | 15 ++++++------ .../hello-prepare-people-to-use.md | 16 ++++++------- .../hello-for-business/hello-videos.md | 16 ++++++------- .../hello-why-pin-is-better-than-password.md | 16 ++++++------- .../hello-for-business/index.yml | 
7 +++--- .../microsoft-compatible-security-key.md | 8 +++---- .../passwordless-strategy.md | 8 +++---- .../hello-for-business/reset-security-key.md | 8 +++---- .../retired/hello-how-it-works.md | 8 +++---- 71 files changed, 527 insertions(+), 638 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md index af4b0207cd..c84b17cee4 100644 --- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md +++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md @@ -2,14 +2,14 @@ title: WebAuthn APIs description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/15/2019 -ms.reviewer: --- # WebAuthn APIs for password-less authentication on Windows diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 46c5ce15d2..50dac1c934 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md 
@@ -2,22 +2,20 @@ title: Multi-factor Unlock description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 03/20/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Multi-factor Unlock -**Applies to:** - -- Windows 10 -- Windows 11 - **Requirements:** * Windows Hello for Business deployment (Cloud, Hybrid or On-premises) * Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index a22fdc4c4b..f83577bd98 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -2,14 +2,14 @@ title: Azure Active Directory join cloud only deployment description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 06/23/2021 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz --- # Azure Active Directory join cloud only deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 201f155223..edba592b4e 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -2,24 +2,23 @@ title: Having enough Domain Controllers for Windows Hello for Business deployments description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Windows Server 2016 or later +- ✅ Hybrid or On-Premises deployment +- ✅ Key trust --- # Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -**Applies to** - -- Windows 10, version 1703 or later, or Windows 11 -- Windows Server, versions 2016 or later -- Hybrid or On-Premises deployment -- Key trust - > [!NOTE] >There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044). 
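Review bot: the new `appliesto` list in this front-matter hunk drops a version qualifier that the removed **Applies to** section carried. "Windows 10, version 1703 or later, or Windows 11" becomes "✅ Windows 10" and "✅ Windows 11", so the minimum client version is no longer stated anywhere in the visible lines. If 1703 is still the minimum for key trust, keep it in the list entry or state it in the body, since readers use this to decide whether a client can take part in the deployment.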
@@ -90,7 +89,7 @@ Using the same methods described above, monitor the Kerberos authentication afte ```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."``` -Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. +Where *n* equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 or newer domain controllers. If there is only one Windows Server 2016 or newer domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 409d7ad594..0b82e155e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md 
@@ -1,23 +1,21 @@ --- title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.reviewer: ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello and password changes -**Applies to** - -- Windows 10 -- Windows 11 - When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. ## Example diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 1b7fc74348..ebbea60361 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md 
@@ -2,24 +2,23 @@ title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium ms.date: 01/12/2021 +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello biometrics in the enterprise -**Applies to:** - -- Windows 10 -- Windows 11 - Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. >[!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 7c1152e8bf..8763270456 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -2,24 +2,22 @@ title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 01/14/2021 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust/b> --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index eda6b35e15..e976e88743 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
@@ -2,25 +2,24 @@ title: Configure Windows Hello for Business Policy settings - certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium ms.date: 08/20/2018 +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust/b> --- # Configure Windows Hello for Business Policy settings - Certificate Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 281f5bf449..ffeb72f7a9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -2,24 +2,22 @@ title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business) description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust/b> --- # Validate Active Directory prerequisites for cert-trust deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 865759bf10..4fe4a8935e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md 
@@ -2,24 +2,22 @@ title: Validate and Deploy MFA for Windows Hello for Business with certificate trust description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust/b> --- # Validate and Deploy Multi-Factor Authentication feature -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index d6356353aa..fc4eb5a6f9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md 
@@ -2,25 +2,22 @@ title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust/b> --- # Validate and Configure Public Key Infrastructure - Certificate Trust Model -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - - Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. ## Deploy an enterprise certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 278560bbc5..167eb0b472 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md 
@@ -2,24 +2,22 @@ title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment description: A guide to on premises, certificate trust Windows Hello for Business deployment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +ms.reviewer: prsriva +manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployments +- ✅ Certificate trust/b> --- # On Premises Certificate Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Certificate trust - Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index afe7fdf157..0f2c45e2f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -2,9 +2,10 @@ title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri 
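Review bot: The added front-matter line `+- ✅ Certificate trust/b>` in the hello-deployment-cert-trust.md hunk ends in a stray `/b>`, which looks like the tail of a broken closing tag and would end up in the applies-to value as written. Drop the `/b>` so the entry reads `- ✅ Certificate trust`. The same added line appears in the three certificate-trust hunks before this one (the Active Directory schema, MFA and PKI pages), so fix it there too.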
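Review bot: The minimum Windows 10 version is lost in the hello-cert-trust-validate-pki.md hunk: the removed body list said `Windows 10, version 1703 or later`, while the new `appliesto` entry is just `- ✅ Windows 10`. If 1703 is still the floor for this deployment model, keep it in the front-matter entry or in a sentence in the body. The same hunk also changes the label from `On-premises deployment` to `On-premises deployments`, whereas the hello-deployment-key-trust.md hunk keeps the singular; use one form.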
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 47d8b38c53..43ff73fc92 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -3,14 +3,14 @@ title: Windows Hello for Business Deployment Known Issues description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues params: siblings_only ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/03/2021 -ms.reviewer: --- # Windows Hello for Business Known Deployment Issues diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 280f51120d..faab624132 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md 
@@ -2,24 +2,22 @@ title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to on premises, key trust Windows Hello for Business deployment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # On Premises Key Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 5df469ff3e..d0cc1cad93 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md 
@@ -2,25 +2,23 @@ title: Deploying Certificates to Key Trust Users to Enable RDP description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/22/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Deploying Certificates to Key Trust Users to Enable RDP -**Applies To** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. This document discusses an approach for key trust deployments where authentication certificates can be deployed to an existing key trust user. diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index d7987dc9bc..d995550c13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -2,24 +2,23 @@ title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: troubleshooting ms.localizationpriority: medium ms.date: 05/05/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello errors during PIN creation -**Applies to** - -- Windows 10 -- Windows 11 - When you set up Windows Hello in Windows client, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. ## Where is the error code? diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index 3e481d0f4d..8fa58bce19 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md 
@@ -1,24 +1,22 @@ --- title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.reviewer: ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Event ID 300 - Windows Hello successfully created -**Applies to** - -- Windows 10 -- Windows 11 - This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. ## Event details diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index a0c26cb08e..0047419c51 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -8,9 +8,10 @@ metadata: ms.sitesec: library ms.pagetype: security, mobile audience: ITPro - author: GitPrakhar13 - ms.author: prsriva - manager: dansimp + author: paolomatarazzo + ms.author: paoloma + manager: aaroncz + ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index 5dac00754e..2acbb4823a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -2,14 +2,14 @@ title: Conditional Access description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 09/09/2019 -ms.reviewer: --- # Conditional access diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 445df8f5a8..489d5513cf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -2,14 +2,14 @@ title: Dual Enrollment description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 09/09/2019 -ms.reviewer: --- # Dual Enrollment diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index bdd56753a1..4fbe94952d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
@@ -2,22 +2,21 @@ title: Dynamic lock description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 07/12/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Dynamic lock -**Requirements:** - -* Windows 10, version 1703 or later - Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 64e72640b6..5b2df11202 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -2,9 +2,10 @@ title: Pin Reset description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index b622e6277f..6e297b92e3 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -2,14 +2,14 @@ title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/24/2021 -ms.reviewer: --- # Remote Desktop diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 76b94b5ddb..909df0b77b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md 
@@ -2,22 +2,20 @@ title: How Windows Hello for Business works - Authentication description: Learn about the authentication flow for Windows Hello for Business. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 02/15/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello for Business and Authentication -**Applies to:** - -- Windows 10 -- Windows 11 - Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources. Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index c81ed991e1..7d93ef16b8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md 
@@ -2,22 +2,20 @@ title: How Windows Hello for Business works - Provisioning description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 2/15/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello for Business Provisioning -**Applies to:** - -- Windows 10 -- Windows 11 - Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on: - How the device is joined to Azure Active Directory diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 1813f3e403..ff24499d85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md 
@@ -2,23 +2,21 @@ title: How Windows Hello for Business works - technology and terms description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 10/08/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Technology and terms -**Applies to:** - -- Windows 10 -- Windows 11 - ## Attestation identity keys Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 768b3a0e02..cb5b134268 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md 
@@ -2,22 +2,20 @@ title: How Windows Hello for Business works description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/05/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How Windows Hello for Business works in Windows Devices -**Applies to** - -- Windows 10 -- Windows 11 - Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices. Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 51f303b2ba..cb658f8704 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -2,26 +2,24 @@ title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: medium ms.date: 01/14/2021 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Azure Active Directory-join +- ✅ Hybrid Deployment +- ✅ Key trust model --- # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business - -**Applies to** - -- Windows 10 -- Windows 11 -- Azure Active Directory-joined -- Hybrid Deployment -- Key trust model - ## Prerequisites Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 53931e113c..3e922b467b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -2,26 +2,24 @@ title: Using Certificates for AADJ On-premises Single-sign On single sign-on description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Azure AD-join +- ✅ Hybrid Deployment +- ✅ Certificate trust model --- # Using Certificates for AADJ On-premises Single-sign On -**Applies to:** - -- Windows 10 -- Windows 11 -- Azure Active Directory-joined -- Hybrid Deployment -- Certificate trust - If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 1acba0f5b3..0842bb52e6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md 
@@ -2,24 +2,20 @@ title: Azure AD Join Single Sign-on Deployment description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Azure AD Join Single Sign-on Deployment -**Applies to** - -- Windows 10 -- Windows 11 -- Azure Active Directory-joined -- Hybrid deployment - Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate. ## Key vs. Certificate diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 546fe98a8e..1dbae77cc3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -2,24 +2,22 @@ title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 2d15af954c..b35fa21dac 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -2,24 +2,22 @@ title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index edba57fd05..b6d189d7c1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -2,24 +2,22 @@ title: Hybrid Azure AD joined Windows Hello for Business Prerequisites description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Windows Hello for Business Prerequisites -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index f9c3cf3feb..72086e9d13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md 
@@ -2,24 +2,22 @@ title: Hybrid Certificate Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 09/08/2017 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Certificate Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index f6e69dad32..6721675b09 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -2,24 +2,22 @@ title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index f8b0c788c1..230a694361 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md 
@@ -2,24 +2,22 @@ title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD) description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ### Creating Security Groups diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index ed13229f6a..03989ad22c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
@@ -2,24 +2,22 @@ title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS) description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - ## Federation Services The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 3dea044165..7e29ef7f6a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md 
@@ -2,25 +2,23 @@ title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate Trust - ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 0a7da03055..e604fc736f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -2,25 +2,23 @@ title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid Deployment -- Certificate Trust - Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index bba12adf27..2708e9a22c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -2,23 +2,22 @@ title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust ## Policy Configuration diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index ec22d31a65..c0ba9ce415 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
@@ -2,24 +2,22 @@ title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Certificate trust --- # Configure Hybrid Azure AD joined Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Certificate trust - Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 1f4f7f1f17..e8589d8b29 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md 
@@ -2,22 +2,20 @@ title: Hybrid Cloud Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 2/15/2022 -ms.reviewer: +appliesto: +- ✅ Windows 10 21H2 and later +- ✅ Windows 11 --- # Hybrid Cloud Trust Deployment (Preview) -Applies to - -- Windows 10, version 21H2 -- Windows 11 and later - Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. ## Introduction to Cloud Trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 66a720d026..98599d9132 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md 
@@ -2,25 +2,22 @@ title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - - Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 4d064c210c..1c1867312d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md 
@@ -2,25 +2,23 @@ title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/04/2022 ms.reviewer: prsriva - +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 299e93c00c..d3e68887fd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md 
@@ -2,24 +2,22 @@ title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 0850fae7f7..66fae5f56b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -9,17 +9,14 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 833968247b..7a7e3f3eed 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md 
@@ -2,24 +2,22 @@ title: Hybrid Key Trust Deployment (Windows Hello for Business) description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Hybrid Azure AD joined Key Trust Deployment -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 925d6d12e8..7985f54d92 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md 
@@ -2,23 +2,22 @@ title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: --- # Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust ## Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index bbdde28351..49124b1ddf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md 
@@ -2,23 +2,22 @@ title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD) description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: --- # Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 0ed4142f70..1092173f9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md 
@@ -2,24 +2,22 @@ title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 5f2d0ed289..8a9e8ee322 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md 
@@ -2,25 +2,22 @@ title: Configure Hybrid Azure AD joined key trust Windows Hello for Business description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 04/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- - # Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid Deployment -- Key trust - Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 26b31e209b..4522c3b93d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md 
@@ -2,24 +2,22 @@ title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Configuring Hybrid key trust Windows Hello for Business - Group Policy ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - ## Policy Configuration You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 29c29de56f..ea0439b451 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md 
@@ -2,24 +2,22 @@ title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Key trust --- # Configure Hybrid Azure AD joined Windows Hello for Business key trust settings -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- Hybrid deployment -- Key trust - You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business. > [!IMPORTANT] @@ -36,10 +34,6 @@ For the most efficient deployment, configure these technologies in order beginni > [!div class="step-by-step"] > [Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md) -

                            - -
                            - ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 185768fe63..7a9e8e62b1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -2,9 +2,10 @@ title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index d2c141ca3a..8761b3eaf6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -2,24 +2,22 @@ title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 5baf31a055..b954e4d073 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md 
@@ -2,25 +2,22 @@ title: Configure Windows Hello for Business Policy settings - key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Configure Windows Hello for Business Policy settings - Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - - You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index c8227d9536..64195a8b82 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md 
@@ -2,24 +2,22 @@ title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Validate Active Directory prerequisites - Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 968ae0d5b0..81e0df5016 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md 
@@ -2,27 +2,25 @@ title: Validate and Deploy MFA for Windows Hello for Business with key trust description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- # Validate and Deploy Multifactor Authentication (MFA) > [!IMPORTANT] > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 809720fdba..d12ad32ade 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -2,25 +2,22 @@ title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +- ✅ On-premises deployment +- ✅ Key trust --- - # Validate and Configure Public Key Infrastructure - Key Trust -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 -- On-premises deployment -- Key trust - Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. ## Deploy an enterprise certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index deba83abae..7127970af5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md 
@@ -2,24 +2,23 @@ title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 2/15/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Manage Windows Hello for Business in your organization -**Applies to** - -- Windows 10 -- Windows 11 - You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. >[!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 37a81d4995..3199b2ae91 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
@@ -3,23 +3,21 @@ title: Windows Hello for Business Overview (Windows) ms.reviewer: An overview of Windows Hello for Business description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: conceptual localizationpriority: medium +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Windows Hello for Business Overview -**Applies to** - -- Windows 10 -- Windows 11 - In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. >[!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 3212485067..c1dc768999 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -2,23 +2,22 @@ title: Planning a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article localizationpriority: conceptual ms.date: 09/16/2020 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Planning a Windows Hello for Business Deployment -**Applies to** - -- Windows 10 -- Windows 11 - Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 6b57daee9c..dd469ded49 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md 
@@ -3,22 +3,20 @@ title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. ms.reviewer: ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Prepare people to use Windows Hello -**Applies to** - -- Windows 10 -- Windows 11 - When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device. diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 05c92d9ba2..139a74ae31 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md 
@@ -2,22 +2,20 @@ title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 07/26/2022 ms.reviewer: paoloma +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Windows Hello for Business Videos - -**Applies to** - -- Windows 10 -- Windows 11 - ## Overview of Windows Hello for Business and Features Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index ef30d59ed1..887d2893eb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
@@ -2,24 +2,22 @@ title: Why a PIN is better than an online password (Windows) description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password . ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: article ms.localizationpriority: medium ms.date: 10/23/2017 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- - # Why a PIN is better than an online password -**Applies to** - -- Windows 10 -- Windows 11 - Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 62c038bd6b..bdd841ab2c 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml 
@@ -8,9 +8,10 @@ metadata: description: Learn how to manage and deploy Windows Hello for Business. ms.prod: m365-security ms.topic: landing-page - author: GitPrakhar13 - manager: dansimp - ms.author: prsriva + author: paolomatarazzo + ms.author: paoloma + manager: aaroncz + ms.reviewer: prsriva ms.date: 01/22/2021 ms.collection: - M365-identity-device-management diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index 75645f288d..2d0f9aed02 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md @@ -2,14 +2,14 @@ title: Microsoft-compatible security key description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 11/14/2018 -ms.reviewer: --- # What is a Microsoft-compatible security key? diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 74765dffac..333d6270a0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -2,10 +2,10 @@ title: Password-less strategy description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp -ms.reviewer: +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: conceptual localizationpriority: medium diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index e2f9b9e978..3818cf29e6 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md @@ -2,14 +2,14 @@ title: Reset-security-key description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key ms.prod: m365-security -author: GitPrakhar13 -ms.author: prsriva -manager: dansimp +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 11/14/2018 -ms.reviewer: --- # How to reset a Microsoft-compatible security key? > [!Warning] diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 29e42655ab..b703e6ea15 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md 
@@ -9,14 +9,12 @@ ms.date: 10/16/2017 ms.reviewer: manager: dansimp ms.topic: article +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # How Windows Hello for Business works in Windows devices -**Applies to** - -- Windows 10 -- Windows 11 - Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. ## Register a new user or device From 70ec50ca576d09a5b42916548d5ff9adb9e66136 Mon Sep 17 00:00:00 2001 
From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 11 Aug 2022 11:07:27 -0400 Subject: [PATCH 75/77] update author --- .../configuration/changes-to-start-policies-in-windows-10.md | 2 +- windows/configuration/configure-windows-10-taskbar.md | 2 +- windows/configuration/customize-and-export-start-layout.md | 2 +- windows/configuration/customize-start-menu-layout-windows-11.md | 2 +- windows/configuration/customize-taskbar-windows-11.md | 2 +- .../customize-windows-10-start-screens-by-using-group-policy.md | 2 +- ...indows-10-start-screens-by-using-mobile-device-management.md | 2 +- ...s-10-start-screens-by-using-provisioning-packages-and-icd.md | 2 +- .../find-the-application-user-model-id-of-an-installed-app.md | 2 +- windows/configuration/guidelines-for-assigned-access-app.md | 2 +- windows/configuration/kiosk-additional-reference.md | 2 +- windows/configuration/kiosk-mdm-bridge.md | 2 +- windows/configuration/kiosk-methods.md | 2 +- windows/configuration/kiosk-policies.md | 2 +- windows/configuration/kiosk-prepare.md | 2 +- windows/configuration/kiosk-shelllauncher.md | 2 +- windows/configuration/kiosk-single-app.md | 2 +- windows/configuration/kiosk-troubleshoot.md | 2 +- windows/configuration/kiosk-validate.md | 2 +- windows/configuration/kiosk-xml.md | 2 +- windows/configuration/lock-down-windows-10-applocker.md | 2 +- windows/configuration/lock-down-windows-10-to-specific-apps.md | 2 +- windows/configuration/lockdown-features-windows-10.md | 2 +- windows/configuration/manage-tips-and-suggestions.md | 2 +- windows/configuration/manage-wifi-sense-in-enterprise.md | 2 +- windows/configuration/provisioning-apn.md | 2 +- .../how-it-pros-can-use-configuration-service-providers.md | 2 +- .../provision-pcs-for-initial-deployment.md | 2 +- .../provision-pcs-with-apps-and-certificates.md | 2 +- .../provisioning-packages/provision-pcs-with-apps.md | 2 +- .../provisioning-packages/provisioning-apply-package.md | 2 +- 
.../provisioning-packages/provisioning-command-line.md | 2 +- .../provisioning-packages/provisioning-create-package.md | 2 +- .../provisioning-packages/provisioning-how-it-works.md | 2 +- .../provisioning-packages/provisioning-install-icd.md | 2 +- .../provisioning-packages/provisioning-multivariant.md | 2 +- .../provisioning-packages/provisioning-packages.md | 2 +- .../provisioning-packages/provisioning-powershell.md | 2 +- .../provisioning-packages/provisioning-script-to-install-app.md | 2 +- .../provisioning-packages/provisioning-uninstall-package.md | 2 +- windows/configuration/set-up-shared-or-guest-pc.md | 2 +- windows/configuration/setup-digital-signage.md | 2 +- windows/configuration/start-layout-troubleshoot.md | 2 +- windows/configuration/start-layout-xml-desktop.md | 2 +- windows/configuration/start-secondary-tiles.md | 2 +- .../configuration/stop-employees-from-using-microsoft-store.md | 2 +- .../configuration/supported-csp-start-menu-layout-windows.md | 2 +- windows/configuration/supported-csp-taskbar-windows.md | 2 +- windows/configuration/windows-10-accessibility-for-ITPros.md | 2 +- .../windows-10-start-layout-options-and-policies.md | 2 +- windows/configuration/windows-spotlight.md | 2 +- 51 files changed, 51 insertions(+), 51 deletions(-) diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 6a1469e275..350a9ffd87 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -4,7 +4,7 @@ description: Learn about changes to Group Policy settings for the Windows 10 Sta ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium 
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index cbfc12a885..53a58baf77 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -5,7 +5,7 @@ keywords: [taskbar layout, pin apps] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index fc49dda74a..747d7491b2 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -4,7 +4,7 @@ description: The easiest method for creating a customized Start layout is to set ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index 30d49689cd..d50036f2c7 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -5,7 +5,7 @@ manager: aaroncz ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.collection: highpri --- diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index fed390074e..f9af3940ce 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md 
@@ -5,7 +5,7 @@ manager: aaroncz ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.collection: highpri --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 548fcd7e0f..dff79978bd 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -4,7 +4,7 @@ description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 033599816e..d14d3320b6 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -4,7 +4,7 @@ description: In Windows 10, you can use a mobile device management (MDM) policy ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.topic: article ms.author: lizlong ms.localizationpriority: medium diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 286c73d39f..33777e162b 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -4,7 +4,7 @@ description: In Windows 10, you can use a provisioning package to deploy a cust ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 1952039c37..27d56ce3c5 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -3,7 +3,7 @@ title: Find the Application User Model ID of an installed app ms.reviewer: sybruckm manager: aaroncz description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 8d22327906..28d7a44308 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -5,7 +5,7 @@ keywords: [kiosk, lockdown, assigned access] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index f32cf1e388..3028bbe1c0 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -5,7 +5,7 @@ ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: reference --- 
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 645aafe872..abda04599e 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -5,7 +5,7 @@ ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index d77ba786dd..f2071ae8ea 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -6,7 +6,7 @@ ms.author: lizlong description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 ms.localizationpriority: medium -author: aczechowski +author: lizgt2000 ms.topic: article ms.collection: highpri --- diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 317bd6c9f8..fda5b337bf 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -4,7 +4,7 @@ description: Learn about the policies enforced on a device when you configure it ms.reviewer: sybruckm manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index c2ec6d4156..011b3f06f3 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -5,7 +5,7 @@ ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index ee7ffbd000..b2ccf80c40 100644 
--- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -5,7 +5,7 @@ ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index ae72bdf35b..8410a63f1f 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -5,7 +5,7 @@ ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article ms.collection: highpri diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index e8fc3cbdb2..ad0602aff4 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md @@ -4,7 +4,7 @@ description: Learn how to troubleshoot single-app and multi-app kiosk configurat ms.reviewer: sybruckm manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index 29414e5de3..6a43b111e8 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -5,7 +5,7 @@ ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 4822af984d..d26ff8c364 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md 
@@ -4,7 +4,7 @@ description: Learn about the assigned access configuration (kiosk) for XML and X ms.reviewer: sybruckm manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index 881c5923b4..7c5751d47e 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -4,7 +4,7 @@ description: Learn how to use AppLocker to configure a kiosk device running Wind ms.reviewer: sybruckm manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.date: 07/30/2018 ms.author: lizlong diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index df27be70d5..209003e5e1 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -3,7 +3,7 @@ title: Set up a multi-app kiosk on Windows 10 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. ms.prod: w10 ms.technology: windows -author: aczechowski +author: lizgt2000 ms.author: lizlong manager: aaroncz ms.reviewer: sybruckm diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index 621a8e32a9..05bf244383 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -4,7 +4,7 @@ description: Many of the lockdown features available in Windows Embedded 8.1 Ind ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium 
diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 949c254378..13dd5ee45a 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -2,7 +2,7 @@ title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10) description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 4f43c1ec67..eaff525abc 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -5,7 +5,7 @@ ms.reviewer: manager: aaroncz ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index 6fda9df643..2971e83a97 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -4,7 +4,7 @@ description: Enterprises can provision cellular settings for tablets and PC with ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 0aa040948e..3e4b126512 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -4,7 +4,7 @@ description: Describes how IT pros and system administrators can use configurati ms.reviewer: gkomatsu manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 434642c5e9..149f92d455 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -4,7 +4,7 @@ description: Create a provisioning package to apply common settings to a PC runn ms.reviewer: gkomatsu manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index fdaa444c9e..2e3e08cf89 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -2,7 +2,7 @@ title: Provision PCs with apps and certificates (Windows 10) description: Create a provisioning package to apply settings to a PC running Windows 10. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index 848f203b99..c96322afd3 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md 
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -2,7 +2,7 @@ title: Provision PCs with apps (Windows 10/11) description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 266b58dcfa..f3f3796147 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -2,7 +2,7 @@ title: Apply a provisioning package (Windows 10/11) description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime). ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index afafcc2b1e..365710b8c3 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -2,7 +2,7 @@ title: Windows Configuration Designer command-line interface (Windows 10/11) description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium 
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index af2eff53cd..a7fc0987ba 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -2,7 +2,7 @@ title: Create a provisioning package (Windows 10/11) description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index d42c2d9565..935cd2807e 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -2,7 +2,7 @@ title: How provisioning works in Windows 10/11 description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 130a128c97..6440a0c7d2 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md 
@@ -2,7 +2,7 @@ title: Install Windows Configuration Designer (Windows 10/11) description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 53358fe07d..36f22395b0 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -2,7 +2,7 @@ title: Create a provisioning package with multivariant settings (Windows 10/11) description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.topic: article ms.localizationpriority: medium ms.reviewer: gkomatsu diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 6ff0b845e8..48a18fc43e 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -4,7 +4,7 @@ description: With Windows 10 and Windows 11, you can create provisioning package ms.reviewer: gkomatsu manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 6e85692eff..76c5aaf5a9 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md 
@@ -2,7 +2,7 @@ title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11) description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 7cecad44c5..b203cd0294 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -2,7 +2,7 @@ title: Use a script to install a desktop app in provisioning packages (Windows 10/11) description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 6da9aadd73..553df87c89 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -2,7 +2,7 @@ title: Uninstall a provisioning package - reverted settings (Windows 10/11) description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium 
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 2abfa45f96..191ecb60c4 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -2,7 +2,7 @@ title: Set up a shared or guest PC with Windows 10/11 description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index ac5289b0bb..572cd93eff 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -5,7 +5,7 @@ ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.date: 09/20/2021 ms.topic: article diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 4dded80d35..28d3a28707 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -3,7 +3,7 @@ title: Troubleshoot Start menu errors description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance. ms.prod: w10 ms.author: lizlong -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.reviewer: manager: aaroncz diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 34420bfe1d..4d719d63a3 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md 
@@ -2,7 +2,7 @@ title: Start layout XML for desktop editions of Windows 10 (Windows 10) description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.date: 10/02/2018 diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 79b8efd0a7..23f838107a 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -3,7 +3,7 @@ title: Add image for secondary Microsoft Edge tiles (Windows 10) description: Add app tiles on Windows 10 that's a secondary tile. ms.prod: w10 ms.localizationpriority: medium -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.reviewer: diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 7d626c1229..03338078f4 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -4,7 +4,7 @@ description: Learn how to configure access to Microsoft Store for client compute ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: conceptual ms.localizationpriority: medium diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index 360b0a8b82..cc9735faab 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -5,7 +5,7 @@ manager: aaroncz ms.author: lizlong ms.reviewer: ericpapa ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium --- 
diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index 6084e1d2b7..da0f246bc9 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -5,7 +5,7 @@ manager: aaroncz ms.author: lizlong ms.reviewer: chataylo ms.prod: w11 -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium --- diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 90ec9973cf..12c67263e2 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -4,7 +4,7 @@ description: Lists the various accessibility features available in Windows 10 wi keywords: accessibility, settings, vision, hearing, physical, cognition, assistive ms.prod: w10 ms.author: lizlong -author: aczechowski +author: lizgt2000 ms.localizationpriority: medium ms.date: 01/12/2018 ms.reviewer: diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index bb6944717f..11028a1ef0 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -4,7 +4,7 @@ description: On Windows devices, customize the start menu layout and taskbar usi ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index e9cef0c59b..dcd61a2045 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md 
@@ -4,7 +4,7 @@ description: Windows Spotlight is an option for the lock screen background that ms.reviewer: manager: aaroncz ms.prod: w10 -author: aczechowski +author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium From 3affbd14657f6fa4ca1d1295d231a54c0d0e7b1e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 11 Aug 2022 11:16:55 -0400 Subject: [PATCH 76/77] updated metadata --- .../hello-for-business/hello-hybrid-key-trust-devreg.md | 1 - .../identity-protection/hello-for-business/hello-overview.md | 1 - .../hello-for-business/hello-prepare-people-to-use.md | 1 - .../identity-protection/hello-for-business/hello-videos.md | 1 - 4 files changed, 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 1c1867312d..49cd5d3b42 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -10,7 +10,6 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 05/04/2022 -ms.reviewer: prsriva appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 3199b2ae91..6a355853aa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
@@ -1,6 +1,5 @@ --- title: Windows Hello for Business Overview (Windows) -ms.reviewer: An overview of Windows Hello for Business description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. ms.prod: m365-security author: paolomatarazzo diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index dd469ded49..89efd738ea 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -1,7 +1,6 @@ --- title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.reviewer: ms.prod: m365-security author: paolomatarazzo ms.author: paoloma diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 139a74ae31..cf437e3bee 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -10,7 +10,6 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 07/26/2022 -ms.reviewer: paoloma appliesto: - ✅ Windows 10 - ✅ Windows 11 From 1ff8468e0fcb4be6bbf9f400b778c18c33b811da Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 11 Aug 2022 11:31:27 -0400 Subject: [PATCH 77/77] update --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 3 +++ .../hello-for-business/hello-cert-trust-adfs.md | 2 +- .../hello-for-business/hello-cert-trust-policy-settings.md | 2 +- .../hello-cert-trust-validate-ad-prereq.md | 2 +- .../hello-cert-trust-validate-deploy-mfa.md | 2 +- .../hello-for-business/hello-cert-trust-validate-pki.md | 2 +- .../hello-for-business/hello-deployment-cert-trust.md | 2 +- .../identity-protection/hello-for-business/hello-faq.yml | 5 +++-- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- .../hello-for-business/hello-hybrid-key-whfb-provision.md | 6 ++---- .../hello-for-business/passwordless-strategy.md | 3 +++ 12 files changed, 19 insertions(+), 14 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index f83577bd98..1c3acf11f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -10,6 +10,9 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: prsriva manager: aaroncz +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Azure Active Directory join cloud only deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 8763270456..da1d9d6154 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -14,7 +14,7 @@ appliesto: - ✅ Windows 10 - ✅ Windows 11 - ✅ On-premises deployments -- ✅ Certificate trust/b> +- ✅ Certificate trust --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index e976e88743..36186166cf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -16,7 +16,7 @@ appliesto: - ✅ Windows 10 - ✅ Windows 11 - ✅ On-premises deployments -- ✅ Certificate trust/b> +- ✅ Certificate trust --- # Configure Windows Hello for Business Policy settings - Certificate Trust diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index ffeb72f7a9..9d4ca3a2f5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -14,7 +14,7 @@ appliesto: - ✅ Windows 10 - ✅ Windows 11 - ✅ On-premises deployments -- ✅ Certificate trust/b> +- ✅ Certificate trust --- # Validate Active Directory prerequisites for cert-trust deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 4fe4a8935e..5ec79ae891 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md 
@@ -14,7 +14,7 @@ appliesto: - ✅ Windows 10 - ✅ Windows 11 - ✅ On-premises deployments -- ✅ Certificate trust/b> +- ✅ Certificate trust --- # Validate and Deploy Multi-Factor Authentication feature diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index fc4eb5a6f9..578db1bd4e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -14,7 +14,7 @@ appliesto: - ✅ Windows 10 - ✅ Windows 11 - ✅ On-premises deployments -- ✅ Certificate trust/b> +- ✅ Certificate trust --- # Validate and Configure Public Key Infrastructure - Certificate Trust Model diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 167eb0b472..21b67500a6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -14,7 +14,7 @@ appliesto: - ✅ Windows 10 - ✅ Windows 11 - ✅ On-premises deployments -- ✅ Certificate trust/b> +- ✅ Certificate trust --- # On Premises Certificate Trust Deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 0047419c51..5900a1444c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -18,11 +18,12 @@ metadata: ms.topic: faq localizationpriority: medium ms.date: 02/21/2022 + appliesto: + - ✅ Windows 10 + - ✅ Windows 11 title: Windows Hello for Business Frequently Asked Questions (FAQ) summary: | - Applies to: Windows 10 - sections: - name: Ignored diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index cb658f8704..c936ab0e6a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -17,7 +17,7 @@ appliesto: - ✅ Windows 11 - ✅ Azure Active Directory-join - ✅ Hybrid Deployment -- ✅ Key trust model +- ✅ Key trust --- # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business ## Prerequisites diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 3e922b467b..875fe62728 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -15,7 +15,7 @@ appliesto: - ✅ Windows 11 - ✅ Azure AD-join - ✅ Hybrid Deployment -- ✅ Certificate trust model +- ✅ Certificate trust --- # Using Certificates for AADJ On-premises Single-sign On diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 7985f54d92..4b009fe228 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md 
@@ -10,15 +10,13 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 4/30/2021 ---- -# Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning appliesto: - ✅ Windows 10 - ✅ Windows 11 - ✅ Hybrid deployment - ✅ Key trust - - +--- +# Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 333d6270a0..be9b81f965 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -10,6 +10,9 @@ ms.collection: M365-identity-device-management ms.topic: conceptual localizationpriority: medium ms.date: 05/24/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- # Password-less strategy
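Review bot: in the `author: aczechowski` to `author: lizgt2000` hunks under windows/configuration, the unchanged context lines carry description typos that ship as they are: `Windows 10 and Windows has shared PC mode` in set-up-shared-or-guest-pc.md, `how provisioning package work` in provisioning-how-it-works.md, and `Windows10/11` in provisioning-command-line.md and provisioning-powershell.md. Since every one of these front-matter blocks is already being edited, fix the descriptions in the same pass or open a follow-up. Several of the same blocks also keep an empty `ms.reviewer:` key next to the new author, which is worth either filling in or dropping.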
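Review bot: PATCH 76/77 deletes `ms.reviewer` from four files for what look like different reasons, and the subject `updated metadata` does not say which one is intended. In hello-overview.md the removed value `An overview of Windows Hello for Business` was misplaced text and in hello-prepare-people-to-use.md the key was empty, but hello-hybrid-key-trust-devreg.md and hello-videos.md lose real aliases (`prsriva`, `paoloma`), while the context of the next patch shows hello-aad-join-cloud-only-deploy.md still carrying `ms.reviewer: prsriva`. State whether the field is being retired across the Hello for Business set; if it is, remove it everywhere in one commit, and if not, restore the two aliases.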
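Review bot: in the hello-faq.yml hunk of PATCH 77/77, deleting `Applies to: Windows 10` and the blank line after it leaves `summary: |` with an empty block scalar directly before `sections:`. Either drop the `summary` key or give it a one-line summary so the page does not render an empty lead. The new `appliesto:` list is nested under `metadata:` here, unlike the top-level front-matter key in the Markdown files, so confirm the build picks it up for a YAML page. `ms.date: 02/21/2022` is also left unchanged in the same block.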
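Review bot: the `appliesto` labels touched by PATCH 77/77 are still not uniform after this cleanup. `Key trust model` and `Certificate trust model` are shortened, but hello-hybrid-aadj-sso-base.md keeps `Azure Active Directory-join` while hello-hybrid-aadj-sso-cert.md has `Azure AD-join`, and both use `Hybrid Deployment` where hello-hybrid-key-whfb-provision.md has `Hybrid deployment`. Pick one spelling and casing and apply it in this commit. In hello-hybrid-key-whfb-provision.md, moving `---` below the list correctly puts `appliesto:` inside the front matter, but the two deleted blank lines leave the closing `---`, the `# Hybrid Azure AD joined ...` title and `## Provisioning` on consecutive lines; keep a blank line after the fence and after the title. The subject `update` does not mention the `Certificate trust/b>` residue fix that accounts for seven of the twelve files, so a descriptive subject would help anyone searching history for it.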