From dd4b16cba7cdccecf9eddab29a6c877c1b8db510 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 13 Jun 2022 11:44:46 +0530 Subject: [PATCH] Updated as per feedback --- ...ct-data-using-enterprise-site-discovery.md | 8 +++---- ...ct-data-using-enterprise-site-discovery.md | 8 +++---- ...he-internet-explorer-11-blocker-toolkit.md | 2 +- .../ie11-faq/faq-ie11-blocker-toolkit.yml | 4 ++-- .../windows/chromebook-migration-guide.md | 2 +- .../app-v/appv-capacity-planning.md | 2 +- .../app-v/appv-supported-configurations.md | 2 +- .../mdm/applicationcontrol-csp.md | 4 ++-- .../ue-v/uev-deploy-required-features.md | 2 +- .../configuration/ue-v/uev-sync-methods.md | 2 +- windows/deployment/deploy-windows-to-go.md | 2 +- ...oyment-considerations-for-windows-to-go.md | 2 +- ...ndows-to-go-frequently-asked-questions.yml | 2 +- .../update-compliance-configuration-mem.md | 2 +- .../upgrade/resolution-procedures.md | 2 +- .../demonstrate-deployment-on-vm.md | 2 +- ...ndows-diagnostic-events-and-fields-1703.md | 4 ++-- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 4 ++-- ...ndows-diagnostic-events-and-fields-1903.md | 2 +- .../retired/hello-how-it-works.md | 2 +- .../bitlocker-management-for-enterprises.md | 2 +- .../deploy-appid-tagging-policies.md | 4 ++-- ...-apps-deployed-with-a-managed-installer.md | 2 +- .../create-wdac-deny-policy.md | 2 +- ...e-wdac-policy-for-fully-managed-devices.md | 22 ++++++++----------- ...wdac-policy-for-lightly-managed-devices.md | 20 +++++++---------- .../deploy-wdac-policies-with-memcm.md | 12 +++++----- .../example-wdac-base-policies.md | 2 +- .../feature-availability.md | 2 +- .../types-of-devices.md | 5 +---- ...ication-control-policy-design-decisions.md | 2 +- ...control-with-intelligent-security-graph.md | 4 ++-- 34 files changed, 66 insertions(+), 77 deletions(-) diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index 9e5e461261..91c262c502 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -138,7 +138,7 @@ Before you can start to collect your data, you must run the provided PowerShell -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.

-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. @@ -235,7 +235,7 @@ After you’ve collected your data, you’ll need to get the local files off of -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.

-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### Collect your hardware inventory using the MOF Editor while connected to a client device You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. @@ -277,8 +277,8 @@ You can collect your hardware inventory using the MOF Editor and a .MOF import f 4. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports. -### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. +### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. **To collect your inventory** diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 63709888c6..24265e0261 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -142,7 +142,7 @@ Before you can start to collect your data, you must run the provided PowerShell -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.

-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. @@ -239,7 +239,7 @@ After you’ve collected your data, you’ll need to get the local files off of -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.

-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### Collect your hardware inventory using the MOF Editor while connected to a client device You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. @@ -281,8 +281,8 @@ You can collect your hardware inventory using the MOF Editor and a .MOF import f 4. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports. -### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. +### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. **To collect your inventory** diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index 3ec3c7c763..13e84a6792 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -75,7 +75,7 @@ If you use Automatic Updates in your company, but want to stop your users from a > [!NOTE] >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-for-it-pros-ie11.yml). -- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. +- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. > [!NOTE] > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml index 178595abf4..618ec339b5 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml +++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml @@ -22,7 +22,7 @@ summary: | Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. > [!Important] - > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. + > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. - [Automatic updates delivery process](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#automatic-updates-delivery-process) @@ -47,7 +47,7 @@ sections: - question: | Whtools cI use to manage Windows Updates and Microsoft Updates in my company? answer: | - We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)). + We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)). - question: | How long does the blocker mechanism work? diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 37e9cba645..6ecad551d4 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -485,7 +485,7 @@ Table 9. Management systems and deployment resources |--- |--- | |Windows provisioning packages|

  • [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
  • [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
  • [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)| |Group Policy|
  • [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
  • [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"| -|Configuration Manager|
  • [Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
  • [Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))| +|Configuration Manager|
  • [Site Administration for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
  • [Deploying Clients for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))| |Intune|
  • [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)
  • [System Center 2012 R2 Configuration Manager &amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)| |MDT|
  • [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)| diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 969926e2ed..1b99178358 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -34,7 +34,7 @@ You can also manage your App-V environment using an electronic software distribu * **Standalone model**—The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone mode only needs the sequencer and the client; no extra components are required. Applications are prepared for virtualization using a process called sequencing. For more information, see [Planning for the App-V Sequencer and Client deployment](appv-planning-for-sequencer-and-client-deployment.md). The standalone model is recommended for the following scenarios: * When there are disconnected remote users who can't connect to the App-V infrastructure. - * When you're running a software management system, such as System Center 2012 Configuration Manager. + * When you're running a software management system, such as Configuration Manager. * When network bandwidth limitations inhibit electronic software distribution. * **Full infrastructure model**—The full infrastructure model provides for software distribution, management, and reporting capabilities; it also includes the streaming of applications across the network. The App-V full infrastructure model consists of one or more App-V management servers that can be used to publish applications to all clients. Publishing places the virtual application icons and shortcuts on the target computer. It can also stream applications to local users. For more information about how to install the management server, see [Planning for App-V Server deployment](appv-planning-for-appv-server-deployment.md). The full infrastructure model is recommended for the following scenarios: diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 071879bc7c..2522c24732 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -119,7 +119,7 @@ See the Windows or Windows Server documentation for the hardware requirements. ## Supported versions of Microsoft Endpoint Configuration Manager -The App-V client works with Configuration Manager versions starting with Technical Preview for System Center Configuration Manager, version 1606. +The App-V client works with Configuration Manager versions starting with Technical Preview for Configuration Manager, version 1606. ## Related articles diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 2975a094c7..8440d7e79f 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -152,7 +152,7 @@ Value type is char. ## Microsoft Endpoint Manager (MEM) Intune Usage Guidance -For customers using Intune standalone or hybrid management with Microsoft Endpoint Manager Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). +For customers using Intune standalone or hybrid management with Microsoft Endpoint Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). ## Generic MDM Server Usage Guidance @@ -301,7 +301,7 @@ An example of Delete command is: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). +The ApplicationControl CSP can also be managed locally from PowerShell or via Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). ### Setup for using the WMI Bridge diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index 22cfb858c0..b41463da76 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -49,7 +49,7 @@ The settings storage location is defined by setting the SettingsStoragePath conf - Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings -- With the [System Center Configuration Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V +- With the [Configuration Manager Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V - With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md) diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md index 31ae2008ce..47ddb1c82a 100644 --- a/windows/configuration/ue-v/uev-sync-methods.md +++ b/windows/configuration/ue-v/uev-sync-methods.md @@ -31,7 +31,7 @@ You can configure the sync method in these ways: - Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings -- With the [System Center Configuration Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V +- With the [Configuration Manager Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V - With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md) diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 9846a41bcf..d4f4c27135 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -39,7 +39,7 @@ The following is a list of items that you should be aware of before you start th * When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive. -* System Center 2012 Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). +* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). * If you are planning on using a USB drive duplicator to duplicate Windows To Go drives, do not configure offline domain join or BitLocker on the drive. diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index 397f230051..986659ce39 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -61,7 +61,7 @@ DirectAccess can be used to ensure that the user can log in with their domain cr ### Image deployment and drive provisioning considerations -The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center 2012 Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. +The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. ![windows to go image deployment.](images/wtg-image-deployment.gif) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 468fb48151..f57d4eedc3 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -162,7 +162,7 @@ sections: - question: | Can the user self-provision Windows To Go? answer: | - Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). + Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). - question: | How can Windows To Go be managed in an organization? diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 8d47eba6f3..8422a69d5e 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -25,7 +25,7 @@ ms.topic: article > [!NOTE] > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. -This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager (MEM)](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. 2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index aa86279555..5efc901351 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -84,7 +84,7 @@ See the following general troubleshooting procedures associated with a result co |0x80070522|The user doesn’t have required privilege or credentials to upgrade.|Ensure that you've signed in as a local administrator or have local administrator privileges.| |0xC1900107|A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.|Restart the device and run setup again. If restarting the device doesn't resolve the issue, then use the Disk Cleanup utility to clean up the temporary files and the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68).| |0xC1900209|The user has chosen to cancel because the system doesn't pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.|Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](/archive/blogs/mniehaus/windows-10-pre-upgrade-validation-using-setup-exe) for more information.

    You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.| -|0x8007002|This error is specific to upgrades using System Center 2012 Configuration Manager R2 SP1 CU3 (5.00.8238.1403)|Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)

    The error 80072efe means that the connection with the server was terminated abnormally.

    To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.| +|0x8007002|This error is specific to upgrades using Configuration Manager R2 SP1 CU3 (5.00.8238.1403)|Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)

    The error 80072efe means that the connection with the server was terminated abnormally.

    To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.| |0x80240FFF|Occurs when update synchronization fails. It can occur when you're using Windows Server Update Services on its own or when it's integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.|You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:

    1. Disable the Upgrades classification.
    2. Install hotfix 3095113.
    3. Delete previously synched updates.
    4. Enable the Upgrades classification.
    5. Perform a full synch.

    For detailed information on how to run these steps check out How to delete upgrades in WSUS.| |0x8007007E|Occurs when update synchronization fails because you don't have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you're using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.|Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.

    Stop the Windows Update service.

  • Sign in as a user with administrative privileges, and then do the following:
  • Open Administrative Tools from the Control Panel.
  • Double-click Services.
  • Find the Windows Update service, right-click it, and then select Stop. If prompted, enter your credentials.

    Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.

    Restart the Windows Update service.| diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index b942f83a14..d568f05eef 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -613,7 +613,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n ### Delete (deregister) Autopilot device -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the Microsoft Endpoint Manager admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. > [!div class="mx-imgBorder"] > ![Delete device step 1.](images/delete-device1.png) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index cd1cb3afe6..c2f6129519 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1314,7 +1314,7 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier. @@ -3140,7 +3140,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 6a19d4f822..079490dd99 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -3148,7 +3148,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index cf9e96bf73..912861438f 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -4550,7 +4550,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index e1d9c05c8c..645690fd3d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -3362,7 +3362,7 @@ The following fields are available: - **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. - **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. - **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft System Center Configuration Manager to keep the operating system and applications up to date. +- **IsDeviceSccmManaged** Indicates whether the device is running the Configuration Manager to keep the operating system and applications up to date. - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). @@ -6058,7 +6058,7 @@ The following fields are available: - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. - **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected. - **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use. - **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. - **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 69a1cecb22..c474b2d518 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -3623,7 +3623,7 @@ The following fields are available: - **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. - **IsDeviceOobeBlocked** Indicates whether the OOBE (Out of Box Experience) is blocked on the device. - **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft System Center Configuration Manager to keep the operating system and applications up to date. +- **IsDeviceSccmManaged** Indicates whether the device is running the Configuration Manager to keep the operating system and applications up to date. - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 7a06722124..a3f4153369 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -99,7 +99,7 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ - Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. - The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. -- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. +- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. ## Related topics diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index e5df19b1b9..1b234aad34 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -30,7 +30,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu ## Managing domain-joined computers and moving to cloud -Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 or later can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). +Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md index 8c2b314e2b..86efc39597 100644 --- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md @@ -32,7 +32,7 @@ ms.technology: windows-sec Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy: 1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm) -1. [Deploy policies with MEMCM](#deploy-appid-tagging-policies-with-memcm) +1. [Deploy policies with Microsoft Endpoint Configuration Manager](#deploy-appid-tagging-policies-with-memcm) 1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting) 1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp) @@ -42,7 +42,7 @@ Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI fe ## Deploy AppId Tagging Policies with MEMCM -Custom AppId Tagging policies can deployed via MEMCM using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. +Custom AppId Tagging policies can deployed via Configuration Manager using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. ### Deploy AppId Tagging Policies via Scripting diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 7f1f74be4f..e7fccafbfd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -125,7 +125,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Microsoft Endpoint Config Manager (MEMCM)and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place. +4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place. ```xml diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index a5b01bd9ff..b5aca1e44a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -157,7 +157,7 @@ Policies should be thoroughly evaluated and first rolled out in audit mode befor 1. Mobile Device Management (MDM): [Deploy Windows Defender Application Control (WDAC) policies using Mobile Device Management (MDM) (Windows)](deploy-windows-defender-application-control-policies-using-intune.md) -2. Microsoft Endpoint Configuration Manager (MEMCM): [Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows)](deployment/deploy-wdac-policies-with-memcm.md) +2. Configuration Manager: [Deploy Windows Defender Application Control (WDAC) policies by using Configuration Manager (Windows)](deployment/deploy-wdac-policies-with-memcm.md) 3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index d777bcb8fe..283ec90d38 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -46,13 +46,9 @@ Alice previously created a policy for the organization's lightly managed devices Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed devices: - All clients are running Windows 10 version 1903 or above or Windows 11; -- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; - -> [!NOTE] -> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. - -- Most, but not all, apps are deployed using MEMCM; -- Sometimes, IT staff install apps directly to these devices without using MEMCM; +- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune; +- Most, but not all, apps are deployed using Configuration Manager; +- Sometimes, IT staff install apps directly to these devices without using Configuration Manager; - All users except IT are standard users on these devices. Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an additional managed installer for WDAC and allows her to remove the need for filepath rules. @@ -64,8 +60,8 @@ Based on the above, Alice defines the pseudo-rules for the policy: - WHQL (3rd party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules that include signer and hash rules for MEMCM components to properly function -3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer) +2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function. +3. **Allow Managed Installer** (Configuration Manager and *LamnaITInstaller.exe* configured as a managed installer) The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: @@ -74,14 +70,14 @@ The critical differences between this set of pseudo-rules and those defined for ## Create a custom base policy using an example WDAC base policy -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs. +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. Alice follows these steps to complete this task: > [!NOTE] -> If you do not use MEMCM or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy. +> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy. -1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11. +1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11. 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: @@ -91,7 +87,7 @@ Alice follows these steps to complete this task: $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` -3. Copy the policy created by MEMCM to the desktop: +3. Copy the policy created by Configuration Manager to the desktop: ```powershell cp $MEMCMPolicy $LamnaPolicy diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 90b3e0fd6e..8ed966bba8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -46,12 +46,8 @@ For the majority of users and devices, Alice wants to create an initial policy t Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices: - All clients are running Windows 10 version 1903 and above, or Windows 11; -- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; - - > [!NOTE] - > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. - -- Some, but not all, apps are deployed using MEMCM; +- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune. +- Some, but not all, apps are deployed using Configuration Manager; - Most users are local administrators on their devices; - Some teams may need additional rules to authorize specific apps that don't apply generally to all other users. @@ -62,8 +58,8 @@ Based on the above, Alice defines the pseudo-rules for the policy: - WHQL (3rd party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules which include signer and hash rules for MEMCM components to properly function -3. **Allow Managed Installer** (MEMCM configured as a managed installer) +2. **"MEMCM works”** rules which include signer and hash rules for Configuration Manager components to properly function +3. **Allow Managed Installer** (Configuration Manager configured as a managed installer) 4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization) 5. **Admin-only path rules** for the following locations: - C:\Program Files\* @@ -72,14 +68,14 @@ Based on the above, Alice defines the pseudo-rules for the policy: ## Create a custom base policy using an example WDAC base policy -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs. +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. Alice follows these steps to complete this task: > [!NOTE] -> If you do not use MEMCM or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy. +> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy. -1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11. +1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11. 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: @@ -89,7 +85,7 @@ Alice follows these steps to complete this task: $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` -3. Copy the policy created by MEMCM to the desktop: +3. Copy the policy created by Configuration Manager to the desktop: ```powershell cp $MEMCMPolicy $LamnaPolicy diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 4c931b2732..856b95f0a8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -31,18 +31,18 @@ You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Window ## Use MEMCM's built-in policies -MEMCM includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow: +Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow: - Windows components - Microsoft Store apps -- Apps installed by MEMCM (MEMCM self-configured as a managed installer) +- Apps installed by Configuration Manager (Configuration Manager self-configured as a managed installer) - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) -- [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints. +- [Optional] Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints. -Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. +Note that Configuration Manager does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. -For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). +For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). ## Deploy custom WDAC policies using Packages/Programs or Task Sequences -Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. +Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index bd792e1029..441c4694e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -42,4 +42,4 @@ When you create policies for use with Windows Defender Application Control (WDAC | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | | **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | | **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) | -| **MEM Configuration Manager** | Customers who use MEM Configuration Manager (MEMCM) can deploy a policy with MEMCM's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | +| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 0435921894..d51eeb7f4d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -34,7 +34,7 @@ ms.technology: windows-sec |-------------|------|-------------| | Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later | | SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
    For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
    Policies deployed through MDM are effective on all SKUs. | -| Management solutions |

    |