diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn
index 0ffbb03551..4adf09ac5a 100644
--- a/.acrolinx-config.edn
+++ b/.acrolinx-config.edn
@@ -4,15 +4,14 @@
:targets
{
:counts {
- ;;:spelling 10
- ;;:grammar 3
+ ;;:correctness 13
;;:total 15 ;; absolute flag count but i don't know the difference between this and issues
;;:issues 15 ;; coming from the platform, will need to be tested.
}
:scores {
;;:terminology 100
:qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place
- ;;:spelling 40
+ ;;:correctness 40
}
}
@@ -22,7 +21,7 @@
{
"languageId" "en"
"ruleSetName" "Standard"
- "requestedFlagTypes" ["SPELLING" "GRAMMAR" "STYLE"
+ "requestedFlagTypes" ["CORRECTNESS" "SPELLING" "GRAMMAR" "STYLE"
"TERMINOLOGY_DEPRECATED"
"TERMINOLOGY_VALID"
"VOICE_GUIDANCE"
@@ -35,7 +34,7 @@
"
## Acrolinx Scorecards
-**The minimum Acrolinx topic score of 80 is required for all MARVEL content merged to the default branch.**
+**The minimum Acrolinx topic score of 80 is required for all MAGIC content merged to the default branch.**
If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions:
@@ -47,12 +46,12 @@ For more information about the exception criteria and exception process, see [Mi
Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
-| Article | Score | Issues | Correctness issues | Scorecard | Processed |
+| Article | Score | Issues | Correctness score | Scorecard | Processed |
| ------- | ----- | ------ | ------ | --------- | --------- |
"
:template-change
- "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/flags/correctness} | [link](${acrolinx/scorecard}) | ${s/status} |
+ "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/scores/correctness} | [link](${acrolinx/scorecard}) | ${s/status} |
"
:template-footer
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000000..deb2888417
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,39 @@
+
+
+
+## Why
+
+
+
+- Closes #[Issue Number]
+
+## Changes
+
+
+
+
\ No newline at end of file
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index db6d1b6b08..90f49aa969 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,15 @@
{
"redirections": [
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md",
+ "redirect_url": "/windows/security/windows/security/identity-protection/hello-for-business/webauthn-apis",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/application-management/manage-windows-mixed-reality.md",
+ "redirect_url": "/windows/mixed-reality/enthusiast-guide/manage-windows-mixed-reality",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/client-management/mdm/browserfavorite-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
@@ -19634,6 +19644,16 @@
"source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md",
"redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/windows-10-accessibility-for-ITPros.md",
+ "redirect_url": "/windows/configuration/windows-accessibility-for-ITPros",
+ "redirect_document_id": false
}
]
}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 3bf0503686..811fd84480 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,7 +2,7 @@
Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs.
This page covers the basic steps for editing our technical documentation.
-For a more up-to-date and complete contribution guide, see the main [Microsoft Docs contributor guide overview](https://docs.microsoft.com/contribute/).
+For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://learn.microsoft.com/contribute/).
## Sign a CLA
@@ -19,16 +19,16 @@ We've tried to make editing an existing, public file as simple as possible.
### To edit a topic
-1. Go to the page on [docs.microsoft.com](https://docs.microsoft.com/) that you want to update.
+1. Browse to the [Microsoft Docs](https://learn.microsoft.com/) article that you want to update.
> **Note**
- > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main).
+ > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.learn.microsoft.com/help/get-started/edit-article-in-github?branch=main).
1. Then select the **Pencil** icon.
- 
+ 
- If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [Microsoft Docs Organization on GitHub](https://github.com/MicrosoftDocs).
+ If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [MicrosoftDocs organization on GitHub](https://github.com/MicrosoftDocs).
> **TIP**
> View the page source in your browser, and look for the following metadata: `original_content_git_url`. This path always points to the source markdown file for the article.
@@ -37,7 +37,7 @@ We've tried to make editing an existing, public file as simple as possible.
-1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
+1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://learn.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
1. Make your suggested change, and then select **Preview changes** to make sure it looks correct.
@@ -57,16 +57,16 @@ We've tried to make editing an existing, public file as simple as possible.
The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics:
- - [Windows client documentation for IT Pros](https://docs.microsoft.com/windows/resources/)
- - [Microsoft Store](https://docs.microsoft.com/microsoft-store)
- - [Windows 10 for Education](https://docs.microsoft.com/education/windows)
- - [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
- - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/)
+ - [Windows client documentation for IT Pros](https://learn.microsoft.com/windows/resources/)
+ - [Microsoft Store](https://learn.microsoft.com/microsoft-store)
+ - [Windows 10 for Education](https://learn.microsoft.com/education/windows)
+ - [Windows 10 for SMB](https://learn.microsoft.com/windows/smb)
+ - [Internet Explorer 11](https://learn.microsoft.com/internet-explorer/)
## Making more substantial changes
To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content.
-For info about creating a fork or clone, see [Set up a local Git repository](https://docs.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
+For info about creating a fork or clone, see [Set up a local Git repository](https://learn.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Finally, open a pull request back to the main branch of the official repo.
@@ -82,4 +82,4 @@ In the new issue form, enter a brief title. In the body of the form, describe th
- You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
- You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
-- Microsoft Docs uses several custom Markdown extensions. To learn more, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference).
+- Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://learn.microsoft.com/contribute/markdown-reference).
diff --git a/bcs/docfx.json b/bcs/docfx.json
deleted file mode 100644
index f1384ac71a..0000000000
--- a/bcs/docfx.json
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
- "extendBreadcrumb": true,
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "bcs-vsts",
- "markdownEngineName": "dfm"
- }
-}
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
index 25f58fb19f..a8f90c3697 100644
--- a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
+++ b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
@@ -5,7 +5,7 @@ Starting with Windows 10, version 1511 (also known as the Anniversary Update), y
### Site list xml file
-This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
+This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
```xml
@@ -47,4 +47,4 @@ This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypf
-```
\ No newline at end of file
+```
diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md
index 0a0f72e971..21e15f6d8d 100644
--- a/browsers/includes/helpful-topics-include.md
+++ b/browsers/includes/helpful-topics-include.md
@@ -35,4 +35,4 @@ ms.topic: include
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
-- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list)
+- [Fix web compatibility issues using document modes and the Enterprise Mode site list](/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list)
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 37391cc166..83d51cf7f0 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -26,12 +26,6 @@
"recommendations": true,
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
- "audience": "ITPro",
- "ms.technology": "internet-explorer",
- "ms.prod": "ie11",
- "ms.topic": "article",
- "manager": "dansimp",
- "ms.date": "04/05/2017",
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index ca1542a952..83c7c6b9b8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -7,6 +7,7 @@ ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
+ms.prod: ie11
---
# Full-sized flowchart detailing how document modes are chosen in IE11
diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml
index 05e93f6e25..17eee2393b 100644
--- a/browsers/internet-explorer/internet-explorer.yml
+++ b/browsers/internet-explorer/internet-explorer.yml
@@ -9,6 +9,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
ms.date: 07/29/2022
+ ms.prod: ie11
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
deleted file mode 100644
index 017aa6750e..0000000000
--- a/devices/hololens/docfx.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/**.yml"
- ],
- "exclude": [
- "**/obj/**",
- "devices/hololens/**",
- "**/includes/**"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg",
- "**/*.gif"
- ],
- "exclude": [
- "**/obj/**",
- "devices/hololens/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/hololens/breadcrumb/toc.json",
- "ms.technology": "windows",
- "ms.topic": "article",
- "audience": "ITPro",
- "manager": "dansimp",
- "ms.date": "04/05/2017",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "Win.itpro-hololens",
- "folder_relative_path_in_docset": "./"
- }
-
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "devices/hololens",
- "markdownEngineName": "markdig"
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "Kellylorenebaker",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
-}
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
deleted file mode 100644
index a9772d7b8c..0000000000
--- a/devices/surface-hub/docfx.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/**.md",
- "**/**.yml"
- ],
- "exclude": [
- "**/obj/**"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/images/**",
- "**/*.pptx",
- "**/*.pdf"
- ],
- "exclude": [
- "**/obj/**"
- ]
- }
- ],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
- "ROBOTS": "INDEX, FOLLOW",
- "ms.technology": "windows",
- "audience": "ITPro",
- "ms.topic": "article",
- "manager": "dansimp",
- "ms.mktglfcycl": "manage",
- "ms.sitesec": "library",
- "ms.date": "05/23/2017",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "Win.surface-hub",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "Kellylorenebaker",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ],
- "titleSuffix": "Surface Hub"
- },
- "externalReference": [],
- "template": "op.html",
- "dest": "devices/surface-hub",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
deleted file mode 100644
index f11706aa9d..0000000000
--- a/devices/surface/docfx.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/**.md",
- "**/**.yml"
- ],
- "exclude": [
- "**/obj/**"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/images/**"
- ],
- "exclude": [
- "**/obj/**"
- ]
- }
- ],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/surface/breadcrumb/toc.json",
- "ROBOTS": "INDEX, FOLLOW",
- "ms.technology": "windows",
- "audience": "ITPro",
- "ms.topic": "article",
- "manager": "dansimp",
- "ms.date": "05/09/2017",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "Win.surface",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "Kellylorenebaker",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ],
- "titleSuffix": "Surface"
- },
- "externalReference": [],
- "template": "op.html",
- "dest": "devices/surface",
- "markdownEngineName": "markdig"
-}
-}
diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml
index 93f929e957..41fb052a33 100644
--- a/education/breadcrumb/toc.yml
+++ b/education/breadcrumb/toc.yml
@@ -1,3 +1,4 @@
+items:
- name: Docs
tocHref: /
topicHref: /
@@ -12,4 +13,7 @@
- name: Windows
tocHref: /education/windows
topicHref: /education/windows/index
-
\ No newline at end of file
+ - name: Windows
+ tocHref: /windows/security/
+ topicHref: /education/windows/index
+
diff --git a/education/docfx.json b/education/docfx.json
index 105c802404..7aabd80dfc 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -17,7 +17,8 @@
"files": [
"**/*.png",
"**/*.jpg",
- "**/*.svg"
+ "**/*.svg",
+ "**/*.gif"
],
"exclude": [
"**/obj/**",
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index b9d519b4c6..9fa135eccb 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,59 +2,51 @@
+## Week of September 12, 2022
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 9/13/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
+| 9/14/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
+| 9/14/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
+
+
+## Week of September 05, 2022
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 9/8/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified |
+| 9/8/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
+| 9/8/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
+| 9/9/2022 | [Take tests in Windows](/education/windows/take-tests-in-windows-10) | modified |
+
+
+## Week of August 29, 2022
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 8/31/2022 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added |
+| 8/31/2022 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added |
+| 8/31/2022 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added |
+| 8/31/2022 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added |
+| 8/31/2022 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added |
+| 8/31/2022 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added |
+| 8/31/2022 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added |
+| 8/31/2022 | [Introduction](/education/windows/tutorial-school-deployment/index) | added |
+| 8/31/2022 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added |
+| 8/31/2022 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added |
+| 8/31/2022 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added |
+| 8/31/2022 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
+| 8/31/2022 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
+| 8/31/2022 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |
+
+
## Week of August 15, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 8/17/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
-
-
-## Week of August 08, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 8/10/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
-| 8/10/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
-| 8/10/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
-| 8/10/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
-| 8/10/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
-| 8/10/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 8/10/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
-| 8/10/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
-| 8/10/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified |
-| 8/10/2022 | [Enable S mode on Surface Go devices for Education](/education/windows/enable-s-mode-on-surface-go-devices) | modified |
-| 8/10/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
-| 8/10/2022 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified |
-| 8/10/2022 | [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](/education/windows/s-mode-switch-to-edu) | modified |
-| 8/10/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
-| 8/10/2022 | [Azure AD Join with Set up School PCs app](/education/windows/set-up-school-pcs-azure-ad-join) | modified |
-| 8/10/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
-| 8/10/2022 | [Shared PC mode for school devices](/education/windows/set-up-school-pcs-shared-pc-mode) | modified |
-| 8/10/2022 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified |
-| 8/10/2022 | [What's new in the Windows Set up School PCs app](/education/windows/set-up-school-pcs-whats-new) | modified |
-| 8/10/2022 | [Set up student PCs to join domain](/education/windows/set-up-students-pcs-to-join-domain) | modified |
-| 8/10/2022 | [Provision student PCs with apps](/education/windows/set-up-students-pcs-with-apps) | modified |
-| 8/10/2022 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified |
-| 8/10/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
-| 8/10/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
-| 8/10/2022 | [Set up Take a Test on a single PC](/education/windows/take-a-test-single-pc) | modified |
-| 8/10/2022 | [Take tests in Windows 10](/education/windows/take-tests-in-windows-10) | modified |
-| 8/10/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
-| 8/10/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
-| 8/10/2022 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified |
-| 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
-| 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
-| 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
-
-
-## Week of July 25, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 7/26/2022 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | added |
-| 7/26/2022 | [Secure the Windows boot process](/education/windows/change-home-to-edu) | modified |
-| 7/25/2022 | Edit an existing topic using the Edit link | removed |
-| 7/26/2022 | [Windows Hello for Business Videos](/education/windows/change-home-to-edu) | modified |
diff --git a/education/index.yml b/education/index.yml
index b67a140734..6ed1dbb047 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -73,7 +73,7 @@ productDirectory:
text: IT admin help
- url: https://support.office.com/education
text: Education help center
- - url: /learn/educator-center/
+ - url: /training/educator-center/
text: Teacher training packs
# Card
- title: Check out our education journey
@@ -115,4 +115,4 @@ additionalContent:
# Card
- title: Education Partner community Yammer group
summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
- url: https://www.yammer.com/mepn/
\ No newline at end of file
+ url: https://www.yammer.com/mepn/
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index f2d04a9792..b3ef37c53c 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -1,73 +1,103 @@
-- name: Windows 11 SE for Education
+items:
+- name: Windows for Education Documentation
+ href: index.yml
+- name: Tutorials
+ expanded: true
items:
- - name: Overview
- href: windows-11-se-overview.md
- - name: Settings and CSP list
- href: windows-11-se-settings-list.md
-- name: Windows 10 for Education
- href: index.md
+ - name: Deploy and manage Windows devices in a school
+ href: tutorial-school-deployment/toc.yml
+- name: Concepts
items:
+ - name: Windows 11 SE
+ items:
+ - name: Overview
+ href: windows-11-se-overview.md
+ - name: Settings and CSP list
+ href: windows-11-se-settings-list.md
+ - name: Windows in S Mode
+ items:
+ - name: Test Windows 10 in S mode on existing Windows 10 education devices
+ href: test-windows10s-for-edu.md
+ - name: Enable Windows 10 in S mode on Surface Go devices
+ href: enable-s-mode-on-surface-go-devices.md
- name: Windows 10 editions for education customers
href: windows-editions-for-education-customers.md
+ - name: Shared PC mode for school devices
+ href: set-up-school-pcs-shared-pc-mode.md
- name: Windows 10 configuration recommendations for education customers
href: configure-windows-for-education.md
- - name: Deployment recommendations for school IT administrators
- href: edu-deployment-recommendations.md
- - name: Set up Windows devices for education
- href: set-up-windows-10.md
- items:
- - name: What's new in Set up School PCs
- href: set-up-school-pcs-whats-new.md
- - name: Technical reference for the Set up School PCs app
- href: set-up-school-pcs-technical.md
- items:
- - name: Azure AD Join for school PCs
- href: set-up-school-pcs-azure-ad-join.md
- - name: Shared PC mode for school devices
- href: set-up-school-pcs-shared-pc-mode.md
- - name: Provisioning package settings
- href: set-up-school-pcs-provisioning-package.md
- - name: Use the Set up School PCs app
- href: use-set-up-school-pcs-app.md
- - name: Set up student PCs to join domain
- href: set-up-students-pcs-to-join-domain.md
- - name: Provision student PCs with apps
- href: set-up-students-pcs-with-apps.md
- - name: Take tests in Windows 10
+ - name: Take tests and assessments in Windows
href: take-tests-in-windows-10.md
- items:
- - name: Set up Take a Test on a single PC
+- name: How-to-guides
+ items:
+ - name: Configure education features
+ items:
+ - name: Configure education themes
+ href: edu-themes.md
+ - name: Configure Stickers
+ href: edu-stickers.md
+ - name: Configure Take a Test on a single PC
href: take-a-test-single-pc.md
- - name: Set up Take a Test on multiple PCs
+ - name: Configure a Test on multiple PCs
href: take-a-test-multiple-pcs.md
- - name: Take a Test app technical reference
- href: take-a-test-app-technical.md
+ - name: Use the Set up School PCs app
+ href: use-set-up-school-pcs-app.md
+ - name: Change Windows edition
+ items:
+ - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
+ href: s-mode-switch-to-edu.md
+ - name: Change to Windows 10 Pro Education from Windows 10 Pro
+ href: change-to-pro-education.md
+ - name: Upgrade Windows Home to Windows Education on student-owned devices
+ href: change-home-to-edu.md
+ - name: "Get and deploy Minecraft: Education Edition"
+ items:
+ - name: "Get Minecraft: Education Edition"
+ href: get-minecraft-for-education.md
+ - name: "For IT administrators: get Minecraft Education Edition"
+ href: school-get-minecraft.md
+ - name: "For teachers: get Minecraft Education Edition"
+ href: teacher-get-minecraft.md
+ - name: Work with Microsoft Store for Education
+ href: education-scenarios-store-for-business.md
+ - name: Migrate from Chromebook to Windows
+ items:
+ - name: Chromebook migration guide
+ href: chromebook-migration-guide.md
+ - name: Deploy Windows 10 devices in a school
+ items:
+ - name: Overview
+ href: deploy-windows-10-overview.md
+ - name: Deploy Windows 10 in a school
+ href: deploy-windows-10-in-a-school.md
+ - name: Deploy Windows 10 in a school district
+ href: deploy-windows-10-in-a-school-district.md
+ - name: Deployment recommendations for school IT administrators
+ href: edu-deployment-recommendations.md
+ - name: Set up Windows devices for education
+ items:
+ - name: Overview
+ href: set-up-windows-10.md
+ - name: Azure AD join for school PCs
+ href: set-up-school-pcs-azure-ad-join.md
+ - name: Active Directory join for school PCs
+ href: set-up-students-pcs-to-join-domain.md
+ - name: Provision student PCs with apps
+ href: set-up-students-pcs-with-apps.md
- name: Reset devices with Autopilot Reset
href: autopilot-reset.md
- - name: Working with Microsoft Store for Education
- href: education-scenarios-store-for-business.md
- - name: "Get Minecraft: Education Edition"
- href: get-minecraft-for-education.md
- items:
- - name: "For teachers: get Minecraft Education Edition"
- href: teacher-get-minecraft.md
- - name: "For IT administrators: get Minecraft Education Edition"
- href: school-get-minecraft.md
- - name: Test Windows 10 in S mode on existing Windows 10 education devices
- href: test-windows10s-for-edu.md
- - name: Enable Windows 10 in S mode on Surface Go devices
- href: enable-s-mode-on-surface-go-devices.md
- - name: Deploy Windows 10 in a school
- href: deploy-windows-10-in-a-school.md
- - name: Deploy Windows 10 in a school district
- href: deploy-windows-10-in-a-school-district.md
- - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
- href: s-mode-switch-to-edu.md
- - name: Change to Windows 10 Pro Education from Windows 10 Pro
- href: change-to-pro-education.md
- - name: Upgrade Windows Home to Windows Education on student-owned devices
- href: change-home-to-edu.md
- - name: Chromebook migration guide
- href: chromebook-migration-guide.md
+- name: Reference
+ items:
+ - name: Set up School PCs
+ items:
+ - name: Set up School PCs app technical reference
+ href: set-up-school-pcs-technical.md
+ - name: Provisioning package settings
+ href: set-up-school-pcs-provisioning-package.md
+ - name: What's new in Set up School PCs
+ href: set-up-school-pcs-whats-new.md
+ - name: Take a Test app technical reference
+ href: take-a-test-app-technical.md
- name: Change history for Windows 10 for Education
href: change-history-edu.md
+
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 9a1acea7a1..2b3d262830 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -17,7 +17,7 @@ appliesto:
---
# Change history for Windows 10 for Education
-This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+This topic lists new and updated topics in the [Windows 10 for Education](index.yml) documentation.
## May 2019
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index b7d6452223..6893cd17a9 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -1,12 +1,8 @@
---
title: Chromebook migration guide (Windows 10)
description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
-ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA
-keywords: migrate, automate, device, Chromebook migration
-ms.prod: windows
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu, devices
+ms.prod: windows-client
+ms.technology: itpro-edu
ms.localizationpriority: medium
ms.collection: education
author: paolomatarazzo
@@ -142,7 +138,7 @@ Table 3. Settings in the Security node in the Google Admin Console
|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.|
|Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.|
-**Identify locally-configured settings to migrate**
+**Identify locally configured settings to migrate**
In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you'll migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2).
@@ -150,7 +146,7 @@ In addition to the settings configured in the Google Admin Console, users may ha
Figure 2. Locally configured settings on Chromebook
-Table 4. Locally-configured settings
+Table 4. Locally configured settings
| Section | Settings |
|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -206,7 +202,7 @@ In addition to Chromebook devices, users may have companion devices (smartphones
After you've identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox.
-In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254).
+In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://support.microsoft.com/office/compare-how-different-mobile-devices-work-with-office-365-bdd06229-776a-4824-947c-82425d72597b).
**Identify the optimal timing for the migration**
@@ -416,11 +412,11 @@ Examine each of the following network infrastructure technologies and services a
For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources:
- - [Chromebook vs. Windows Notebook Network Traffic Analysis](https://go.microsoft.com/fwlink/p/?LinkId=690255)
+ - [Chromebook vs. Windows Notebook Network Traffic Analysis](https://www.principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf)
- - [Hidden Cost of Chromebook Deployments](https://go.microsoft.com/fwlink/p/?LinkId=690256)
+ - [Hidden Cost of Chromebook Deployments](https://www.principledtechnologies.com/Microsoft/Windows_Chromebook_bandwidth_0514.pdf)
- - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://go.microsoft.com/fwlink/p/?LinkId=690257)
+ - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://www.principledtechnologies.com/Microsoft/Windows_8.1_vs_Chromebooks_in_Education_0715.pdf)
- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This condition means that your existing power outlets should support the same number of Windows devices.
@@ -442,15 +438,11 @@ You must perform some of the steps in this section in a specific sequence. Each
The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform.
-It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each.
+It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Use the following Microsoft network infrastructure products and technologies:
-Table 7. Network infrastructure products and technologies and deployment resources
-
-|Product or technology|Resources|
-|--- |--- |
-|DHCP|
[Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))|
-
+- [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server)
+- [DHCP overview](/windows-server/networking/technologies/dhcp/dhcp-top)
+- [DNS overview](/windows-server/networking/dns/dns-top)
If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
@@ -459,34 +451,39 @@ If you use network infrastructure products and technologies from other vendors,
It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations.
-In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both.
+In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Use the following resources to deploy or remediate on-premises AD DS, Azure AD, or both:
-Table 8. AD DS, Azure AD and deployment resources
-
-|Product or technology|Resources|
-|--- |--- |
-|AD DS|
[Azure Active Directory documentation](/azure/active-directory/)
[Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)
[Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
+- [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server)
+- [AD DS overview](/windows-server/identity/ad-ds/active-directory-domain-services)
+- [Azure AD documentation](/azure/active-directory/)
+- [Azure AD Premium](https://azure.microsoft.com/pricing/details/active-directory/)
+- [Safely virtualizing Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
## Prepare device, user, and app management systems
-
In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you'll use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You'll use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings.
-Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems.
+Use the following Microsoft management systems and the deployment resources to prepare (deploy or remediate) these management systems.
-Table 9. Management systems and deployment resources
+- [Microsoft Intune](/mem/intune/fundamentals/setup-steps)
-|Management system|Resources|
-|--- |--- |
-|Windows provisioning packages|
[Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
[Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
[Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)|
-|Group Policy|
[Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
[Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"|
-|Configuration Manager|
[Site Administration for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
[Deploying Clients for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))|
-|Intune|
[Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)
[System Center 2012 R2 Configuration Manager & Windows Intune](/learn/?l=fCzIjVKy_6404984382)|
-|MDT|
[Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
+- [Windows Autopilot](/mem/autopilot/windows-autopilot)
+- Microsoft Endpoint Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)
+
+- Provisioning packages:
+
+ - [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+ - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
+ - [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)
+
+- Group policy
+
+ - [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
+ - [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))
+
If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
## Perform app migration or replacement
@@ -494,21 +491,19 @@ If you determined that no new management system or no remediation of existing sy
In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer.
-In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.
+In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Use the following Microsoft management systems and the app deployment resources to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.
-Table 10. Management systems and app deployment resources
-
-|Management system|Resources|
-|--- |--- |
-|Group Policy|
[Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
[Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))|
-|Configuration Manager|
[How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10))
[Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))|
-|Intune|
[Manage apps with Microsoft Intune](/mem/intune/)|
+- [Manage apps in Microsoft Intune](/mem/intune/apps/)
+- [App management in Configuration Manager](/mem/configmgr/apps/)
+- Group policy
+ - [Edit an AppLocker policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
+ - [Group policy software deployment background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))
+ - [Assigning and publishing software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))
If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
## Perform migration of user and device settings
-
In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device.
Perform the user and device setting migration by using the following steps:
@@ -534,7 +529,7 @@ Alternatively, if you want to migrate to Office 365 from:
- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server:
- - [Cutover Exchange Migration and Single Sign-On](https://go.microsoft.com/fwlink/p/?LinkId=690266)
+ - [What you need to know about a cutover email migration in Exchange Online](/exchange/mailbox-migration/what-to-know-about-a-cutover-migration)
- [Step-By-Step: Migration of Exchange 2003 Server to Office 365](/archive/blogs/canitpro/step-by-step-migration-of-exchange-2003-server-to-office-365)
@@ -544,7 +539,6 @@ Alternatively, if you want to migrate to Office 365 from:
## Perform cloud storage migration
-
In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you'll use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices.
Manually migrate the cloud storage migration by using the following steps:
@@ -577,7 +571,9 @@ In the [Select a Windows device deployment strategy](#select-windows-device-depl
For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices.
-In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy Windows 10 images to the devices, see the following resources:
+In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager or MDT. For more information on how to deploy Windows 10 images to the devices, see the following resources:
+
+- [OS deployment in Configuration Manager](/mem/configmgr/osd/)
- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
@@ -585,8 +581,6 @@ In some instances, you may receive the devices with Windows 10 already deployed
- [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)
-- [Operating System Deployment in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682018(v=technet.10))
-
In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment:
- Enroll the device with your management system.
@@ -601,10 +595,6 @@ After you complete these steps, your management system should take over the day-
## Related topics
-
[Try it out: Windows 10 deployment (for education)](../index.yml)
[Try it out: Windows 10 in the classroom](../index.yml)
-
-
-
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index d0a8aa44bd..6f72f69d44 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1278,9 +1278,9 @@ You've now identified the tasks you need to perform monthly, at the end of an ac
* [Try it out: Windows 10 in the classroom](../index.yml)
* [Chromebook migration guide](./chromebook-migration-guide.md)
* [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md)
-* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.md)
-* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.md)
-* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md)
-* [Reprovision devices at the end of the school year (video)](./index.md)
-* [Use MDT to deploy Windows 10 in a school (video)](./index.md)
-* [Use Microsoft Store for Business in a school environment (video)](./index.md)
+* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.yml)
+* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.yml)
+* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.yml)
+* [Reprovision devices at the end of the school year (video)](./index.yml)
+* [Use MDT to deploy Windows 10 in a school (video)](./index.yml)
+* [Use Microsoft Store for Business in a school environment (video)](./index.yml)
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index d9d1aff417..ee97678d29 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -19,11 +19,6 @@ appliesto:
# Deploy Windows 10 in a school
-
-**Applies to**
-
-- Windows 10
-
This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
## Prepare for school deployment
diff --git a/education/windows/index.md b/education/windows/deploy-windows-10-overview.md
similarity index 100%
rename from education/windows/index.md
rename to education/windows/deploy-windows-10-overview.md
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
new file mode 100644
index 0000000000..f2bb99a869
--- /dev/null
+++ b/education/windows/edu-stickers.md
@@ -0,0 +1,77 @@
+---
+title: Configure Stickers for Windows 11 SE
+description: Description of the Stickers feature and how to configure it via Intune and provisioning package.
+ms.date: 09/15/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 11 SE, version 22H2
+---
+
+# Configure Stickers for Windows 11 SE
+
+Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
+
+Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students.
+
+:::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
+
+Stickers are simple to use, and give students an easy way to express themselves by decorating their desktop, helping to make learning fun.
+
+## Benefits of Stickers
+
+When students feel like they can express themselves at school, they pay more attention and learn, which benefits students, teachers, and the school community. Self-expression is critical to well-being and success at school. Customizing a device is one way to express a personal brand.
+
+With Stickers, students feel more attached to the device as they feel as if it's their own, they take better care of it, and it's more likely to last.
+
+## Enable Stickers
+
+Stickers aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+
+#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+To enable Stickers using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
+
+| Setting |
+|--------|
+|
|
+
+Assign the policy to a security group that contains as members the devices or users that you want to enable Stickers on.
+
+#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+To configure Stickers using a provisioning package, use the following settings:
+
+| Setting |
+|--------|
+|
Path: **`Education/AllowStickers`**
Value: **True**
|
+
+Apply the provisioning package to the devices that you want to enable Stickers on.
+
+---
+
+## How to use Stickers
+
+Once the Stickers feature is enabled, the sticker editor can be opened by either:
+
+- using the contextual menu on the desktop and selecting the option **Add or edit stickers**
+- opening the Settings app > **Personalization** > **Background** > **Add stickers**
+
+:::image type="content" source="./images/win-11-se-stickers-menu.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true":::
+
+Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned or deleted from the desktop by using the mouse, keyboard, or touch.
+
+:::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true":::
+
+Select the *X button* at the top of the screen to save your progress and close the sticker editor.
+
+-----------
+
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
\ No newline at end of file
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md
new file mode 100644
index 0000000000..af6034a005
--- /dev/null
+++ b/education/windows/edu-themes.md
@@ -0,0 +1,64 @@
+---
+title: Configure education themes for Windows 11
+description: Description of education themes for Windows 11 and how to configure them via Intune and provisioning package.
+ms.date: 09/15/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 11, version 22H2
+- ✅ Windows 11 SE, version 22H2
+---
+
+# Configure education themes for Windows 11
+
+Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
+
+:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 desktop with 3 stickers" border="true":::
+
+Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings.
+Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
+
+## Enable education themes
+
+Education themes aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+
+#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
+
+To enable education themes using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
+
+| Setting |
+|--------|
+|
|
+
+Assign the policy to a security group that contains as members the devices or users that you want to enable education themes on.
+
+#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
+
+To configure education themes using a provisioning package, use the following settings:
+
+| Setting |
+|--------|
+|
Path: **`Education/EnableEduThemes`**
Value: **True**
|
+
+Apply the provisioning package to the devices that you want to enable education themes on.
+
+---
+
+## How to use the education themes
+
+Once the education themes are enabled, the device will download them as soon as a user signs in to the device.
+
+To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
+
+:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true":::
+
+-----------
+
+[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
\ No newline at end of file
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 4fbe0e9f89..0a06370a11 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -16,6 +16,8 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
# Working with Microsoft Store for Education
@@ -133,18 +135,10 @@ Teachers can:
## Distribute apps
-Manage and distribute apps to students and others in your organization. Different options are available for admins and teachers.
-
-Applies to: IT admins
-
**To manage and distribute apps**
- For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](./school-get-minecraft.md#distribute-minecraft)
- For info on how to manage and distribute other apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business)
-Applies to: Teachers
-
-For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](./teacher-get-minecraft.md#distribute-minecraft).
-
**To assign an app to a student**
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
@@ -177,4 +171,4 @@ You can manage your orders through Microsoft Store for Business. For info on ord
It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**.
> [!NOTE]
-> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call.
\ No newline at end of file
+> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call.
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index f03899ae3d..a29c2d277f 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -16,6 +16,8 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
# Get Minecraft: Education Edition
@@ -24,23 +26,18 @@ appliesto:
-Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution.
-
-
+Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution.
## Prerequisites
-- **Minecraft: Education Edition** requires Windows 10.
+- For a complete list of Operating Systems supported by **Minecraft: Education Edition**, see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements).
- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
- Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office)
- If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
-
-[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
-
-[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
\ No newline at end of file
+[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
diff --git a/education/windows/images/icons/accessibility.svg b/education/windows/images/icons/accessibility.svg
new file mode 100644
index 0000000000..21a6b4f235
--- /dev/null
+++ b/education/windows/images/icons/accessibility.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/education/windows/images/icons/group-policy.svg b/education/windows/images/icons/group-policy.svg
new file mode 100644
index 0000000000..ace95add6b
--- /dev/null
+++ b/education/windows/images/icons/group-policy.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/education/windows/images/icons/intune.svg b/education/windows/images/icons/intune.svg
new file mode 100644
index 0000000000..6e0d938aed
--- /dev/null
+++ b/education/windows/images/icons/intune.svg
@@ -0,0 +1,24 @@
+
\ No newline at end of file
diff --git a/education/windows/images/icons/powershell.svg b/education/windows/images/icons/powershell.svg
new file mode 100644
index 0000000000..ab2d5152ca
--- /dev/null
+++ b/education/windows/images/icons/powershell.svg
@@ -0,0 +1,20 @@
+
\ No newline at end of file
diff --git a/education/windows/images/icons/provisioning-package.svg b/education/windows/images/icons/provisioning-package.svg
new file mode 100644
index 0000000000..dbbad7d780
--- /dev/null
+++ b/education/windows/images/icons/provisioning-package.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/education/windows/images/icons/registry.svg b/education/windows/images/icons/registry.svg
new file mode 100644
index 0000000000..06ab4c09d7
--- /dev/null
+++ b/education/windows/images/icons/registry.svg
@@ -0,0 +1,22 @@
+
\ No newline at end of file
diff --git a/education/windows/images/icons/windows-os.svg b/education/windows/images/icons/windows-os.svg
new file mode 100644
index 0000000000..da64baf975
--- /dev/null
+++ b/education/windows/images/icons/windows-os.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/education/windows/images/win-11-se-stickers-animation.gif b/education/windows/images/win-11-se-stickers-animation.gif
new file mode 100644
index 0000000000..592b1a478b
Binary files /dev/null and b/education/windows/images/win-11-se-stickers-animation.gif differ
diff --git a/education/windows/images/win-11-se-stickers-menu.png b/education/windows/images/win-11-se-stickers-menu.png
new file mode 100644
index 0000000000..ddd761af0f
Binary files /dev/null and b/education/windows/images/win-11-se-stickers-menu.png differ
diff --git a/education/windows/images/win-11-se-stickers-picker.png b/education/windows/images/win-11-se-stickers-picker.png
new file mode 100644
index 0000000000..44fad2a725
Binary files /dev/null and b/education/windows/images/win-11-se-stickers-picker.png differ
diff --git a/education/windows/images/win-11-se-stickers.png b/education/windows/images/win-11-se-stickers.png
new file mode 100644
index 0000000000..fe6008bef3
Binary files /dev/null and b/education/windows/images/win-11-se-stickers.png differ
diff --git a/education/windows/images/win-11-se-themes-1.png b/education/windows/images/win-11-se-themes-1.png
new file mode 100644
index 0000000000..e37ce1062e
Binary files /dev/null and b/education/windows/images/win-11-se-themes-1.png differ
diff --git a/education/windows/images/win-11-se-themes.png b/education/windows/images/win-11-se-themes.png
new file mode 100644
index 0000000000..259784bc45
Binary files /dev/null and b/education/windows/images/win-11-se-themes.png differ
diff --git a/education/windows/images/windows-11-se.png b/education/windows/images/windows-11-se.png
new file mode 100644
index 0000000000..48446caa20
Binary files /dev/null and b/education/windows/images/windows-11-se.png differ
diff --git a/education/windows/index.yml b/education/windows/index.yml
new file mode 100644
index 0000000000..5205e02a4a
--- /dev/null
+++ b/education/windows/index.yml
@@ -0,0 +1,91 @@
+### YamlMime:Landing
+
+title: Windows for Education documentation
+summary: Evaluate, plan, deploy, and manage Windows devices in an education environment
+
+metadata:
+ title: Windows for Education documentation
+ description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune
+ ms.topic: landing-page
+ ms.prod: windows
+ ms.collection: education
+ author: paolomatarazzo
+ ms.author: paoloma
+ ms.date: 08/10/2022
+ ms.reviewer:
+ manager: aaroncz
+ ms.localizationpriority: medium
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+
+landingContent:
+
+ - title: Get started
+ linkLists:
+ - linkListType: tutorial
+ links:
+ - text: Deploy and manage Windows devices in a school
+ url: tutorial-school-deployment/index.md
+ - text: Prepare your tenant
+ url: tutorial-school-deployment/set-up-azure-ad.md
+ - text: Configure settings and applications with Microsoft Intune
+ url: tutorial-school-deployment/configure-devices-overview.md
+ - text: Manage devices with Microsoft Intune
+ url: tutorial-school-deployment/manage-overview.md
+ - text: Management functionalities for Surface devices
+ url: tutorial-school-deployment/manage-surface-devices.md
+
+
+ - title: Learn about Windows 11 SE
+ linkLists:
+ - linkListType: concept
+ links:
+ - text: What is Windows 11 SE?
+ url: windows-11-se-overview.md
+ - text: Windows 11 SE settings
+ url: windows-11-se-settings-list.md
+ - linkListType: whats-new
+ links:
+ - text: Configure education themes
+ url: edu-themes.md
+ - text: Configure Stickers
+ url: edu-stickers.md
+ - linkListType: video
+ links:
+ - text: Deploy Windows 11 SE using Set up School PCs
+ url: https://www.youtube.com/watch?v=Ql2fbiOop7c
+
+
+ - title: Deploy devices with Set up School PCs
+ linkLists:
+ - linkListType: concept
+ links:
+ - text: What is Set up School PCs?
+ url: set-up-school-pcs-technical.md
+ - linkListType: how-to-guide
+ links:
+ - text: Use the Set up School PCs app
+ url: use-set-up-school-pcs-app.md
+ - linkListType: reference
+ links:
+ - text: Provisioning package settings
+ url: set-up-school-pcs-provisioning-package.md
+ - linkListType: video
+ links:
+ - text: Use the Set up School PCs App
+ url: https://www.youtube.com/watch?v=2ZLup_-PhkA
+
+
+ - title: Configure devices
+ linkLists:
+ - linkListType: concept
+ links:
+ - text: Take tests and assessments
+ url: take-tests-in-windows-10.md
+ - text: Change Windows editions
+ url: change-home-to-edu.md
+ - text: "Deploy Minecraft: Education Edition"
+ url: get-minecraft-for-education.md
\ No newline at end of file
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index d209181213..8ed1fbf9e7 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -53,16 +53,16 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **How to Buy** in the top navigation bar.
2. Scroll down and select **Buy Now** under Direct Purchase.
-
-3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account.
-4. If necessary, fill in any requested organization or payment information
+3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account.
-5. Select the quantity of licenses you would like to purchase and select **Place Order**.
+4. If necessary, fill in any requested organization or payment information.
-6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](https://docs.microsoft.com/microsoft-365/admin/manage/assign-licenses-to-users)
+5. Select the quantity of licenses you would like to purchase and select **Place Order**.
-If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](https://docs.microsoft.com/microsoft-365/commerce/licenses/buy-licenses).
+6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
+
+If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
### Minecraft: Education Edition - volume licensing
@@ -96,14 +96,16 @@ Invoices are now a supported payment method for Minecraft: Education Edition. Th
-For more info on invoices and how to pay by invoice, see [How to pay for your subscription](https://docs.microsoft.com/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?).
+For more info on invoices and how to pay by invoice, see [How to pay for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?).
## Distribute Minecraft
-After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](https://docs.microsoft.com/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee).
+After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee).
## Learn more
-[About Intune Admin roles in the Microsoft 365 admin center](https://docs.microsoft.com/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac)
+
+[About Intune Admin roles in the Microsoft 365 admin center](/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac)
## Related topics
+
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index e6daee3daa..e2858efc79 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -15,6 +15,8 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
# Set up Take a Test on multiple PCs
@@ -114,8 +116,6 @@ You can configure a dedicated testing account through MDM or Configuration Manag
- **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI
- **String value** = *assessment URL*
- See [Assessment URLs](#assessment-urls) for more information.
-
4. Create a policy that associates the assessment URL to the account using the following values:
- **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount
@@ -263,16 +263,10 @@ You can also distribute the test link by creating a shortcut. To create the shor
Once the shortcut is created, you can copy it and distribute it to students.
-
-## Assessment URLs
-This assessment URL uses our lockdown API:
-- SBAC/AIR: [https://mobile.tds.airast.org/launchpad/](https://mobile.tds.airast.org/launchpad/).
-
-
## Related topics
-[Take tests in Windows 10](take-tests-in-windows-10.md)
+[Take tests in Windows](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC](take-a-test-single-pc.md)
-[Take a Test app technical reference](take-a-test-app-technical.md)
\ No newline at end of file
+[Take a Test app technical reference](take-a-test-app-technical.md)
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 2dcc9c525c..2cf14b3079 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -15,6 +15,8 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
# Set up Take a Test on a single PC
@@ -23,7 +25,7 @@ To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow t
## Set up a dedicated test account
To configure the assessment URL and a dedicated testing account on a single PC, follow these steps.
-1. Sign into the Windows 10 device with an administrator account.
+1. Sign into the Windows device with an administrator account.
2. Open the **Settings** app and go to **Accounts > Access work or school**.
3. Click **Set up an account for taking tests**.
@@ -127,7 +129,7 @@ Once the shortcut is created, you can copy it and distribute it to students.
## Related topics
-[Take tests in Windows 10](take-tests-in-windows-10.md)
+[Take tests in Windows](take-tests-in-windows-10.md)
[Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index e0e44e51c8..64dc362a33 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -1,5 +1,5 @@
---
-title: Take tests in Windows 10
+title: Take tests in Windows
description: Learn how to set up and use the Take a Test app.
keywords: take a test, test taking, school, how to, use Take a Test
ms.prod: windows
@@ -15,11 +15,13 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
-# Take tests in Windows 10
+# Take tests in Windows
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10 creates the right environment for taking a test:
+Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows creates the right environment for taking a test:
- Take a Test shows just the test and nothing else.
- Take a Test clears the clipboard.
@@ -46,7 +48,7 @@ There are several ways to configure devices for assessments, depending on your u
- **For a single PC**
- You can use the Windows 10 **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
+ You can use the Windows **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
- **For multiple PCs**
@@ -55,7 +57,7 @@ There are several ways to configure devices for assessments, depending on your u
- A provisioning package created in Windows Configuration Designer
- Group Policy to deploy a scheduled task that runs a Powershell script
- Beginning with Windows 10 Creators Update (version 1703), you can also configure Take a Test using these options:
+ You can also configure Take a Test using these options:
- Set up School PCs app
- Intune for Education
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 9436f4e605..47f90a01c2 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -16,160 +16,34 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
# For teachers - get Minecraft: Education Edition
-The following article describes how teachers can get and distribute Minecraft: Education Edition.
-Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers.
+The following article describes how teachers can get and distribute Minecraft: Education Edition at their school. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the [Microsoft Admin Center by IT Admins](/education/windows/school-get-minecraft), via volume licensing agreements and through partner resellers.
-To get started, go to https://education.minecraft.net/ and select **GET STARTED**.
## Try Minecraft: Education Edition for Free
Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing.
-To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**.
+To learn more and get started, [download the Minecraft: Education Edition app here.](https://aka.ms/download)
## Purchase Minecraft: Education Edition for Teachers and Students
-Minecraft: Education Edition is licensed via yearly subscriptions that are purchased through the Microsoft Store for Education, via volume licensing agreements and through partner resellers.
+As a teacher, you will need to have your IT Admin purchase licenses for you and your students directly through the Microsoft Admin Center, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 subscription.
->[!Note]
->M:EE is available on many platforms, but all license purchases can only be done through one of the three methods listed above.
+M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly.
-As a teacher, you may purchase subscription licenses for you and your students directly through the Microsoft Store for Education, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 account.
-
->[!Note]
->If you already have Office 365, you may already have Minecraft: Education Edition licenses for your school! M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly.
-
-You can purchase individual Minecraft: Education Edition subscriptions for you and other teachers and students directly in the Microsoft Store for Education.
-
-To purchase individual Minecraft: Education Edition subscriptions (that is, direct purchase):
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your Office 365 account.
-2. Click on [Minecraft: Education Edition](https://educationstore.microsoft.com/en-us/store/details/minecraft-education-edition/9nblggh4r2r6) (or use Search the Store to find it)
-3. Click **Buy**
-
->[!Note]
->Administrators can restrict the ability for teachers to purchase applications in the Microsoft Store for Education. If you do not have the ability to Buy, contact your school administration or IT administrator.
-
-
-## Distribute Minecraft
-
-After Minecraft: Education Edition licenses have been purchased, either directly, through a volume license agreement or through a partner reseller, those licenses will be added to your Microsoft Store for Education. From there you have three options:
-
-- You can install the app on your PC.
-- You can assign the app to others.
-- You can download the app to distribute.
-
-
-
-### Install for me
-You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, and then click **Install**.
-
-
-
-3. Click **Install**.
-
-### Assign to others
-Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school.
-
-**To assign to others**
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**.
-
-
-
-3. Click **Invite people**.
-
-4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
-
- 
-
- You can assign the app to students with work or school accounts.
- If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
-
-
-**To finish Minecraft install (for students)**
-
-Students will receive an email with a link that will install the app on their PC.
-
-
-
-1. Click **Get the app** to start the app install in Microsoft Store app.
-2. In Microsoft Store app, click **Install**.
-
- 
-
- After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**.
-
- 
-
- When students click **My Library** they'll find apps assigned to them.
-
- 
-
-### Download for others
-Download for others allows teachers or IT admins to download packages that they can install on student PCs. This option will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
-- You have administrative permissions to install apps on the PC.
-- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs.
-- Your students share Windows 10 computers, but sign in with their own Windows account.
-
-#### Requirements
-- Administrative permissions are required on the PC. If you don't have the correct permissions, you won't be able to install the app.
-- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition.
-
-#### Check for updates
-Minecraft: Education Edition won't install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps.
-
-**To check for app updates**
-1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
-2. Click the account button, and then click **Downloads and updates**.
-
- 
-
-3. Click **Check for updates**, and install all available updates.
-
- 
-
-4. Restart the computer before installing Minecraft: Education Edition.
-
-#### To download for others
-You'll download a .zip file, extract the files, and then use one of the files to install Minecraft: Education Edition on each PC.
-
-1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
-
- 
-
-2. **Extract files**. Find the .zip file that you downloaded and extract the files. This downloaded location is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
-3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
-4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**.
-5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install.
-6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use.
#### Troubleshoot
-If you ran **InstallMinecraftEducationEdition.bat** and Minecraft: Education Edition isn't available, there are a few things that might have happened.
-
-| Problem | Possible cause | Solution |
-|---------|----------------|----------|
-| Script ran, but it doesn't look like the app installed. | There might be pending app updates. | Check for app updates (see steps earlier in this topic). Install updates. Restart PC. Run **InstallMinecraftEducationEdition.bat** again. |
-| App won't install. | AppLocker is configured and preventing app installs. | Contact IT Admin. |
-| App won't install. | Policy prevents users from installing apps on the PC. | Contact IT Admin. |
-| Script starts, but stops quickly. | Policy prevents scripts from running on the PC. | Contact IT Admin. |
-| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app won't be available.| Restart PC. Run **InstallMinecraftEducationEdition.bat** again. If a restart doesn't work, contact your IT Admin. |
-
-
-If you're still having trouble installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757).
+If you're having trouble installing the app, you can get more help on our [Support page](https://aka.ms/minecraftedusupport).
## Related topics
-[Working with Microsoft Store for Education](education-scenarios-store-for-business.md)
-Learn about overall Microsoft Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)
diff --git a/education/windows/tutorial-school-deployment/configure-device-apps.md b/education/windows/tutorial-school-deployment/configure-device-apps.md
new file mode 100644
index 0000000000..ab88e770c4
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/configure-device-apps.md
@@ -0,0 +1,99 @@
+---
+title: Configure applications with Microsoft Intune
+description: Configure applications with Microsoft Intune in preparation to device deployment
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Configure applications with Microsoft Intune
+
+With Intune for Education, school IT administrators have access to diverse applications to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education.
+
+Applications can be assigned to groups:
+
+- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into
+- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in
+
+In this section you will:
+> [!div class="checklist"]
+> * Add apps to Intune for Education
+> * Assign apps to groups
+> * Review some considerations for Windows 11 SE devices
+
+## Add apps to Intune for Education
+
+Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**.
+
+:::image type="content" source="./images/intune-education-apps.png" alt-text="Intune for Education - Apps" lightbox="./images/intune-education-apps.png" border="true":::
+
+### Desktop apps
+
+The addition of desktop applications to Intune should be carried out by repackaging the apps, and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
+
+### Web apps
+
+To create web applications in Intune for Education:
+
+1. Sign in to the Intune for Education portal
+1. Select **Apps**
+1. Select **New app** > **New web app**
+1. Provide a URL for the web app, a name and, optionally, an icon and description
+1. Select **Save**
+
+For more information, see [Add web apps][INT-2].
+
+## Assign apps to groups
+
+To assign applications to a group of users or devices:
+
+1. Sign in to the Intune for Education portal
+1. Select **Groups** > Pick a group to manage
+1. Select **Apps**
+1. Select either **Web apps** or **Windows apps**
+1. Select the apps you want to assign to the group > Save
+
+## Considerations for Windows 11 SE
+
+Windows 11 SE supports all web applications and a *curated list* of desktop applications.
+You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list][EDU-1].
+
+The process to add Win32 applications to Intune is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
+
+> [!NOTE]
+> If the applications you need aren't included in the list, anyone in your school district can submit an application request at Microsoft Education Support.
+
+> [!CAUTION]
+> If you assign an app to a device running **Windows 11 SE** and receive the **0x87D300D9** error code with a **Failed** state:
+> - Be sure the app is on the [approved app list][EDU-1]
+> - If you submitted a request to add your own app and it was approved, check that the app meets package requirements
+> - If the app is not approved, it will not run on Windows 11 SE. In this case, you will have to verify if the app can run in a web browser, such as a web app or PWA
+
+________________________________________________________
+
+## Next steps
+
+With the applications configured, you can now deploy students' and teachers' devices.
+
+> [!div class="nextstepaction"]
+> [Next: Deploy devices >](enroll-overview.md)
+
+
+
+[EDU-1]: /education/windows/windows-11-se-overview
+
+[MEM-1]: /mem/intune/apps/apps-win32-add
+
+[INT-1]: /intune-education/express-configuration-intune-edu
+[INT-2]: /intune-education/add-web-apps-edu
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md
new file mode 100644
index 0000000000..333618e34c
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@@ -0,0 +1,142 @@
+---
+title: Configure and secure devices with Microsoft Intune
+description: Configure policies with Microsoft Intune in preparation to device deployment
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Configure and secure devices with Microsoft Intune
+
+With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies.
+For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel.
+
+Settings can be assigned to groups:
+
+- If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to
+- If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices
+
+There are two ways to manage settings in Intune for Education:
+
+- **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments
+- **Group settings.** This option is used to configure all settings that are offered by Intune for Education
+
+> [!NOTE]
+> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices.
+
+In this section you will:
+> [!div class="checklist"]
+> * Configure settings with Express Configuration
+> * Configure group settings
+> * Create Windows Update policies
+> * Configure security policies
+
+## Configure settings with Express Configuration
+
+With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools.
+
+> [!TIP]
+> To learn more, and practice step-by-step Express Configuration in Intune for Education, try this interactive demo.
+
+## Configure group settings
+
+Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings:
+
+1. Sign in to the Intune for Education portal
+1. Select **Groups** > Pick a group to manage
+1. Select **Windows device settings**
+1. Expand the different categories and review information about individual settings
+
+Settings that are commonly configured for student devices include:
+
+- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7]
+- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8]
+- Enablement of the integrated testing and assessment solution *Take a test*. See: [Add Take a Test profile][INT-9]
+
+For more information, see [Windows device settings in Intune for Education][INT-3].
+
+## Create Windows Update policies
+
+It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education.
+
+To create a Windows Update policy:
+
+1. Select **Groups** > Pick a group to manage
+1. Select **Windows device settings**
+1. Expand the category **Update and upgrade**
+1. Configure the required settings as needed
+
+For more information, see [Updates and upgrade][INT-6].
+
+> [!NOTE]
+> If you require a more complex Windows Update policy, you can create it in Microsoft Endpoint Manager. For more information:
+> - [What is Windows Update for Business?][WIN-1]
+> - [Manage Windows software updates in Intune][MEM-1]
+
+## Configure security policies
+
+It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows.
+Intune for Education provides different settings to secure devices.
+
+To create a security policy:
+
+1. Select **Groups** > Pick a group to manage
+1. Select **Windows device settings**
+1. Expand the category **Security**
+1. Configure the required settings as needed, including
+ - Windows Defender
+ - Windows Encryption
+ - Windows SmartScreen
+
+For more information, see [Security][INT-4].
+
+> [!NOTE]
+> If you require more sophisticated security policies, you can create them in Microsoft Endpoint Manager. For more information:
+> - [Antivirus][MEM-2]
+> - [Disk encryption][MEM-3]
+> - [Firewall][MEM-4]
+> - [Endpoint detection and response][MEM-5]
+> - [Attack surface reduction][MEM-6]
+> - [Account protection][MEM-7]
+
+________________________________________________________
+
+## Next steps
+
+With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices.
+
+> [!div class="nextstepaction"]
+> [Next: Configure applications >](configure-device-apps.md)
+
+
+
+[EDU-1]: /education/windows/windows-11-se-overview
+
+[INT-2]: /intune-education/express-configuration-intune-edu
+[INT-3]: /intune-education/all-edu-settings-windows
+[INT-4]: /intune-education/all-edu-settings-windows#security
+[INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade
+[INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop
+[INT-8]: /intune-education/add-wi-fi-profile
+[INT-9]: /intune-education/take-a-test-profiles
+
+[WIN-1]: /windows/deployment/update/waas-manage-updates-wufb
+
+[MEM-1]: /mem/intune/protect/windows-update-for-business-configure
+[MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy
+[MEM-3]: /mem/intune/protect/encrypt-devices
+[MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy
+[MEM-5]: /mem/intune/protect/endpoint-security-edr-policy
+[MEM-6]: /mem/intune/protect/endpoint-security-asr-policy
+[MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md
new file mode 100644
index 0000000000..bea37bf92b
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md
@@ -0,0 +1,70 @@
+---
+title: Configure devices with Microsoft Intune
+description: Configure policies and applications in preparation to device deployment
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Configure settings and applications with Microsoft Intune
+
+Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune.
+Microsoft Intune uses Azure AD groups to assign policies and applications to devices.
+With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them.
+
+In this section you will:
+> [!div class="checklist"]
+> * Create groups
+> * Create and assign policies to groups
+> * Create and assign applications to groups
+
+## Create groups
+
+By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need.
+
+By default, Intune for Education creates two default groups: *All devices* and *All users*.
+Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school.
+
+:::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true":::
+
+Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to.
+
+Two group types can be created:
+
+- **Assigned groups** are used when you want to manually add users or devices to a group
+- **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups
+
+> [!TIP]
+> If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution.
+
+For more information, see:
+
+- [Create groups in Intune for Education][EDU-1]
+- [Manually add or remove users and devices to an existing assigned group][EDU-2]
+- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3]
+
+________________________________________________________
+
+## Next steps
+
+With the groups created, you can configure policies and applications to deploy to your groups.
+
+> [!div class="nextstepaction"]
+> [Next: Configure policies >](configure-device-settings.md)
+
+
+
+[EDU-1]: /intune-education/create-groups
+[EDU-2]: /intune-education/edit-groups-intune-for-edu
+[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-aadj.md
new file mode 100644
index 0000000000..5747c986a4
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/enroll-aadj.md
@@ -0,0 +1,42 @@
+---
+title: Enrollment in Intune with standard out-of-box experience (OOBE)
+description: how to join Azure AD for OOBE and automatically get the device enrolled in Intune
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+# Automatic Intune enrollment via Azure AD join
+
+If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Azure Active Directory tenant, and automatically enroll it in Intune.
+With this process, no advance preparation is needed:
+
+1. Follow the on-screen prompts for region selection, keyboard selection, and network connection
+1. Wait for updates. If any updates are available, they'll be installed at this time
+ :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true":::
+1. When prompted, select **Set up for work or school** and authenticate using your school's Azure Active Directory account
+ :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true":::
+1. The device will join Azure AD and automatically enroll in Intune. All settings defined in Intune will be applied to the device
+
+> [!IMPORTANT]
+> If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot.
+
+:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
+
+________________________________________________________
+## Next steps
+
+With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+
+> [!div class="nextstepaction"]
+> [Next: Manage devices >](manage-overview.md)
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md
new file mode 100644
index 0000000000..a64a7590e3
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md
@@ -0,0 +1,160 @@
+---
+title: Enrollment in Intune with Windows Autopilot
+description: how to join Azure AD and enroll in Intune using Windows Autopilot
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Windows Autopilot
+
+Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices.
+
+Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services.
+
+From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated.
+
+## Prerequisites
+
+Before setting up Windows Autopilot, consider these prerequisites:
+
+- **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot
+- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices
+- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1]
+
+> [!NOTE]
+> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [Microsoft Intune][INT-1] and [Microsoft 365][M365-1].
+
+## Register devices to Windows Autopilot
+
+Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot:
+
+- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2]
+ > [!NOTE]
+ > For **Microsoft Surface registration**, collect the details shown in this [documentation table][SURF-1] and follow the instruction to submit the request form to Microsoft Support.
+- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5]
+ > [!TIP]
+ > Try the Microsoft Partner Center clickable demo, which provides detailed steps to establish a partner relationship and register devices.
+- **Manual registration.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6]
+ > [!IMPORTANT]
+ > **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices.
+
+## Create groups for Autopilot devices
+
+**Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices.
+For this task, it's recommended to create dynamic device groups using Autopilot attributes.
+
+Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag:
+
+1. Sign in to the Intune for Education portal
+1. Select **Groups** > **Create group**
+1. Specify a **Group name** and select **Dynamic**
+1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value
+1. Select **Create group**
+ :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true":::
+
+More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
+
+> [!TIP]
+> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings.
+
+## Create Autopilot deployment profiles
+
+For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
+A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
+1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Azure AD join process during OOBE
+1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Azure AD join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode.
+
+To create an Autopilot deployment profile:
+
+1. Sign in to the Intune for Education portal
+1. Select **Groups** > Select a group from the list
+1. Select **Windows device settings**
+1. Expand the **Enrolment** category
+1. From **Configure Autopilot deployment profile for device** select **User-driven**
+1. Ensure that **User account type** is configured as **Standard**
+1. Select **Save**
+
+While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
+
+### Configure an Enrollment Status Page
+
+An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status.
+
+:::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." border="false":::
+
+> [!NOTE]
+> Some Windows Autopilot deployment profiles **require** the ESP to be configured.
+
+To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager.
+
+> [!TIP]
+> While testing the deployment process, you can configure the ESP to:
+> - allow the reset of the devices in case the installation fails
+> - allow the use of the device if installation error occurs
+>
+> This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing.
+
+For more information, see [Set up the Enrollment Status Page][MEM-3].
+
+> [!CAUTION]
+> When targeting an ESP to **Windows 11 SE** devices, only applications included in the [approved app list][EDU-1] should part of the ESP configuration.
+
+### Autopilot end-user experience
+
+Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection.
+When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows:
+
+1. Identify the language and region
+1. Select the keyboard layout and decide on the option for a second keyboard layout
+1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step
+1. Apply updates: the device will look for and apply required updates
+1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur
+1. The user authenticates to Azure AD, using the school account
+1. The device joins Azure AD, enrolls in Intune and all the settings and applications are configured
+
+> [!NOTE]
+> Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection.
+
+:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
+
+________________________________________________________
+## Next steps
+
+With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+
+> [!div class="nextstepaction"]
+> [Next: Manage devices >](manage-overview.md)
+
+
+
+[MEM-1]: /mem/intune/fundamentals/intune-endpoints
+[MEM-2]: /mem/autopilot/oem-registration
+[MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune
+[MEM-4]: /mem/autopilot/profiles
+[MEM-5]: /mem/autopilot/partner-registration
+[MEM-6]: /mem/autopilot/add-devices
+
+[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements
+
+[MSFT-1]: https://partner.microsoft.com/
+
+[INT-1]: /intune/network-bandwidth-use
+
+[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
+
+[EDU-1]: /education/windows/windows-11-se-overview
+[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
+
+[SURF-1]: /surface/surface-autopilot-registration-support
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md
new file mode 100644
index 0000000000..1a0048e8b2
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md
@@ -0,0 +1,48 @@
+---
+title: Device enrollment overview
+description: Options to enroll Windows devices in Microsoft Intune
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: overview
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Device enrollment overview
+
+There are three main methods for joining Windows devices to Azure AD and getting them enrolled and managed by Intune:
+
+- **Automatic Intune enrollment via Azure AD join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Azure AD. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
+- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join an Azure AD tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
+- **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users
+
+## Choose the enrollment method
+
+**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments.
+This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies.
+
+:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
+
+Select one of the following options to learn the next steps about the enrollment method you chose:
+
+> [!div class="nextstepaction"]
+> [Next: Automatic Intune enrollment via Azure AD join >](enroll-aadj.md)
+
+> [!div class="nextstepaction"]
+> [Next: Bulk enrollment with provisioning packages >](enroll-package.md)
+
+> [!div class="nextstepaction"]
+> [Next: Enroll devices with Windows Autopilot >](enroll-autopilot.md)
+
+
+
+[INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot
diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md
new file mode 100644
index 0000000000..35f640ae75
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/enroll-package.md
@@ -0,0 +1,76 @@
+---
+title: Enrollment of Windows devices with provisioning packages
+description: options how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Enrollment with provisioning packages
+
+Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are:
+
+- There are no particular hardware dependencies on the devices to complete the enrollment process
+- Devices don't need to be registered in advance
+- Enrollment is a simple task: just open a provisioning package and the process is automated
+
+You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections.
+
+## Set up School PCs
+
+With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Azure AD join and Intune enrollment process.
+
+### Create a provisioning package
+
+The Set Up School PCs app guides you through configuration choices for school-owned devices.
+
+:::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false":::
+
+> [!CAUTION]
+> If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page.
+
+Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios.
+
+For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1].
+
+> [!TIP]
+> To learn more and practice with Set up School PCs, try the Set Up School PCs demo, which provides detailed steps to create a provisioning package and deploy a device.
+## Windows Configuration Designer
+
+Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package.
+
+:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false":::
+
+For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use.
+
+## Enroll devices with the provisioning package
+
+To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune.
+All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use.
+
+:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
+
+________________________________________________________
+## Next steps
+
+With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
+
+> [!div class="nextstepaction"]
+> [Next: Manage devices >](manage-overview.md)
+
+
+
+[EDU-1]: /education/windows/use-set-up-school-pcs-app
+
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/images/advanced-support.png b/education/windows/tutorial-school-deployment/images/advanced-support.png
new file mode 100644
index 0000000000..d7655d1616
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/advanced-support.png differ
diff --git a/education/windows/tutorial-school-deployment/images/configure.png b/education/windows/tutorial-school-deployment/images/configure.png
new file mode 100644
index 0000000000..6e3219a7cb
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/configure.png differ
diff --git a/education/windows/tutorial-school-deployment/images/device-lifecycle.png b/education/windows/tutorial-school-deployment/images/device-lifecycle.png
new file mode 100644
index 0000000000..ab14cdb9f0
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/device-lifecycle.png differ
diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png b/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png
new file mode 100644
index 0000000000..3386f7673a
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png differ
diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile.png b/education/windows/tutorial-school-deployment/images/dfci-profile.png
new file mode 100644
index 0000000000..d77dc06f3d
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/dfci-profile.png differ
diff --git a/education/windows/tutorial-school-deployment/images/enroll.png b/education/windows/tutorial-school-deployment/images/enroll.png
new file mode 100644
index 0000000000..352cda9509
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/enroll.png differ
diff --git a/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png b/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png
new file mode 100644
index 0000000000..69b22745a6
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png b/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png
new file mode 100644
index 0000000000..3f031053d5
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-branding.png b/education/windows/tutorial-school-deployment/images/entra-branding.png
new file mode 100644
index 0000000000..7201c7386d
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-branding.png differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-device-settings.png b/education/windows/tutorial-school-deployment/images/entra-device-settings.png
new file mode 100644
index 0000000000..ef18b7391f
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-device-settings.png differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-tenant-name.png b/education/windows/tutorial-school-deployment/images/entra-tenant-name.png
new file mode 100644
index 0000000000..4cf21148d1
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/entra-tenant-name.png differ
diff --git a/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png b/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png
new file mode 100644
index 0000000000..69f9fb188a
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png differ
diff --git a/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png b/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png
new file mode 100644
index 0000000000..5c1215f6d8
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-diagnostics.png b/education/windows/tutorial-school-deployment/images/intune-diagnostics.png
new file mode 100644
index 0000000000..20b05ad9d7
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-diagnostics.png differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-apps.png b/education/windows/tutorial-school-deployment/images/intune-education-apps.png
new file mode 100644
index 0000000000..ca344cf5cf
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-apps.png differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png b/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png
new file mode 100644
index 0000000000..75543684ca
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-groups.png b/education/windows/tutorial-school-deployment/images/intune-education-groups.png
new file mode 100644
index 0000000000..87f4546e88
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-groups.png differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-portal.png b/education/windows/tutorial-school-deployment/images/intune-education-portal.png
new file mode 100644
index 0000000000..6bcc9f9375
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/intune-education-portal.png differ
diff --git a/education/windows/tutorial-school-deployment/images/inventory-reporting.png b/education/windows/tutorial-school-deployment/images/inventory-reporting.png
new file mode 100644
index 0000000000..39c904e205
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/inventory-reporting.png differ
diff --git a/education/windows/tutorial-school-deployment/images/m365-admin-center.png b/education/windows/tutorial-school-deployment/images/m365-admin-center.png
new file mode 100644
index 0000000000..d471b441dd
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/m365-admin-center.png differ
diff --git a/education/windows/tutorial-school-deployment/images/protect-manage.png b/education/windows/tutorial-school-deployment/images/protect-manage.png
new file mode 100644
index 0000000000..7ee7040a46
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/protect-manage.png differ
diff --git a/education/windows/tutorial-school-deployment/images/remote-actions.png b/education/windows/tutorial-school-deployment/images/remote-actions.png
new file mode 100644
index 0000000000..cfbd12f2da
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/remote-actions.png differ
diff --git a/education/windows/tutorial-school-deployment/images/retire.png b/education/windows/tutorial-school-deployment/images/retire.png
new file mode 100644
index 0000000000..c079cfeaac
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/retire.png differ
diff --git a/education/windows/tutorial-school-deployment/images/supcs-win11se.png b/education/windows/tutorial-school-deployment/images/supcs-win11se.png
new file mode 100644
index 0000000000..700ff6d87f
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/supcs-win11se.png differ
diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png b/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png
new file mode 100644
index 0000000000..339bd90904
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png differ
diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal.png b/education/windows/tutorial-school-deployment/images/surface-management-portal.png
new file mode 100644
index 0000000000..a1b7dd37ab
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/surface-management-portal.png differ
diff --git a/education/windows/tutorial-school-deployment/images/wcd.png b/education/windows/tutorial-school-deployment/images/wcd.png
new file mode 100644
index 0000000000..fba5be741f
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/wcd.png differ
diff --git a/education/windows/tutorial-school-deployment/images/whfb-disable.png b/education/windows/tutorial-school-deployment/images/whfb-disable.png
new file mode 100644
index 0000000000..97177965e3
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/whfb-disable.png differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png b/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png
new file mode 100644
index 0000000000..0ec380619e
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-login-screen.png b/education/windows/tutorial-school-deployment/images/win11-login-screen.png
new file mode 100644
index 0000000000..438dda11bc
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-login-screen.png differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png b/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png
new file mode 100644
index 0000000000..5ebb6a9f14
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif
new file mode 100644
index 0000000000..fa2e4c3aeb
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif
new file mode 100644
index 0000000000..2defd5c1ce
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png b/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png
new file mode 100644
index 0000000000..51bbc39c9f
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-wipe.png b/education/windows/tutorial-school-deployment/images/win11-wipe.png
new file mode 100644
index 0000000000..027afae172
Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-wipe.png differ
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
new file mode 100644
index 0000000000..d68fd2fd82
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -0,0 +1,87 @@
+---
+title: Introduction
+description: Introduction to deployment and management of Windows devices in education environments
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+---
+
+# Tutorial: deploy and manage Windows devices in a school
+
+This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment.
+
+## Audience and user requirements
+
+This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including:
+
+- School leaders
+- IT administrators
+- Teachers
+- Microsoft partners
+
+This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**.
+
+> [!NOTE]
+> Depending on your school setup scenario, you may not need to implement all steps.
+
+## Device lifecycle management
+
+Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management.
+
+Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
+Microsoft Endpoint Manager services include:
+
+- [Microsoft Intune][MEM-1]
+- [Microsoft Intune for Education][INT-1]
+- [Configuration Manager][MEM-2]
+- [Desktop Analytics][MEM-3]
+- [Windows Autopilot][MEM-4]
+- [Surface Management Portal][MEM-5]
+
+These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk.
+
+## Why Intune for Education?
+
+Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point.
+From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle:
+
+:::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false":::
+
+- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Azure AD tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
+- **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator
+- **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates
+- **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. In this document, we cover different device return and exchange scenarios
+
+## Four pillars of modern device management
+
+In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management:
+
+- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Azure Active Directory, as the foundation for user identity and authentication
+- **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence
+- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
+- **Device reset:** Resetting managed devices with Intune for Education
+
+________________________________________________________
+## Next steps
+
+Let's begin with the creation and configuration of your Azure AD tenant and Intune environment.
+
+> [!div class="nextstepaction"]
+> [Next: Set up Azure Active Directory >](set-up-azure-ad.md)
+
+
+
+[MEM-1]: /mem/intune/fundamentals/what-is-intune
+[MEM-2]: /mem/configmgr/core/understand/introduction
+[MEM-3]: /mem/configmgr/desktop-analytics/overview
+[MEM-4]: /mem/autopilot/windows-autopilot
+[MEM-5]: /mem/autopilot/dfci-management
+
+[INT-1]: /intune-education/what-is-intune-for-education
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md
new file mode 100644
index 0000000000..6be402a17d
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/manage-overview.md
@@ -0,0 +1,71 @@
+---
+title: Manage devices with Microsoft Intune
+description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Manage devices with Microsoft Intune
+
+Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained.
+
+:::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false":::
+
+## Remote device management
+
+With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely.
+
+### Remote actions
+
+Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device.
+
+:::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true":::
+
+With bulk actions, remote actions can be performed on multiple devices at once.
+
+To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1].
+
+## Remote assistance
+
+With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices.
+
+For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2].
+
+## Device inventory and reporting
+
+With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline.
+
+Here are the steps for generating reports in Intune for Education:
+
+1. Sign in to the Intune for Education portal
+1. Select **Reports**
+1. Select between one of the report types:
+ - Device inventory
+ - Device actions
+ - Application inventory
+ - Settings errors
+ - Windows Defender
+ - Autopilot deployment
+1. If needed, use the search box to find specific devices, applications, and settings
+1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel.
+ :::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true":::
+
+To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3].
+
+
+
+[EDU-1]: /intune-education/edu-device-remote-actions
+[EDU-2]: /intune-education/remote-assist-mobile-devices
+[EDU-3]: /intune-education/what-are-reports
diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md
new file mode 100644
index 0000000000..c8d8f1a1c3
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md
@@ -0,0 +1,54 @@
+---
+title: Management functionalities for Surface devices
+description: Management capabilities offered to Surface devices, including firmware management and the Surface Management Portal
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Surface devices
+---
+
+# Management functionalities for Surface devices
+
+Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
+
+## Manage device firmware for Surface devices
+
+Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices.
+
+DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI.
+
+:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Endpoint Manager" lightbox="./images/dfci-profile-expanded.png" border="true":::
+
+## Microsoft Surface Management Portal
+
+Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
+
+When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities.
+
+To access and use the Surface Management Portal:
+
+1. Sign in to Microsoft Endpoint Manager admin center
+1. Select **All services** > **Surface Management Portal**
+ :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Endpoint Manager" lightbox="./images/surface-management-portal-expanded.png" border="true":::
+1. To obtain insights for all your Surface devices, select **Monitor**
+ - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
+1. To obtain details on each insights category, select **View report**
+ - This dashboard displays diagnostic information that you can customize and export
+1. To obtain the device's warranty information, select **Device warranty and coverage**
+1. To review a list of support requests and their status, select **Support requests**
+
+
+
+[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
+
+[MEM-1]: /mem/autopilot/dfci-management
+
+[SURF-1]: /surface/surface-manage-dfci-guide
diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md
new file mode 100644
index 0000000000..ca8bac240d
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/reset-wipe.md
@@ -0,0 +1,122 @@
+---
+title: Reset and wipe Windows devices
+description: Reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Device reset options
+
+There are different scenarios that require a device to be reset, for example:
+
+- The device isn't responding to commands
+- The device is lost or stolen
+- It's the end of the life of the device
+- It's the end of the school year and you want to prepare the device for a new school year
+- The device has hardware problems and you want to send it to the service center
+
+:::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false":::
+
+Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them:
+
+- **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings
+- **Autopilot reset** is used to return the device to a fully configured or known IT-approved state
+
+## Factory reset (wipe)
+
+A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management.
+
+Once the wipe is completed, the device will be in out-of-box experience.
+
+Here are the steps to perform a factory reset from Intune for Education:
+
+1. Sign in to the Intune for Education portal
+1. Select **Devices**
+1. Select the device you want to reset > **Factory reset**
+1. Select **Factory reset** to confirm the action
+
+:::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false":::
+
+Consider using factory reset in the following example scenarios:
+
+- The device isn't working properly, and you want to reset it without reimaging it
+- It's the end of school year and you want to prepare the device for a new school year
+- You need to reassign the device to a different student, and you want to reset the device to its original settings
+- You're returning a device to the service center, and you want to remove all data and settings from the device
+
+> [!TIP]
+> Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device.
+
+## Autopilot Reset
+
+Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant.
+
+Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen.
+
+Here are the steps to perform an Autopilot reset from Intune for Education:
+
+1. Sign in to the Intune for Education portal
+1. Select **Devices**
+1. Select the device you want to reset > **Autopilot reset**
+1. Select **Autopilot reset** to confirm the action
+
+:::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false":::
+
+Consider using Autopilot reset in the following example scenarios:
+
+- The device isn't working properly, and you want to reset it without reimaging it
+- It's the end of school year and you want to prepare the device for a new school year
+- You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE
+
+> [!TIP]
+> Consider that the end user will **not** go through OOBE, and the association of the user to the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode).
+
+## Wiping and deleting a device
+
+There are scenarios that require a device to be deleted from your tenant, for example:
+
+- The device is lost or stolen
+- It's the end of the life of the device
+- The device has been replaced with a new device or has its motherboard replaced
+
+> [!IMPORTANT]
+> The following actions should only be performed for devices that are no longer going to be used in your tenant.
+
+ To completely remove a device, you need to perform the following actions:
+
+1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1]
+1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2]
+1. Delete the device from Azure Active Directory using [these steps][MEM-3]
+
+## Autopilot considerations for a motherboard replacement scenario
+
+Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. If a motherboard replacement is needed on an Autopilot device, it's suggested the following process:
+
+1. Deregister the device from Autopilot
+1. Replace the motherboard
+1. Capture a new device ID (4K HH)
+1. Re-register the device with Autopilot
+ > [!IMPORTANT]
+ > For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management.
+1. Reset the device
+1. Return the device
+
+For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
+
+
+[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
+[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
+[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal
+[MEM-4]: /mem/autopilot/autopilot-mbr
diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
new file mode 100644
index 0000000000..efe5fa2545
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
@@ -0,0 +1,179 @@
+---
+title: Set up Azure Active Directory
+description: How to create and prepare your Azure AD tenant for an education environment
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+#appliesto:
+---
+
+# Set up Azure Active Directory
+
+The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school.
+
+Azure Active Directory (Azure AD), which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Azure AD for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
+
+In this section you will:
+> [!div class="checklist"]
+> * Set up a Microsoft 365 Education tenant
+> * Add users, create groups, and assign licenses
+> * Configure school branding
+> * Enable bulk enrollment
+
+## Create a Microsoft 365 tenant
+
+If you don't already have a Microsoft 365 tenant, you'll need to create one.
+
+For more information, see [Create your Office 365 tenant account][M365-1]
+
+> [!TIP]
+> To learn more, and practice how to configure the Microsoft 365 tenant for your school, try this interactive demo.
+### Explore the Microsoft 365 admin center
+
+The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the Microsoft Entra admin center, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
+
+From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others:
+
+:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
+
+For more information, see [Overview of the Microsoft 365 admin center][M365-2].
+
+> [!NOTE]
+> Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant.
+
+## Add users, create groups, and assign licenses
+
+With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
+
+> [!NOTE]
+> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Azure Active Directory sync](#azure-active-directory-sync) below.
+
+### School Data Sync
+
+School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes.
+
+For more information, see [Overview of School Data Sync][SDS-1].
+
+> [!TIP]
+> To learn more and practice with School Data Sync, follow the Microsoft School Data Sync demo, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant.
+
+> [!NOTE]
+> You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [O365-EDU-Tools GitHub site](https://github.com/OfficeDev/O365-EDU-Tools).
+>
+> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
+
+### Azure Active Directory sync
+
+To integrate an on-premises directory with Azure Active Directory, you can use **Microsoft Azure Active Directory Connect** to synchronize users, groups, and other objects. Azure AD Connect lets you configure the authentication method appropriate for your school, including:
+
+- [Password hash synchronization][AAD-1]
+- [Pass-through authentication][AAD-2]
+- [Federated authentication][AAD-3]
+
+For more information, see [Set up directory synchronization for Microsoft 365][O365-1].
+
+### Create users manually
+
+In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center.
+
+There are two options for adding users manually, either individually or in bulk:
+
+1. To add students and teachers as users in Microsoft 365 Education *individually*:
+ - Sign in to the Microsoft Entra admin center
+ - Select **Azure Active Directory** > **Users** > **All users** > **New user** > **Create new user**
+ For more information, see [Add users and assign licenses at the same time][M365-3].
+1. To add *multiple* users to Microsoft 365 Education:
+ - Sign in to the Microsoft Entra admin center
+ - Select **Azure Active Directory** > **Users** > **All users** > **Bulk operations** > **Bulk create**
+
+For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
+### Create groups
+
+Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
+
+1. Sign in to the Microsoft Entra admin center
+1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group**
+1. On the **New group** page, select **Group type** > **Security**
+1. Provide a group name and add members, as needed
+1. Select **Next**
+
+For more information, see [Create a group in the Microsoft 365 admin center][M365-5].
+
+### Assign licenses
+
+The recommended way to assign licenses is through group-based licensing. With this method, Azure AD ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
+
+To assign a license to a group:
+
+1. Sign in to the Microsoft Entra admin center
+1. Select **Azure Active Directory** > **Show More** > **Billing** > **Licenses**
+1. Select the required products that you want to assign licenses for > **Assign**
+1. Add the groups to which the licenses should be assigned
+
+ :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::
+
+For more information, see [Group-based licensing using Azure AD admin center][AAD-4].
+
+## Configure school branding
+
+Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience.
+
+To configure your school's branding:
+
+1. Sign in to the Microsoft Entra admin center
+1. Select **Azure Active Directory** > **Show More** > **User experiences** > **Company branding**
+1. You can specify brand settings like background image, logo, username hint and a sign-in page text
+ :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
+1. To adjust the school tenant's name displayed during OOBE, select **Azure Active Directory** > **Overview** > **Properties**
+1. In the **Name** field, enter the school district or organization's name > **Save**
+ :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
+
+For more information, see [Add branding to your directory][AAD-5].
+
+## Enable bulk enrollment
+
+If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Azure AD tenant.
+
+To allow provisioning packages to complete the Azure AD Join process:
+
+1. Sign in to the Microsoft Entra admin center
+1. Select **Azure Active Directory** > **Devices** > **Device Settings**
+1. Under **Users may join devices to Azure AD**, select **All**
+ > [!NOTE]
+ > If it is required that only specific users can join devices to Azure AD, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
+1. Select Save
+ :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
+
+________________________________________________________
+
+## Next steps
+
+With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune.
+
+> [!div class="nextstepaction"]
+> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md)
+
+
+
+[AAD-1]: /azure/active-directory/hybrid/whatis-phs
+[AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta
+[AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis
+[AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign
+[AAD-5]: /azure/active-directory/fundamentals/customize-branding
+
+[M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant
+[M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview
+[M365-3]: /microsoft-365/admin/add-users/add-users
+[M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time
+[M365-5]: /microsoft-365/admin/create-groups/create-groups
+
+[O365-1]: /office365/enterprise/set-up-directory-synchronization
+
+[SDS-1]: /schooldatasync/overview-of-school-data-sync
diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
new file mode 100644
index 0000000000..a75509b502
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
@@ -0,0 +1,104 @@
+---
+title: Set up device management
+description: How to configure the Intune service and set up the environment for education.
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: tutorial
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+#appliesto:
+---
+
+# Set up Microsoft Intune
+
+Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Endpoint Manager provides a collection of services that simplifies the management of devices at scale.
+
+Microsoft Intune is one of the services provided by Microsoft Endpoint Manager. The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
+
+:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true":::
+
+**Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year.
+
+For more information, see [Intune for Education documentation][INT-1].
+
+In this section you will:
+> [!div class="checklist"]
+> * Review Intune's licensing prerequisites
+> * Configure the Intune service for education devices
+
+## Prerequisites
+
+Before configuring settings with Intune for Education, consider the following prerequisites:
+
+- **Intune subscription.** Microsoft Intune is licensed in three ways:
+ - As a standalone service
+ - As part of [Enterprise Mobility + Security][MSFT-1]
+ - As part of a [Microsoft 365 Education subscription][MSFT-2]
+- **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS
+
+For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*.
+
+## Configure the Intune service for education devices
+
+The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts.
+
+### Configure enrollment restrictions
+
+With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school.
+
+To block personally owned Windows devices from enrolling:
+
+1. Sign in to the Microsoft Endpoint Manager admin center
+1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions**
+1. Select the **Windows restrictions** tab
+1. Select **Create restriction**
+1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next**
+1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next**
+ :::image type="content" source="./images/enrollment-restrictions.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" lightbox="./images/enrollment-restrictions.png" border="true":::
+1. Optionally, on the **Scope tags** page, add scope tags > **Next**
+1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next**
+1. On the **Review + create** page, select **Create** to save the restriction
+
+For more information, see [Create a device platform restriction][MEM-2].
+
+### Disable Windows Hello for Business
+
+Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled.
+It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices.
+To disable Windows Hello for Business at the tenant level:
+
+1. Sign in to the Microsoft Endpoint Manager admin center
+1. Select **Devices** > **Windows** > **Windows Enrollment**
+1. Select **Windows Hello for Business**
+1. Ensure that **Configure Windows Hello for Business** is set to **disabled**
+1. Select **Save**
+
+:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="./images/whfb-disable.png":::
+
+For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
+
+________________________________________________________
+
+## Next steps
+
+With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices.
+
+> [!div class="nextstepaction"]
+> [Next: Configure devices >](configure-devices-overview.md)
+
+
+
+[MEM-1]: /mem/intune/fundamentals/licenses
+[MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set
+[MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy
+
+[INT-1]: /intune-education/what-is-intune-for-education
+
+[MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security
+[MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education
+[MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/toc.yml b/education/windows/tutorial-school-deployment/toc.yml
new file mode 100644
index 0000000000..294e70dc20
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/toc.yml
@@ -0,0 +1,38 @@
+items:
+ - name: Introduction
+ href: index.md
+ - name: 1. Prepare your tenant
+ items:
+ - name: Set up Azure Active Directory
+ href: set-up-azure-ad.md
+ - name: Set up Microsoft Intune
+ href: set-up-microsoft-intune.md
+ - name: 2. Configure settings and applications
+ items:
+ - name: Overview
+ href: configure-devices-overview.md
+ - name: Configure policies
+ href: configure-device-settings.md
+ - name: Configure applications
+ href: configure-device-apps.md
+ - name: 3. Deploy devices
+ items:
+ - name: Overview
+ href: enroll-overview.md
+ - name: Enroll devices via Azure AD join
+ href: enroll-aadj.md
+ - name: Enroll devices with provisioning packages
+ href: enroll-package.md
+ - name: Enroll devices with Windows Autopilot
+ href: enroll-autopilot.md
+ - name: 4. Manage devices
+ items:
+ - name: Overview
+ href: manage-overview.md
+ - name: Management functionalities for Surface devices
+ href: manage-surface-devices.md
+ - name: Reset and wipe devices
+ href: reset-wipe.md
+ - name: 5. Troubleshoot and get help
+ href: troubleshoot-overview.md
+
diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
new file mode 100644
index 0000000000..9b4a442ee2
--- /dev/null
+++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
@@ -0,0 +1,68 @@
+---
+title: Troubleshoot Windows devices
+description: How to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other Endpoint Manager services
+ms.date: 08/31/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+#ms.reviewer:
+manager: aaroncz
+ms.collection: education
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Troubleshoot Windows devices
+
+Microsoft Endpoint Manager provides many tools that can help you troubleshoot Windows devices.
+Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
+
+- [Troubleshooting device enrollment in Intune][MEM-2]
+- [Troubleshooting Windows Autopilot][MEM-9]
+- [Troubleshoot Windows Wi-Fi profiles][MEM-6]
+- [Troubleshooting policies and profiles in Microsoft Intune][MEM-5]
+- [Troubleshooting BitLocker with the Intune encryption report][MEM-4]
+- [Troubleshooting CSP custom settings][MEM-8]
+- [Troubleshooting Win32 app installations with Intune][MEM-7]
+- [Troubleshooting device actions in Intune][MEM-3]
+- [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user
+ :::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true":::
+
+## How to contact Microsoft Support
+
+Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
+
+Follow these steps to obtain support in Microsoft Endpoint Manager:
+
+- Sign in to the Microsoft Endpoint Manager admin center
+- Select **Troubleshooting + support** > **Help and support**
+ :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Endpoint Manager." lightbox="images/advanced-support.png":::
+- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
+- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
+- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
+ - Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution
+ - View insights: find links to documentation that provides context and background specific to the product area or actions you've described
+ - Recommended articles: browse suggested troubleshooting topics and other content related to your issue
+- If needed, use the *Contact support* pane to file an online support ticket
+ > [!IMPORTANT]
+ > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
+- To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
+
+For more information, see [Microsoft Endpoint Manager support page][MEM-1]
+
+
+[MEM-1]: /mem/get-support
+[MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune
+[MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions
+[MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center
+[MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
+[MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles
+[MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install
+[MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings
+[MEM-9]: /mem/autopilot/troubleshooting
+[MEM-10]: /mem/intune/remote-actions/collect-diagnostics
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 32691a8669..f4f9890509 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -1,5 +1,5 @@
---
-title: What is Windows 11 SE
+title: Windows 11 SE Overview
description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education.
ms.prod: windows
ms.mktglfcycl: deploy
@@ -8,130 +8,178 @@ ms.pagetype: mobile
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/10/2022
+ms.date: 09/12/2022
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 11 SE
---
-# Windows 11 SE for Education
+# Windows 11 SE Overview
-Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately).
+Windows 11 SE is an edition of Windows that's designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
-- A simplified and secure experience for students. Student privacy is prioritized.
-- Admins remotely manage Windows 11 SE devices using [Microsoft Intune for Education](/intune-education/what-is-intune-for-education).
-- It's built for low-cost devices.
-- It has a curated app experience, and is designed to only run essential education apps.
+- A simplified and secure experience for students, where student privacy is prioritized. With a curated allowlist of applications maintained by Microsoft, Windows SE is designed to only run essential education apps
+- IT admin can remotely manage Windows 11 SE devices using [Microsoft Intune for Education][INT-1]
+- It's built for low-cost devices
+
+:::image type="content" source="./images/windows-11-se.png" alt-text="Screenshot of Windows 11 SE showing Start menu and taskbar with default layout" border="false":::
## Get Windows 11 SE
-Windows 11 SE is only available preinstalled on devices from OEMs. The OEM installs Windows 11 SE, and makes the devices available for you to purchase. For example, you'll be able to purchase Microsoft Surface devices with Windows 11 SE already installed.
+Windows 11 SE is only available preinstalled on devices from OEMs. OEMs install Windows 11 SE, and make the devices available for you to purchase. For example, you can purchase Microsoft Surface SE devices with Windows 11 SE already installed.
-## Available apps
+## Application types
-Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+The following table lists the different application types available in Windows operating systems, detailing which application types are enabled in Windows 11 SE.
+| App type | Description | Enabled | Note|
+| --- | --- | :---: | ---|
+|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
+| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
+|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.|
+|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.|
-| Application | Supported version | App Type | Vendor |
-| --- | --- | --- | --- |
-|AirSecure |8.0.0 |Win32 |AIR|
-|Brave Browser |1.34.80|Win32 |Brave|
-|Bulb Digital Portfolio |0.0.7.0|Store|Bulb|
-|Cisco Umbrella |3.0.110.0 |Win32 |Cisco|
-|CKAuthenticator |3.6 |Win32 |Content Keeper|
-|Class Policy |114.0.0 |Win32 |Class Policy|
-|Classroom.cloud |1.40.0004 |Win32 |NetSupport|
-|CoGat Secure Browser |11.0.0.19 |Win32 |Riverside Insights|
-|Dragon Professional Individual |15.00.100 |Win32 |Nuance Communications|
-|DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation|
-|Duo from Cisco |2.25.0 |Win32 |Cisco|
-|e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking|
-|eTests |4.0.25 |Win32 |CASAS|
-|FortiClient |7.0.1.0083 |Win32 |Fortinet|
-|Free NaturalReader |16.1.2 |Win32 |Natural Soft|
-|GoGuardian |1.4.4 |Win32 |GoGuardian|
-|Google Chrome |102.0.5005.115|Win32 |Google|
-|Illuminate Lockdown Browser |2.0.5 |Win32 |Illuminate Education|
-|Immunet |7.5.0.20795 |Win32 |Immunet|
-|JAWS for Windows |2022.2112.24 |Win32 |Freedom Scientific|
-|Kite Student Portal |8.0.3.0 |Win32 |Dynamic Learning Maps|
-|Kortext |2.3.433.0 |Store |Kortext|
-|Kurzweil 3000 Assistive Learning |20.13.0000 |Win32 |Kurzweil Educational Systems|
-|LanSchool |9.1.0.46 |Win32 |Stoneware|
-|Lightspeed Smart Agent |2.6.2 |Win32 |Lightspeed Systems|
-|Microsoft Connect |10.0.22000.1 |Store |Microsoft|
-|Mozilla Firefox |99.0.1 |Win32 |Mozilla|
-|NAPLAN |2.5.0 |Win32 |NAP|
-|NetSupport Manager |12.01.0011 |Win32 |NetSupport|
-|NetSupport Notify |5.10.1.215 |Win32 |NetSupport|
-|NetSupport School |14.00.0011 |Win32 |NetSupport|
-|NextUp Talker |1.0.49 |Win32 |NextUp Technologies|
-|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access|
-|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA|
-|Pearson TestNav |1.10.2.0 |Store |Pearson|
-|Questar Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
-|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.|
-|Remote Desktop client (MSRDC) |1.2.3213.0 |Win32 |Microsoft|
-|Remote Help |3.8.0.12 |Win32 |Microsoft|
-|Respondus Lockdown Browser |2.0.8.05 |Win32 |Respondus|
-|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
-|Secure Browser |14.0.0 |Win32 |Cambium Development|
-|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud|
-|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
-|Zoom |5.9.1 (2581)|Win32 |Zoom|
-|ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific|
-|ZoomText Magnifier/Reader |2022.2109.25|Win32 |Freedom Scientific|
+> [!IMPORTANT]
+> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
-### Enabled apps
+## Applications included in Windows 11 SE
-| App type | Enabled |
-| --- | --- |
-| Apps that run in a browser | ✔️ Apps that run in a browser, like Progressive Web Apps (PWA) and Web apps, can run on Windows 11 SE without any changes or limitations. |
-| Apps that require installation | ❌ Apps that require an installation, including Microsoft Store apps and Win32 apps can't be installed. If students try to install these apps, the installation fails.
✔️ If there are specific installation-type apps you want to enable, then work with Microsoft to get them enabled. For more information, see [Add your own apps](#add-your-own-apps) (in this article). |
+The following table lists all the applications included in Windows 11 SE and the pinning to either the Start menu or to the taskbar.
-### Add your own apps
+| App name | App type | Pinned to Start? | Pinned to taskbar? |
+|:-----------------------------|:--------:|:----------------:|:------------------:|
+| Alarm & Clock | UWP | | |
+| Calculator | UWP | ✅ | |
+| Camera | UWP | ✅ | |
+| Microsoft Edge | Win32 | ✅ | ✅ |
+| Excel | Win32 | ✅ | |
+| Feedback Hub | UWP | | |
+| File Explorer | Win32 | | ✅ |
+| FlipGrid | PWA | | |
+| Get Help | UWP | | |
+| Groove Music | UWP | ✅ | |
+| Maps | UWP | | |
+| Minecraft: Education Edition | UWP | | |
+| Movies & TV | UWP | | |
+| News | UWP | | |
+| Notepad | Win32 | | |
+| OneDrive | Win32 | | |
+| OneNote | Win32 | ✅ | |
+| Outlook | PWA | ✅ | |
+| Paint | Win32 | ✅ | |
+| Photos | UWP | | |
+| PowerPoint | Win32 | ✅ | |
+| Settings | UWP | ✅ | |
+| Snip & Sketch | UWP | | |
+| Sticky Notes | UWP | | |
+| Teams | Win32 | ✅ | |
+| To Do | UWP | | |
+| Whiteboard | UWP | ✅ | |
+| Word | Win32 | ✅ | |
-If the apps you need aren't shown in the [available apps list](#available-apps) (in this article), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
+## Available applications
+
+The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
+
+| Application | Supported version | App Type | Vendor |
+|-----------------------------------------|-------------------|----------|------------------------------|
+| AirSecure | 8.0.0 | Win32 | AIR |
+| Brave Browser | 1.34.80 | Win32 | Brave |
+| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
+| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
+| CKAuthenticator | 3.6 | Win32 | Content Keeper |
+| Class Policy | 114.0.0 | Win32 | Class Policy |
+| Classroom.cloud | 1.40.0004 | Win32 | NetSupport |
+| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights |
+| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications |
+| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation |
+| Duo from Cisco | 2.25.0 | Win32 | Cisco |
+| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking |
+| eTests | 4.0.25 | Win32 | CASAS |
+| FortiClient | 7.0.1.0083 | Win32 | Fortinet |
+| Free NaturalReader | 16.1.2 | Win32 | Natural Soft |
+| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd |
+| GoGuardian | 1.4.4 | Win32 | GoGuardian |
+| Google Chrome | 102.0.5005.115 | Win32 | Google |
+| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education |
+| Immunet | 7.5.0.20795 | Win32 | Immunet |
+| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software |
+| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific |
+| Kite Student Portal | 8.0.3.0 | Win32 | Dynamic Learning Maps |
+| Kortext | 2.3.433.0 | Store | Kortext |
+| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems |
+| LanSchool | 9.1.0.46 | Win32 | Stoneware |
+| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems |
+| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation |
+| Microsoft Connect | 10.0.22000.1 | Store | Microsoft |
+| Mozilla Firefox | 99.0.1 | Win32 | Mozilla |
+| NAPLAN | 2.5.0 | Win32 | NAP |
+| Netref Student | 22.2.0 | Win32 | NetRef |
+| NetSupport Manager | 12.01.0014 | Win32 | NetSupport |
+| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport |
+| NetSupport School | 14.00.0011 | Win32 | NetSupport |
+| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies |
+| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access |
+| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA |
+| Pearson TestNav | 1.10.2.0 | Store | Pearson |
+| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc |
+| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. |
+| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft |
+| Remote Help | 3.8.0.12 | Win32 | Microsoft |
+| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus |
+| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser |
+| Secure Browser | 14.0.0 | Win32 | Cambium Development |
+| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud |
+| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access |
+| Zoom | 5.9.1 (2581) | Win32 | Zoom |
+| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific |
+| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific |
+
+## Add your own applications
+
+If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
Microsoft reviews every app request to make sure each app meets the following requirements:
-- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more.
-
-- Apps must be in one of the following app categories:
- - Content Filtering apps
- - Test Taking solutions
+- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more
+- Apps must be in one of the following app categories:
+ - Content Filtering apps
+ - Test Taking solutions
- Assistive technologies
- - Classroom communication apps
+ - Classroom communication apps
- Essential diagnostics, management, and supportability apps
-
-- Apps must meet the performance [requirements of Windows 11](/windows/whats-new/windows-11-requirements).
-
+- Apps must meet the performance [requirements of Windows 11][WIN-1]
- Apps must meet the following security requirements:
- - All app binaries are code-signed.
- - All files include the `OriginalFileName` in the resource file header.
- - All kernel drivers are WHQL-signed.
-
-- Apps don't have an equivalent web application.
-
-- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE.
+ - All app binaries are code-signed
+ - All files include the `OriginalFileName` in the resource file header
+ - All kernel drivers are WHQL-signed
+- Apps don't have an equivalent web application
+- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE
If the app meets the requirements, Microsoft works with the Independent Software Vendor (ISV) to test the app, and make sure the app works as expected on Windows 11 SE.
-When the app is ready, Microsoft will update you. Then, you add the app to the [Intune for Education portal](https://intuneeducation.portal.azure.com), and [assign](/intune-education/assign-apps) it to your Windows 11 SE devices.
+When the app is ready, Microsoft will update you. Then, you add the app to the Intune for Education portal, and assign it to your Windows 11 SE devices.
-For more information on Intune requirements for adding education apps, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1].
### 0x87D300D9 error with an app
When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
-- Make sure the app is on the [available apps list](#available-apps) (in this article). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-apps) (in this article).
-- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-apps) (in this article) and [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
-- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-apps) (in this article). Or, use an app that runs in a web browser, such as a web app or PWA.
+- Make sure the app is on the [available applications list](#available-applications). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-applications)
+- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-applications) and [Configure applications with Microsoft Intune][EDUWIN-1]
+- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
## Related articles
-- [Use Intune for Education to manage devices running Windows 11 SE](/intune-education/windows-11-se-overview)
+- [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2]
+
+[INT-1]: /intune-education/what-is-intune-for-education
+
+[EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps
+[EDUWIN-2]: /education/windows/tutorial-school-deployment/
+
+[WIN-1]: /windows/whats-new/windows-11-requirements
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index e654aff272..0dda7bbc35 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -8,7 +8,7 @@ ms.pagetype: mobile
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
-ms.date: 08/10/2022
+ms.date: 09/12/2022
ms.reviewer:
manager: aaroncz
appliesto:
@@ -25,26 +25,26 @@ This article lists the settings automatically configured. For more information o
The following table lists and describes the settings that can be changed by administrators.
-| Setting | Description |
-| --- | --- |
-| Block manual unenrollment | Default: Blocked
Users can't unenroll their devices from device management services.
[Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) |
-| Allow option to Show Network | Default: Allowed
Gives users the option to see the **Show Network** folder in File Explorer. |
-| Allow option to Show This PC | Default: Allowed
Gives user the option to see the **Show This PC** folder in File Explorer. |
-| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads
Gives user access to these folders. |
-| Set Allowed Storage Locations | Default: Blocks local drives and network drives
Blocks user access to these storage locations. |
-| Allow News and Interests | Default: Hide
Hides widgets. |
-| Disable advertising ID | Default: Disabled
Blocks apps from using usage data to tailor advertisements.
|
-| Enable App Install Control | Default: Turned On
Users can't download apps from the internet.
[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
-| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days
If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.
Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) |
+| Setting | Description | Default Value |
+| --- | --- | --- |
+| Block manual unenrollment | When blocked, users can't unenroll their devices from device management services.
[Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) | Blocked |
+| Allow option to Show Network | When allowed, it gives users the option to see the **Show Network** folder in File Explorer. | Allowed |
+| Allow option to Show This PC | When allowed, it gives users the option to see the **Show This PC** folder in File Explorer. | Allowed |
+| Set Allowed Folder location | Gives user access to these folders. | Default folders: Documents, Desktop, Pictures, and Downloads |
+| Set Allowed Storage Locations | Blocks user access to these storage locations. | Blocks local drives and network drives |
+| Allow News and Interests | Hides widgets. | Hide |
+| Disable advertising ID | Blocks apps from using usage data to tailor advertisements.
||
+| Enable App Install Control | When enabled, users can't download apps from the internet.
[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)| Enabled |
+| Configure Storage Sense Cloud Content Dehydration Threshold | If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.
[Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) | 30 days |
+| Allow Telemetry | With *Required Telemetry Only*, it sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.
[System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Required Telemetry Only |
+| Allow Experimentation | When disabled, Microsoft can't experiment with the product to study user preferences or device behavior.
[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) | Disabled |
+| Block external extensions | When blocked, in Microsoft Edge users can't install external extensions.
[BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) | Blocked |
+| Configure new tab page | Set the new tab page defaults to a specific url.
[Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) | `Office.com` |
+| Configure homepage | Set the Microsoft Edge's homepage default.
[HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) | `Office.com` |
+| Prevent SmartScreen prompt override | When enabled, in Microsoft Edge, users can't override Windows Defender SmartScreen warnings.
[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) | Enabled |
+| Wallpaper Image Customization | Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured |
+| Lock Screen Image Customization | Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured |
## Settings that can't be changed
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index b53f4a28bc..172f1e3c6c 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -63,7 +63,7 @@ For any other questions, contact [Microsoft Customer Service and Support](https:
## Related topics
- [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
-- [Windows deployment for education](./index.md)
+- [Windows deployment for education](./index.yml)
- [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths)
- [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10)
- [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client)
diff --git a/gdpr/docfx.json b/gdpr/docfx.json
deleted file mode 100644
index d786f46f58..0000000000
--- a/gdpr/docfx.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "author": "eross-msft",
- "ms.author": "lizross",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "gdpr",
- "markdownEngineName": "dfm"
- }
-}
\ No newline at end of file
diff --git a/mdop/docfx.json b/mdop/docfx.json
deleted file mode 100644
index 6ff865c683..0000000000
--- a/mdop/docfx.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/**.md",
- "**/**.yml"
- ],
- "exclude": [
- "**/obj/**"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/images/**"
- ],
- "exclude": [
- "**/obj/**"
- ]
- }
- ],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
- "ROBOTS": "INDEX, FOLLOW",
- "ms.technology": "windows",
- "audience": "ITPro",
- "manager": "dansimp",
- "ms.prod": "w10",
- "ms.author": "dansimp",
- "author": "dansimp",
- "ms.sitesec": "library",
- "ms.topic": "article",
- "ms.date": "04/05/2017",
- "feedback_system": "GitHub",
- "feedback_github_repo": "https://github.com/MicrosoftDocs/mdop-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "Win.mdop",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "Kellylorenebaker",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ],
- "titleSuffix": "Microsoft Desktop Optimization Pack"
- },
- "externalReference": [],
- "template": "op.html",
- "dest": "mdop",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 882b7e57ba..9922255c06 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -17,7 +17,7 @@ ms.date: 07/21/2021
# Acquire apps in Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
@@ -38,7 +38,7 @@ Some apps are free, and some have a price. Apps can be purchased in the Microsof
- Japan Commercial Bureau (JCB)
## Organization info
-There are a couple of things we need to know when you pay for apps. You can add this info to the **Account information** or **Payments & billing** page before you buy apps. If you haven’t provided it, we’ll ask when you make a purchase. Either way works. Here’s the info you’ll need to provide:
+There are a couple of things we need to know when you pay for apps. You can add this info to the **Account information** or **Payments & billing** page before you buy apps. If you haven't provided it, we'll ask when you make a purchase. Either way works. Here's the info you'll need to provide:
- Legal business address
- Payment option (credit card)
@@ -73,10 +73,10 @@ People in your org can request license for apps that they need, or that others n
3. Select the app you want to purchase.
4. On the product description page, choose your license type - either online or offline.
5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and select **Next**.
-6. If you don’t have a payment method saved in **Billing & payments**, we will prompt you for one.
+6. If you don't have a payment method saved in **Billing & payments**, we will prompt you for one.
7. Add your credit card or debit card info, and select **Next**. Your card info is saved as a payment option on **Billing & payments - Payment methods**.
-You’ll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](./update-microsoft-store-for-business-account-settings.md#organization-tax-information).
+You'll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](./update-microsoft-store-for-business-account-settings.md#organization-tax-information).
Microsoft Store adds the app to your inventory. From **Products & services**, you can:
- Distribute the app: add to private store, or assign licenses
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index 2ee659bb6b..01fcc41871 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -20,7 +20,7 @@ ms.localizationpriority: medium
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot).
@@ -136,11 +136,11 @@ Here's info on some of the errors you might see while working with Autopilot dep
| ---------- | ------------------- |
| wadp001 | Check your file, or ask your device partner for a complete .csv file. This file is missing Serial Number and Product Id info. |
| wadp002 | Check your file, or ask your device partner for updated hardware hash info in the .csv file. Hardware hash info is invalid in the current .csv file. |
-| wadp003 | Looks like you need more than one .csv file for your devices. The maximum allowed is 1,000 items. You’re over the limit! Divide this device data into multiple .csv files. |
+| wadp003 | Looks like you need more than one .csv file for your devices. The maximum allowed is 1,000 items. You're over the limit! Divide this device data into multiple .csv files. |
| wadp004 | Try that again. Something happened on our end. Waiting a bit might help. |
| wadp005 | Check your .csv file with your device provider. One of the devices on your list has been claimed by another organization. |
| wadp006 | Try that again. Something happened on our end. Waiting a bit might help. |
| wadp007 | Check the info for this device in your .csv file. The device is already registered in your organization. |
| wadp008 | The device does not meet Autopilot Deployment requirements. |
-| wadp009 | Check with your device provider for an update .csv file. The current file doesn’t work |
+| wadp009 | Check with your device provider for an update .csv file. The current file doesn't work |
| wadp010 | Try that again. Something happened on our end. Waiting a bit might help. |
\ No newline at end of file
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index d96d350d9d..58ca7bff3e 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -18,72 +18,70 @@ ms.date: 07/21/2021
# Add unsigned app to code integrity policy
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
>
-> Following are the major changes we are making to the service:
+> Following are the major changes we are making to the service:
+>
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/).
-> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
-> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
+> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
+> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
>
> The following functionality will be available via these PowerShell cmdlets:
+>
> - Get a CI policy
> - Sign a CI policy
-> - Sign a catalog
+> - Sign a catalog
> - Download root cert
-> - Download history of your signing operations
+> - Download history of your signing operations
>
-> For any questions, please contact us at DGSSMigration@microsoft.com.
-
+> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**
-- Windows 10
+- Windows 10
When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies.
-## In this section
-- [Create a code integrity policy based on a reference device](#create-ci-policy)
-- [Create catalog files for your unsigned app](#create-catalog-files)
-- [Catalog signing with Device Guard signing portal](#catalog-signing-device-guard-portal)
+## Create a code integrity policy based on a reference device
-## Create a code integrity policy based on a reference device
To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](/windows/device-security/device-guard/device-guard-deployment-guide).
-## Create catalog files for your unsigned app
+## Create catalog files for your unsigned app
+
Creating catalog files starts the process for adding an unsigned app to a code integrity policy.
Before you get started, be sure to review these best practices and requirements:
-**Requirements**
+### Requirements
- You'll use Package Inspector during this process.
- Only perform this process with a code integrity policy running in audit mode. You should not perform this process on a system running an enforced Device Guard policy.
-**Best practices**
+### Best practices
- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
-- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted.
+- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-a-code-integrity-policy-based-on-a-reference-device) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted.
Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app.
-**To create catalog files for your unsigned app**
+### To create catalog files for your unsigned app
-1. Start Package Inspector to scan the C drive.
+1. Start Package Inspector to scan the C drive.
`PackageInspector.exe Start C:`
-2. Copy the installation media to the C drive.
+2. Copy the installation media to the C drive.
Copying the installation media to the C drive ensures that Package Inspector finds and catalogs the installer. If you skip this step, the code integrity policy may trust the application to run, but not trust it to be installed.
-3. Install and start the app.
+3. Install and start the app.
All binaries that are used while Package Inspector is running will be part of the catalog files. After the installation, start the app and make sure that any product updates are installed and any downloadable content was found during the scan. Then, close and restart the app to make sure that the scan found all binaries.
-4. Stop the scan and create definition and catalog files.
+4. Stop the scan and create definition and catalog files.
After app install is complete, stop the Package Inspector scan and create catalog and definition files on your desktop.
@@ -99,17 +97,17 @@ The Package Inspector scan catalogs the hash values for each binary file that is
After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy.
-## Catalog signing with Device Guard signing portal
+## Catalog signing with Device Guard signing portal
To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business.
Catalog signing is a vital step to adding your unsigned apps to your code integrity policy.
-**To sign a catalog file with Device Guard signing portal**
+### To sign a catalog file with Device Guard signing portal
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
2. Click **Settings**, click **Store settings**, and then click **Device Guard**.
-3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files).
+3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files-for-your-unsigned-app).
4. After the files are uploaded, click **Sign** to sign the catalog files.
5. Click Download to download each item:
- signed catalog file
diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
index 3eb99b3802..c3dd51ee67 100644
--- a/store-for-business/app-inventory-management-microsoft-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md
index 4e4499a673..c721a02787 100644
--- a/store-for-business/apps-in-microsoft-store-for-business.md
+++ b/store-for-business/apps-in-microsoft-store-for-business.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education has thousands of apps from many different categories.
@@ -55,14 +55,14 @@ Line-of-business (LOB) apps are also supported using Microsoft Store. Admins can
Some apps offer you the option to make in-app purchases. In-app purchases are not currently supported for apps that are acquired through Microsoft Store and distributed to employees.
-If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization’s inventory.
+If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization's inventory.
## Licensing model: online and offline licenses
Microsoft Store supports two options to license apps: online and offline.
### Online licensing
-Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user’s Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
+Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user's Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
Distribution options for online-licensed apps include the ability to:
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index a718684e7e..b17921f3b5 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization.
diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md
index add114e633..64489e2d0d 100644
--- a/store-for-business/billing-payments-overview.md
+++ b/store-for-business/billing-payments-overview.md
@@ -18,7 +18,7 @@ manager: dansimp
# Billing and payments
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Access invoices and managed your payment methods.
diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md
index 284e5f8a87..866fc5fa17 100644
--- a/store-for-business/billing-profile.md
+++ b/store-for-business/billing-profile.md
@@ -18,7 +18,7 @@ manager: dansimp
# Understand billing profiles
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices.
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index 725ba3bd9f..70f8c3d15d 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -17,15 +17,15 @@ manager: dansimp
# Understand your Microsoft Customer Agreement invoice
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
-The invoice provides a summary of your charges and provides instructions for payment. It’s available for
+The invoice provides a summary of your charges and provides instructions for payment. It's available for
download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements).
## General invoice information
Invoices are your bill from Microsoft. A few things to note:
-- **Invoice schedule** - You’re invoiced on a monthly basis. You can find out which day of the month you receive invoices by checking invoice date under billing profile overview in [Microsoft Store for Business](https://businessstore.microsoft.com/manage/payments-billing/billing-profiles). Charges that occur between the end of the billing period and the invoice date are included in the next month's invoice, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**.
+- **Invoice schedule** - You're invoiced on a monthly basis. You can find out which day of the month you receive invoices by checking invoice date under billing profile overview in [Microsoft Store for Business](https://businessstore.microsoft.com/manage/payments-billing/billing-profiles). Charges that occur between the end of the billing period and the invoice date are included in the next month's invoice, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**.
- **Billing profile** - Billing profiles are created during your purchase. Invoices are created for each billing profile. Billing profiles let you customize what products are purchased, how you pay for them, and who can make purchases. For more information, see [Understand billing profiles](billing-profile.md)
- **Items included** - Your invoice includes total charges for all first and third-party software and hardware products purchased under a Microsoft Customer Agreement. That includes items purchased from Microsoft Store for Business and Azure Marketplace.
- **Charges** - Your invoice provides information about products purchased and their related charges and taxes. Purchases are aggregated to provide a concise view of your bill.
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 0249a8b606..151722f51a 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index dbccbf3bae..4c49b31308 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
@@ -30,7 +30,7 @@ ms.date: 07/21/2021
> Following are the major changes we are making to the service:
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
-> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
+> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
>
> The following functionality will be available via these PowerShell cmdlets:
> - Get a CI policy
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index c0ccce55a6..343c57ed38 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
index 723648db24..de94448f75 100644
--- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
+++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store.
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 38c26e9d99..0e41f26d57 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
@@ -46,7 +46,7 @@ MDM tool requirements:
## Distribute offline-licensed apps
-If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](./apps-in-microsoft-store-for-business.md#licensing-model).
+If your vendor doesn't support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](./apps-in-microsoft-store-for-business.md#licensing-model).
This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices.
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 5ee0219d23..e431ad264f 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -23,8 +23,8 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
-
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+>
Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
## Why offline-licensed apps?
diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md
index 9a624bd3c0..1ae93064e6 100644
--- a/store-for-business/find-and-acquire-apps-overview.md
+++ b/store-for-business/find-and-acquire-apps-overview.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 83186f8f8b..03852f5eee 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -21,12 +21,12 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
> [!IMPORTANT]
-> Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education. If you’ve already bought a paid app, you can still use it, but no new purchases will be possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you won’t be able to buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use the private store. Apps with a base price of “free” will still be available. This change doesn’t impact apps in the Microsoft Store on Windows 10.
+> Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education. If you've already bought a paid app, you can still use it, but no new purchases will be possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you won't be able to buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use the private store. Apps with a base price of "free" will still be available. This change doesn't impact apps in the Microsoft Store on Windows 10.
>
> Also starting April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education.
diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
index 35b33daedd..9983264ab6 100644
--- a/store-for-business/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
index bc995342eb..04e2434086 100644
--- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md
+++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**.
diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
index 14825fb5b5..4988dab4d4 100644
--- a/store-for-business/manage-orders-microsoft-store-for-business.md
+++ b/store-for-business/manage-orders-microsoft-store-for-business.md
@@ -17,7 +17,7 @@ manager: dansimp
# Manage app orders in Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds.
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index c6c6e4564c..87d79fbe9d 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -22,7 +22,7 @@ ms.localizationpriority: medium
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
index f271481d73..12534f788b 100644
--- a/store-for-business/manage-settings-microsoft-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
index 5253b14c06..a57e52bfd5 100644
--- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index fd4d4e8c20..f599c5cc61 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -20,7 +20,7 @@ manager: dansimp
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
@@ -129,7 +129,7 @@ Remove-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user
```
## Assign or reclaim a product with a .csv file
-You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for “Principal Names” (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module.
+You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for "Principal Names" (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module.
**To assign or reclaim seats in bulk:**
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index a3cab33039..06da85f98c 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -19,10 +19,10 @@ ms.date: 07/21/2021
**Applies to**
-- Windows 10
+- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
@@ -42,7 +42,7 @@ Organizations or schools of any size can benefit from using Microsoft Store for
- **Microsoft Store for Education** – Apps acquired from Microsoft Store for Education
- **Office 365** – Subscriptions
- **Volume licensing** - Apps purchased with volume licensing
-- **Private store** - Create a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices.
+- **Private store** - Create a private store for your business that's easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices.
- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
- Distribute through Microsoft Store services. You can assign apps to individual employees, or make apps available to all employees in your private store.
- Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
@@ -68,7 +68,7 @@ Microsoft Azure Active Directory (AD) accounts for your employees:
- Employees need Azure AD account when they access Store for Business content from Windows devices.
- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
- For offline-licensed apps, Azure AD accounts are not required for employees.
-- Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don’t have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education.
+- Admins can add or remove user accounts in the Microsoft 365 admin center, even if you don't have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education.
For more information on Azure AD, see [About Office 365 and Azure Active Directory](/previous-versions//dn509517(v=technet.10)), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
@@ -83,7 +83,7 @@ While not required, you can use a management tool to distribute and manage apps.
## Sign up!
-The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we’ll quickly create an account for you. You must be a Global Administrator for your organization.
+The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we'll quickly create an account for you. You must be a Global Administrator for your organization.
## Set up
@@ -101,7 +101,7 @@ After your admin signs up for the Store for Business and Education, they can ass
In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md).
-Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with Store for Business and Education.
+Also, if your organization plans to use a management tool, you'll need to configure your management tool to sync with Store for Business and Education.
## Get apps and content
@@ -128,7 +128,7 @@ App distribution is handled through two channels, either through the Microsoft S
**Distribute with Store for Business and Education**:
- Email link – After purchasing an app, Admins can send employees a link in an email message. Employees can click the link to install the app.
-- Curate private store for all employees – A private store can include content you’ve purchased from Microsoft Store for Business, and your line-of-business apps that you’ve submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
+- Curate private store for all employees – A private store can include content you've purchased from Microsoft Store for Business, and your line-of-business apps that you've submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
- To use the options above users must be signed in with an Azure AD account on a Windows 10 device. Licenses are assigned as individuals install apps.
**Using a management tool** – For larger organizations that want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index dd8d1a7d29..916cb00349 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -24,7 +24,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store.
@@ -32,9 +32,9 @@ Microsoft Store for Business and Microsoft Store for Education use a set of noti
| Store area | Notification message | Customer impact |
| ---------- | -------------------- | --------------- |
-| General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. |
-| Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. |
-| Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. |
-| Private store | We’re on it. Something happened on our end with your organization’s private store. People in your organization can’t download apps right now. We’re working to fix the problem. | People in your organization might not be able to view the private store, or get apps. |
-| Acquisition and licensing | We’re on it. People in your org might not be able to install or use certain apps. We’re working to fix the problem. | People in your org might not be able to claim a license from your private store. |
-| Partner | We’re on it. Something happened on our end with Find a Partner. We’re working to fix the problem. | You might not be able to search for a partner. |
+| General | We're on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. |
+| Manage | We're on it. Something happened on our end with management for apps and software. We're working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. |
+| Shop | We're on it. Something happened on our end with purchasing. We're working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. |
+| Private store | We're on it. Something happened on our end with your organization's private store. People in your organization can't download apps right now. We're working to fix the problem. | People in your organization might not be able to view the private store, or get apps. |
+| Acquisition and licensing | We're on it. People in your org might not be able to install or use certain apps. We're working to fix the problem. | People in your org might not be able to claim a license from your private store. |
+| Partner | We're on it. Something happened on our end with Find a Partner. We're working to fix the problem. | You might not be able to search for a partner. |
diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md
index 43f09a403e..1ccc6c81fd 100644
--- a/store-for-business/payment-methods.md
+++ b/store-for-business/payment-methods.md
@@ -18,7 +18,7 @@ manager: dansimp
# Payment methods
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards:
- VISA
@@ -54,4 +54,4 @@ Once you select **Add**, the information you provided will be validated with a t
Once you click **Update**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
> [!NOTE]
-> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance.
+> Certain actions, like updating or adding a payment option, require temporary "test authorization" transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance.
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 2b8ea7784d..99e6061d97 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index a4f1f93a78..4ced84898d 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -16,7 +16,7 @@ manager: dansimp
# Microsoft Store for Business and Education release history
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
@@ -39,13 +39,13 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store
- **Immersive Reader app available in Microsoft Store for Education** - This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it.
## April 2018
-- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.
+- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We'll figure out who's in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we'll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.
- **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections.
- **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period.
## March 2018
- **Performance improvements in private store** - We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. [Get more info](./manage-private-store-settings.md#private-store-performance)
-- **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results.
+- **Private store collection updates** - We've made it easier to find apps when creating private store collections – now you can search and filter results.
[Get more info](./manage-private-store-settings.md#private-store-collections)
- **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings.
- **Upgrade Microsoft 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 for business subscription to a Microsoft 365 for business subscription.
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index d04d9e5277..83baa7d2d3 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
index 442ff303d1..3bbc577f09 100644
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -18,7 +18,7 @@ ms.date: 07/21/2021
# Settings reference: Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.
diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
index d7f05fb986..5de355b03c 100644
--- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
+++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
@@ -18,7 +18,7 @@ ms.date: 07/21/2021
# Sign code integrity policy with Device Guard signing
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
@@ -27,7 +27,7 @@ ms.date: 07/21/2021
> Following are the major changes we are making to the service:
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
-> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
+> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
>
> The following functionality will be available via these PowerShell cmdlets:
> - Get a CI policy
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index c51e8f7899..5303f4a421 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps.
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index febe7110b0..48cfe3c2fc 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Troubleshooting topics for Microsoft Store for Business.
diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md
index edc1a362da..55f5f4fc07 100644
--- a/store-for-business/update-microsoft-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@@ -18,7 +18,7 @@ manager: dansimp
# Update Billing account settings
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
A billing account contains defining information about your organization.
@@ -35,9 +35,9 @@ We need your business address, email contact, and tax-exemption certificates tha
Before purchasing apps that have a fee, you need to add or update your organization's business address, contact email address, and contact name.
-We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase.
+We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we'll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don't have an address, we'll ask you to enter it during your first purchase.
-We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store.
+We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization's Office 365 or Azure AD tenant that is used with Microsoft Store.
**To update billing account information**
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
@@ -100,7 +100,7 @@ If you qualify for tax-exempt status in your market, start a service request to
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
2. Select **Manage**, click **Support**, and then under **Store settings & configuration** select **Create technical support ticket**.
-You’ll need this documentation:
+You'll need this documentation:
|Country or locale | Documentation |
|------------------|----------------|
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 4b0cd1e47d..86cbbe0beb 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -16,7 +16,7 @@ manager: dansimp
# What's new in Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education regularly releases new and improved features.
@@ -35,13 +35,13 @@ Microsoft Store for Business and Education regularly releases new and improved f
## Previous releases and updates
@@ -97,4 +97,4 @@ We’ve been working on bug fixes and performance improvements to provide you a
- Manage prepaid Office 365 subscriptions
- Manage Office 365 subscriptions acquired by partners
- Edge extensions in Microsoft Store
-- Search results in Microsoft Store for Business
\ No newline at end of file
+- Search results in Microsoft Store for Business
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 9478fd004c..de2e4d050a 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -19,89 +19,93 @@ ms.date: 07/21/2021
**Applies to**
-- Windows 10
+- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
+> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry.
Developers within your organization, or ISVs that you invite, can become LOB publishers and submit apps to Microsoft Store for your company or school. Once an LOB publisher submits an app for your company, the app is only available to your company. LOB publishers submit apps through the Windows Dev Center using the same process as all apps that are in Microsoft Store, and then can be managed or deployed using the same process as any other app that has been acquired through Microsoft Store.
-One advantage of making apps available through Microsoft Store for Business is that the app has been signed by Microsoft Store, and uses the standard Microsoft Store policies. For organizations that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](/windows/application-management/sideload-apps-in-windows-10) is also supported on Windows 10.
+One advantage of making apps available through Microsoft Store for Business is that the app has been signed by Microsoft Store, and uses the standard Microsoft Store policies. For organizations that can't submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](/windows/application-management/sideload-apps-in-windows-10) is also supported on Windows 10.
-## Adding LOB apps to your private store
+## Adding LOB apps to your private store
Admins and ISVs each own different parts of the process for getting LOB apps created, submitted, and deployed to your employees or students. Admins use Microsoft Store for Business or Microsoft Store for Education portal; ISVs or devs use the Windows Dev center on MSDN.
-Here’s what’s involved:
-- Microsoft Store for Business admin invites a developer or ISV to become an LOB publisher for your company.
-- LOB publisher develops and submits app to Microsoft Store, tagging the app so it is only available to your company.
-- Microsoft Store for Business admin accepts the app and can distribute the app to employees in your company.
+Here's what's involved:
+
+- Microsoft Store for Business admin invites a developer or ISV to become an LOB publisher for your company.
+- LOB publisher develops and submits app to Microsoft Store, tagging the app so it is only available to your company.
+- Microsoft Store for Business admin accepts the app and can distribute the app to employees in your company.
You'll need to set up:
-- Your company needs to be signed up with Microsoft Store for Business or Microsoft Store for Education.
-- LOB publishers need to have an active developer account. To learn more about account options, see [Ready to sign up](https://go.microsoft.com/fwlink/p/?LinkId=623432).
-- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
+
+- Your company needs to be signed up with Microsoft Store for Business or Microsoft Store for Education.
+- LOB publishers need to have an active developer account. To learn more about account options, see [Ready to sign up](https://go.microsoft.com/fwlink/p/?LinkId=623432).
+- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
The process and timing look like this:
-## Add an LOB publisher (Admin)
+## Add an LOB publisher (Admin)
+
Admins need to invite developer or ISVs to become an LOB publisher.
-**To invite a developer to become an LOB publisher**
+### To invite a developer to become an LOB publisher
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
2. Click **Manage**, click **Permissions**, and then choose **Line-of-business publishers**.
3. On the Line-of business publishers page, click **Invite** to send an email invitation to a developer.
-
+
>[!Note]
> This needs to be the email address listed in contact info for the developer account.
-## Submit apps (LOB publisher)
+## Submit apps (LOB publisher)
The developer receives an email invite to become an LOB publisher for your company. Once they accept the invite, they can log in to the Windows Dev Center to create an app submission for your company. The info here assumes that devs or ISVs have an active developer account.
After an app is published and available in the Store, ISVs publish an updated version by creating another submission in their dashboard. Creating a new submission allows the ISV to make the changes required to create a LOB app for your company. To learn more about updates to an app submission, see [App submissions](/windows/uwp/publish/app-submissions) and [Distributing LOB apps to enterprises](/windows/uwp/publish/distribute-lob-apps-to-enterprises).
-**To create a new submission for an app**
+## To create a new submission for an app
-1. Sign in to the [Windows Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=623486), go to your Dashboard, and click the app you want to make available as an LOB app.
-2. On the App overview page, under **Action**, click **Update**.
+1. Sign in to the [Windows Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=623486), go to your Dashboard, and click the app you want to make available as an LOB app.
+2. On the App overview page, under **Action**, click **Update**.
-OR-
Submit your app following the guidelines in [App submissions](/windows/uwp/publish/app-submissions). Be sure to completed steps 3 and 4 when you set app pricing and availability options.
-3. On the **Pricing and availability** page, under **Distribution and visibility**, click **Line-of-business (LOB) distribution**, and then choose the enterprise(s) who will get the LOB app. No one else will have access to the app.
-4. Under **Organizational licensing**, click **Show options**.
+3. On the **Pricing and availability** page, under **Distribution and visibility**, click **Line-of-business (LOB) distribution**, and then choose the enterprise(s) who will get the LOB app. No one else will have access to the app.
+4. Under **Organizational licensing**, click **Show options**.
Organizational licensing options apply to all apps, not just LOB apps:
- - **Store-managed (online) volume licensing** - This is required. You must select this item to make your app available as an a LOB app. By default, it will be selected. This won't make the app available to anyone outside of the enterprise(s) that you selected in **Distribution and visibility**.
+ - **Store-managed (online) volume licensing** - This is required. You must select this item to make your app available as an a LOB app. By default, it will be selected. This won't make the app available to anyone outside of the enterprise(s) that you selected in **Distribution and visibility**.
- - **Disconnected (offline) licensing** - This is optional for LOB apps.
+ - **Disconnected (offline) licensing** - This is optional for LOB apps.
-5. Click **Save** to save your changes and start the app submission process.
+5. Click **Save** to save your changes and start the app submission process.
+
+For more information, see [Organizational licensing options]( https://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](/windows/uwp/publish/distribute-lob-apps-to-enterprises).
-For more information, see [Organizational licensing options]( https://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](/windows/uwp/publish/distribute-lob-apps-to-enterprises).
-
>[!Note]
> In order to get the LOB app, the organization must be located in a [supported market](./microsoft-store-for-business-overview.md#supported-markets), and you must not have excluded that market when submitting your app.
-## Add app to inventory (admin)
+## Add app to inventory (admin)
After an ISV submits the LOB app for your company or school, someone with Microsoft Store for Business and Education admin permissions needs to accept the app.
-**To add the LOB app to your inventory**
+### To add the LOB app to your inventory
-1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
-2. Click **Manage**, click **Products & services**, and then choose **New LOB apps**.
-3. Click the ellipses under **Action** for the app you want to add to your inventory, and then choose **Add to inventory**.
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
+2. Click **Manage**, click **Products & services**, and then choose **New LOB apps**.
+3. Click the ellipses under **Action** for the app you want to add to your inventory, and then choose **Add to inventory**.
After you add the app to your inventory, you can choose how to distribute the app. For more information, see:
-- [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md)
-- [Distribute apps from your private store](distribute-apps-from-your-private-store.md)
-- [Assign apps to employees](assign-apps-to-employees.md)
-- [Distribute offline apps](distribute-offline-apps.md)
\ No newline at end of file
+
+- [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md)
+- [Distribute apps from your private store](distribute-apps-from-your-private-store.md)
+- [Assign apps to employees](assign-apps-to-employees.md)
+- [Distribute offline apps](distribute-offline-apps.md)
diff --git a/template.md b/template.md
index 84c08cc7de..c5f9f794d8 100644
--- a/template.md
+++ b/template.md
@@ -28,7 +28,7 @@ When you create a new markdown file article, **Save as** this template to a new
## Metadata
-The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
+The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.learn.microsoft.com/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
- You _must_ have a space between the colon (`:`) and the value for a metadata element.
@@ -65,7 +65,7 @@ The full metadata block is above the markdown between the `---` lines. For more
All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
-- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main)
+- [Docs Markdown reference in the Contributor Guide](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main)
- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
- [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
@@ -79,7 +79,7 @@ Second-level headings (`##`, also known as H2) generate the on-page TOC that app
Limit the length of second-level headings to avoid excessive line wraps.
-Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
+Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
@@ -111,7 +111,7 @@ _Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps di
>
> It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
-For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
+For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
### Article in the same repo
@@ -149,7 +149,7 @@ There's a broken link report that runs once a week in the build system, get the
Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
-For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
+For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
## Lists
@@ -289,4 +289,4 @@ Always include alt text for accessibility, and always end it with a period.
## docs.ms extensions
> [!div class="nextstepaction"]
-> [Next step action](/mem/configmgr)
+> [Microsoft Endpoint Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
deleted file mode 100644
index 35b82f4d89..0000000000
--- a/windows/access-protection/docfx.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg",
- "**/*.gif"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows",
- "audience": "ITPro",
- "ms.topic": "article",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.win-access-protection",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "win-access-protection",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 88a99ecd24..0c2d4413bb 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -21,6 +21,7 @@
"files": [
"**/*.png",
"**/*.jpg",
+ "**/*.svg",
"**/*.gif"
],
"exclude": [
@@ -36,10 +37,10 @@
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
- "audience": "ITPro",
"ms.topic": "article",
- "ms.author": "elizapo",
- "feedback_system": "None",
+ "feedback_system": "GitHub",
+ "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-app-management",
@@ -58,7 +59,11 @@
],
"searchScope": ["Windows 10"]
},
- "fileMetadata": {},
+ "fileMetadata": {
+ "feedback_system": {
+ "app-v/**/*.*": "None"
+ }
+ },
"template": [],
"dest": "win-app-management",
"markdownEngineName": "markdig"
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
deleted file mode 100644
index e0270672bb..0000000000
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10/11)
-description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises.
-ms.reviewer:
-author: nicholasswhite
-ms.author: nwhite
-manager: aaroncz
-ms.prod: w10
-ms.localizationpriority: medium
-ms.topic: article
----
-
-# Enable or block Windows Mixed Reality apps in enterprises
-
-[!INCLUDE [Applies to Windows client versions](./includes/applies-to-windows-client-versions.md)]
-
-
-[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows client needs a new feature, it can request the feature package from Windows Update.
-
-Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable-windows-mixed-reality-in-wsus). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block-the-mixed-reality-portal).
-
-## Enable Windows Mixed Reality in WSUS
-
-1. [Check your version of Windows.](https://support.microsoft.com/help/13443/windows-which-operating-system)
-
- >[!NOTE]
- >You must be on at least Windows 10, version 1709, to run Windows Mixed Reality.
-
-2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
-
- 1. Download the FOD .cab file:
-
- - [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab)
- - [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- - [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab)
- - [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab)
- - [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- - [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab)
-
- > [!NOTE]
- > You must download the FOD .cab file that matches your operating system version.
-
- 1. Use `Dism` to add Windows Mixed Reality FOD to the image.
-
- ```powershell
- Dism /Online /Add-Package /PackagePath:(path)
- ```
-
- > [!NOTE]
- > On Windows 10 and 11, you must rename the FOD .CAB file to: **Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab**
-
- 1. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**.
-
-
-IT admins can also create [Side by side feature store (shared folder)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127275(v=ws.11)) to allow access to the Windows Mixed Reality FOD.
-
-## Block the Mixed Reality Portal
-
-You can use the [AppLocker configuration service provider (CSP)](/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software.
-
-In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
-
-```xml
-
-
-
- $CmdID$
-
-
- ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
-
-
- chr
- text/plain
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- >
-
-
-
-
-
-
-```
-
-
-## Related articles
-
-- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality)
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index 6c35dc70a8..21740e86df 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -21,6 +21,7 @@
"files": [
"**/*.png",
"**/*.jpg",
+ "**/*.svg",
"**/*.gif"
],
"exclude": [
diff --git a/windows/client-management/images/quick-assist-get.png b/windows/client-management/images/quick-assist-get.png
new file mode 100644
index 0000000000..fc7ccdd1a4
Binary files /dev/null and b/windows/client-management/images/quick-assist-get.png differ
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index 022820d4e9..9f828bd150 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -44,6 +44,3 @@ You can use the same management tools to manage all device types running Windows
[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
-
-Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/learn/)
-
\ No newline at end of file
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index 7c8c46580d..a78fb7d156 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -18,8 +18,8 @@ ms.topic: article
- Windows 11
- Windows Server 2022
-
## Summary
+
By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
## Introduction
@@ -60,7 +60,6 @@ It's more difficult for users to make unauthorized copies of company data if use
You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion.
-
## Scenario Overview
The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
@@ -90,7 +89,6 @@ This scenario, although similar to scenario #2, brings another layer of complexi
In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
-
## Technology Review
The following sections provide a brief overview of the core technologies discussed in this guide and give background information that is necessary to understand the scenarios.
@@ -126,14 +124,14 @@ Hardware IDs are the identifiers that provide the exact match between a device a
Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
-When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library.
+When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device).
> [!NOTE]
> For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.
Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.
-When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs.
+When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see [Device identification strings](/windows-hardware/drivers/install/device-identification-strings).
#### Device setup classes
@@ -143,7 +141,7 @@ When you use device Classes to allow or prevent users from installing drivers, y
For example, a multi-function device, such as an all-in-one scanner/fax/printer, has a GUID for a generic multi-function device, a GUID for the printer function, a GUID for the scanner function, and so on. The GUIDs for the individual functions are "child nodes" under the multi-function device GUID. To install a child node, Windows must also be able to install the parent node. You must allow installation of the device setup class of the parent GUID for the multi-function device in addition to any child GUIDs for the printer and scanner functions.
-For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs.
+For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes).
This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
@@ -154,14 +152,13 @@ The following two links provide the complete list of Device Setup Classes. ‘Sy
#### ‘Removable Device’ Device type
-Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
-
+Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
### Group Policy Settings for Device Installation
Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
-Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see Group Policy Object Editor Technical Reference.
+Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see [Group Policy Object Editor](/previous-versions/windows/desktop/Policy/group-policy-object-editor).
The following passages are brief descriptions of the Device Installation policies that are used in this guide.
@@ -210,12 +207,9 @@ This policy setting will change the evaluation order in which Allow and Prevent
> If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
-
+
 _Device Installation policies flow chart_
-
-
-
## Requirements for completing the scenarios
### General
@@ -259,7 +253,7 @@ To find device identification strings using Device Manager
3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
4. Find the “Printers” section and find the target printer
-
+
 _Selecting the printer in Device Manager_
5. Double-click the printer and move to the ‘Details’ tab.
@@ -273,7 +267,7 @@ To find device identification strings using Device Manager
 _HWID and Compatible ID_
> [!TIP]
- > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs.
+ > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil).
### Getting device identifiers using PnPUtil
@@ -316,7 +310,7 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
+2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters
@@ -333,7 +327,7 @@ Getting the right device identifier to prevent it from being installed:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
-3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
+3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
> Printers\
> Class = Printer\
@@ -347,7 +341,7 @@ Creating the policy to prevent all printers from being installed:
1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
-2. Navigate to the Device Installation Restriction page:
+2. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
@@ -625,12 +619,12 @@ These devices are internal devices on the machine that define the USB port conne
> [!IMPORTANT]
> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list:
->
-> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
+>
+> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
> USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
> USB\USB20_HUB (for Generic USB Hubs)/
->
-> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.
+>
+> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.
>
> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 948207dc6d..d4a2294c65 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -18,13 +18,13 @@ The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
-|Pro|No|Yes|
-|Windows SE|No|Yes|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
|Business|No|No|
-|Enterprise|No|Yes|
-|Education|No|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
-The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
+The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](/powershell/module/languagepackmanagement) PowerShell module.
1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:
@@ -95,4 +95,4 @@ The Language Pack Management CSP allows a direct way to provision languages remo
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index d447311a4e..2623c3d235 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -52,8 +52,11 @@ Available naming macros:
|Macro|Description|Example|Generated Name|
|:---|:---|:---|:---|
-|%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456|
-|%SERIAL%|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|Test-Device-%SERIAL%|Test-Device-456|
+|`%RAND:#%`|Generates the specified number (`#`) of random digits.|`Test%RAND:6%`|`Test123456`|
+|`%SERIAL%`|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|`Test-Device-%SERIAL%`|`Test-Device-456`|
+
+> [!NOTE]
+> If you use these naming macros, a unique name isn't guaranteed. The generated name may still be duplicated. To reduce the likelihood of a duplicated device name, use `%RAND:#%` with a large number. With the understanding that the maximum device name is 15 characters.
Supported operation is Add.
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 97ff6341d2..1334adc13d 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -754,7 +754,7 @@ ADMX Info:
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker.
-The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs.
+The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan).
In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
@@ -843,7 +843,7 @@ ADMX Info:
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
-The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs.
+The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan).
In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 62eca97eea..b67e4c78ef 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -531,6 +531,18 @@ Additional lists:
+
+[Local Administrator Password Solution CSP](laps-csp.md)
+
+
+
+|Home|Pro|Business|Enterprise|Education|
+|--- |--- |--- |--- |--- |
+|Yes|Yes|Yes|Yes|Yes|
+
+
+
+
[MultiSIM CSP](multisim-csp.md)
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index c900b41939..72be68417e 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -1,7 +1,7 @@
---
title: DeviceStatus CSP
description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -71,12 +71,14 @@ DeviceStatus
--------VirtualizationBasedSecurityHwReq
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
+----CertAttestation
+--------MDMClientCertAttestation
```
-**DeviceStatus**
+**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
-**DeviceStatus/SecureBootState**
+**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following values:
- 0 - Not supported
@@ -85,67 +87,67 @@ Indicates whether secure boot is enabled. The value is one of the following valu
Supported operation is Get.
-**DeviceStatus/CellularIdentities**
+**DeviceStatus/CellularIdentities**
Required. Node for queries on the SIM cards.
>[!NOTE]
>Multiple SIMs are supported.
-**DeviceStatus/CellularIdentities/***IMEI*
+**DeviceStatus/CellularIdentities/***IMEI*
The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device.
-**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
+**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
+**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
+**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
Phone number associated with the specific IMEI number.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
+**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
The mobile service provider or mobile operator associated with the specific IMEI number.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
+**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
Indicates whether the SIM card associated with the specific IMEI number is roaming.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
+**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
Boolean value that indicates compliance with the enforced enterprise roaming policy.
Supported operation is Get.
-**DeviceStatus/NetworkIdentifiers**
+**DeviceStatus/NetworkIdentifiers**
Node for queries on network and device properties.
-**DeviceStatus/NetworkIdentifiers/***MacAddress*
+**DeviceStatus/NetworkIdentifiers/***MacAddress*
MAC address of the wireless network card. A MAC address is present for each network card on the device.
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
+**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
IPv4 address of the network card associated with the MAC address.
Supported operation is Get.
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
+**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
IPv6 address of the network card associated with the MAC address.
Supported operation is Get.
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
+**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
Boolean value that indicates whether the network card associated with the MAC address has an active network connection.
Supported operation is Get.
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
+**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following values:
- 2 - WLAN (or other Wireless interface)
@@ -154,10 +156,10 @@ Type of network connection. The value is one of the following values:
Supported operation is Get.
-**DeviceStatus/Compliance**
+**DeviceStatus/Compliance**
Node for the compliance query.
-**DeviceStatus/Compliance/EncryptionCompliance**
+**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
- 0 - Not encrypted
@@ -165,42 +167,42 @@ Boolean value that indicates compliance with the enterprise encryption policy fo
Supported operation is Get.
-**DeviceStatus/TPM**
+**DeviceStatus/TPM**
Added in Windows, version 1607. Node for the TPM query.
Supported operation is Get.
-**DeviceStatus/TPM/SpecificationVersion**
+**DeviceStatus/TPM/SpecificationVersion**
Added in Windows, version 1607. String that specifies the specification version.
Supported operation is Get.
-**DeviceStatus/OS**
+**DeviceStatus/OS**
Added in Windows, version 1607. Node for the OS query.
Supported operation is Get.
-**DeviceStatus/OS/Edition**
+**DeviceStatus/OS/Edition**
Added in Windows, version 1607. String that specifies the OS edition.
Supported operation is Get.
-**DeviceStatus/OS/Mode**
+**DeviceStatus/OS/Mode**
Added in Windows, version 1803. Read only node that specifies the device mode.
-Valid values:
+Valid values:
- 0 - The device is in standard configuration.
- 1 - The device is in S mode configuration.
Supported operation is Get.
-**DeviceStatus/Antivirus**
+**DeviceStatus/Antivirus**
Added in Windows, version 1607. Node for the antivirus query.
Supported operation is Get.
-**DeviceStatus/Antivirus/SignatureStatus**
+**DeviceStatus/Antivirus/SignatureStatus**
Added in Windows, version 1607. Integer that specifies the status of the antivirus signature.
Valid values:
@@ -218,7 +220,7 @@ If more than one antivirus provider is active, this node returns:
This node also returns 0 when no antivirus provider is active.
-**DeviceStatus/Antivirus/Status**
+**DeviceStatus/Antivirus/Status**
Added in Windows, version 1607. Integer that specifies the status of the antivirus.
Valid values:
@@ -231,12 +233,12 @@ Valid values:
Supported operation is Get.
-**DeviceStatus/Antispyware**
+**DeviceStatus/Antispyware**
Added in Windows, version 1607. Node for the anti-spyware query.
Supported operation is Get.
-**DeviceStatus/Antispyware/SignatureStatus**
+**DeviceStatus/Antispyware/SignatureStatus**
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
Valid values:
@@ -254,7 +256,7 @@ If more than one anti-spyware provider is active, this node returns:
This node also returns 0 when no anti-spyware provider is active.
-**DeviceStatus/Antispyware/Status**
+**DeviceStatus/Antispyware/Status**
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
Valid values:
@@ -266,12 +268,12 @@ Valid values:
Supported operation is Get.
-**DeviceStatus/Firewall**
+**DeviceStatus/Firewall**
Added in Windows, version 1607. Node for the firewall query.
Supported operation is Get.
-**DeviceStatus/Firewall/Status**
+**DeviceStatus/Firewall/Status**
Added in Windows, version 1607. Integer that specifies the status of the firewall.
Valid values:
@@ -284,75 +286,75 @@ Valid values:
Supported operation is Get.
-**DeviceStatus/UAC**
+**DeviceStatus/UAC**
Added in Windows, version 1607. Node for the UAC query.
Supported operation is Get.
-**DeviceStatus/UAC/Status**
+**DeviceStatus/UAC/Status**
Added in Windows, version 1607. Integer that specifies the status of the UAC.
Supported operation is Get.
-**DeviceStatus/Battery**
+**DeviceStatus/Battery**
Added in Windows, version 1607. Node for the battery query.
Supported operation is Get.
-**DeviceStatus/Battery/Status**
+**DeviceStatus/Battery/Status**
Added in Windows, version 1607. Integer that specifies the status of the battery
Supported operation is Get.
-**DeviceStatus/Battery/EstimatedChargeRemaining**
+**DeviceStatus/Battery/EstimatedChargeRemaining**
Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
-**DeviceStatus/Battery/EstimatedRuntime**
+**DeviceStatus/Battery/EstimatedRuntime**
Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
-**DeviceStatus/DomainName**
+**DeviceStatus/DomainName**
Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string.
Supported operation is Get.
-**DeviceStatus/DeviceGuard**
+**DeviceStatus/DeviceGuard**
Added in Windows, version 1709. Node for Device Guard query.
Supported operation is Get.
-**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
+**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask.
- 0x0: System meets hardware configuration requirements
-- 0x1: SecureBoot required
+- 0x1: SecureBoot required
- 0x2: DMA Protection required
- 0x4: HyperV not supported for Guest VM
- 0x8: HyperV feature isn't available
Supported operation is Get.
-**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
+**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
- 0 - Running
-- 1 - Reboot required
-- 2 - 64-bit architecture required
-- 3 - Not licensed
-- 4 - Not configured
-- 5 - System doesn't meet hardware requirements
+- 1 - Reboot required
+- 2 - 64-bit architecture required
+- 3 - Not licensed
+- 4 - Not configured
+- 5 - System doesn't meet hardware requirements
- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
Supported operation is Get.
-**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
+**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
Added in Windows, version 1709. Local System Authority (LSA) credential guard status.
- 0 - Running
@@ -363,6 +365,11 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
Supported operation is Get.
+**DeviceStatus/CertAttestation/MDMClientCertAttestation**
+Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields.
+
+Supported operation is Get.
+
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index 9019f6a5b9..f081bf1262 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -1,7 +1,7 @@
---
title: DeviceStatus DDF
description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -25,862 +25,904 @@ The XML below is for Windows 10, version 1803.
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[]>
- 1.2
-
+ 1.2
+ DeviceStatus./Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
- com.microsoft/1.4/MDM/DeviceStatus
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.4/MDM/DeviceStatus
+
- SecureBootState
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CellularIdentities
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ SecureBootState
-
-
-
-
-
-
-
-
-
-
-
-
- IMEI
-
-
-
-
-
- IMSI
-
-
+
-
+
-
+
-
+
- text/plain
+ text/plain
-
-
-
- ICCID
-
+
+
+
+ CellularIdentities
+
-
+
-
+
-
+
-
+
- text/plain
+
-
-
-
- PhoneNumber
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CommercializationOperator
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoamingStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoamingCompliance
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- NetworkIdentifiers
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- MacAddress
-
-
-
- IPAddressV4
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IMEI
+
+
+
+
+
+ IMSI
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ICCID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PhoneNumber
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CommercializationOperator
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RoamingStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RoamingCompliance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+ NetworkIdentifiers
+
-
+
-
+
-
+
-
+
- text/plain
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MacAddress
+
+
+
+
+
+ IPAddressV4
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IPAddressV6
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsConnected
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Type
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+ Compliance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EncryptionCompliance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ TPM
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SpecificationVersion
+
+
+
+
+ Not available
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ OS
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Edition
+
+
+
+
+ Not available
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
- IPAddressV6
-
+ Mode
+
+
+
+
+ Not available
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Antivirus
+
-
+
-
+
-
+
-
+
- text/plain
+
-
+
+
+ SignatureStatus
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
- IsConnected
-
+ Status
+
+
+
+
+ 3
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Antispyware
+
-
+
-
+
-
+
-
+
- text/plain
+
-
+
+
+ SignatureStatus
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
- Type
-
+ Status
+
+
+
+
+ 3
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Firewall
+
-
+
-
+
-
+
-
+
- text/plain
+
-
+
+
+ Status
+
+
+
+
+ 3
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
-
- Compliance
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- EncryptionCompliance
+ UAC
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+ Status
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
- TPM
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SpecificationVersion
+ Battery
-
-
-
- Not available
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+ Status
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EstimatedChargeRemaining
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EstimatedRuntime
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
- OS
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Edition
+ DomainName
-
-
-
- Not available
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+ Returns the fully qualified domain name of the device(if any).
+
+
+
+
+
+
+
+
+
+ DomainName
+
+ text/plain
+
-
-
- Mode
-
-
-
-
- Not available
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
- Antivirus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SignatureStatus
+ DeviceGuard
-
-
-
- 1
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
- Status
-
-
-
-
- 3
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+
+ VirtualizationBasedSecurityHwReq
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ VirtualizationBasedSecurityStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LsaCfgCredGuardStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
- Antispyware
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SignatureStatus
+ CertAttestation
-
-
-
- 1
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+ Node for Certificate Attestation
+
+
+
+
+
+
+
+
+
+
+
+
-
-
- Status
-
-
-
-
- 3
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+
+ MDMClientCertAttestation
+
+
+
+
+ MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- Firewall
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Status
-
-
-
-
- 3
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- UAC
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Status
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Battery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Status
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EstimatedChargeRemaining
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EstimatedRuntime
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- DomainName
-
-
-
-
- Returns the fully qualified domain name of the device(if any).
-
-
-
-
-
-
-
-
-
- DomainName
-
- text/plain
-
-
-
-
- DeviceGuard
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- VirtualizationBasedSecurityHwReq
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- VirtualizationBasedSecurityStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LsaCfgCredGuardStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
+
```
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 119d455dec..aea55b2259 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -565,7 +565,7 @@ The data type is string.
Default string is as follows:
-`https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
+`https://learn.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
Add **SDDL**
@@ -1677,4 +1677,4 @@ To read a log file:
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 379b38b3fe..30dddf70ca 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -2028,7 +2028,7 @@ The content below are the latest versions of the DDF files:
- SDDL String controlling access to the channel. Default: https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype
+ SDDL String controlling access to the channel. Default: https://learn.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype
@@ -2178,9 +2178,3 @@ The content below are the latest versions of the DDF files:
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index b7a2a1544c..6395d0f9f3 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -219,7 +219,7 @@ Requirements:
4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
-5. Copy the PolicyDefinitions folder to `\\SYSVOL\contoso.com\policies\PolicyDefinitions`.
+5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index 8d50139134..607ecdeb20 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -40,6 +40,7 @@ eUICCs
------------ServerName
----------------DiscoveryState
----------------AutoEnable
+----------------IsDiscoveryServer
--------Profiles
------------ICCID
----------------ServerName
@@ -112,6 +113,13 @@ Supported operations are Add, Get, and Replace.
Value type is bool.
+**_eUICC_/DownloadServers/_ServerName_/IsDiscoveryServer**
+Optional. Indicates whether the server is a discovery server. This setting must be defined by the MDM when the ServerName subtree is created.
+
+Supported operations are Add, Get, and Replace.
+
+Value type is bool. Default value is false.
+
**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index c17f08e0f3..62bced8f33 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -247,6 +247,30 @@ The XML below if for Windows 10, version 1803.
+
+ IsDiscoveryServer
+
+
+
+
+
+
+ false
+ Indicates whether the server is a discovery server. Optional, default value is false.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md
index 1d1e14d1ab..ccc7b8a660 100644
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -92,7 +92,7 @@ The XML below is the current version for this CSP.
- Provides the current status of the device health request. For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes
+ Provides the current status of the device health request. For the complete list of status see https://learn.microsoft.com/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes
@@ -456,9 +456,3 @@ The XML below is the current version for this CSP.
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
new file mode 100644
index 0000000000..f69dfcb4d0
--- /dev/null
+++ b/windows/client-management/mdm/laps-csp.md
@@ -0,0 +1,760 @@
+---
+title: Local Administrator Password Solution CSP
+description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords.
+ms.author: jsimmons
+ms.topic: article
+ms.prod: w11
+ms.technology: windows
+author: jsimmons
+ms.localizationpriority: medium
+ms.date: 07/04/2022
+ms.reviewer: jsimmons
+manager: jsimmons
+---
+
+# Local Administrator Password Solution CSP
+
+The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145.
+
+> [!IMPORTANT]
+> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders.
+
+The following example shows the LAPS CSP in tree format.
+
+```xml
+./Device/Vendor/MSFT
+LAPS
+----Policies
+--------BackupDirectory
+--------PasswordAgeDays
+--------PasswordLength
+--------PasswordComplexity
+--------PasswordExpirationProtectionEnabled
+--------AdministratorAccountName
+--------ADPasswordEncryptionEnabled
+--------ADPasswordEncryptionPrincipal
+--------ADEncryptedPasswordHistorySize
+--------PostAuthenticationResetDelay
+--------PostAuthenticationActions
+----Actions
+--------ResetPassword
+--------ResetPasswordStatus
+```
+
+The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
+
+|Setting name|Azure-joined|Hybrid-joined|
+|---|---|---|
+|BackupDirectory|Yes|Yes
+|PasswordAgeDays|Yes|Yes
+|PasswordLength|Yes|Yes|
+|PasswordComplexity|Yes|Yes|
+|PasswordExpirationProtectionEnabled|No|Yes|
+|AdministratorAccountName|Yes|Yes|
+|ADPasswordEncryptionEnabled|No|Yes|
+|ADPasswordEncryptionPrincipal|No|Yes|
+|ADEncryptedPasswordHistorySize|No|Yes|
+|PostAuthenticationResetDelay|Yes|Yes|
+|PostAuthenticationActions|Yes|Yes|
+|ResetPassword|Yes|Yes|
+|ResetPasswordStatus|Yes|Yes|
+
+> [!IMPORTANT]
+> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see the TBD reference on LAPS policy configuration.
+
+## ./Device/Vendor/MSFT/LAPS
+
+Defines the root node for the LAPS CSP.
+
+
+### Policies
+
+Defines the interior parent node for all configuration-related settings in the LAPS CSP.
+
+
+
+### BackupDirectory
+
+Allows the administrator to configure which directory the local administrator account password is backed up to.
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+Data type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+The allowable settings are:
+
+|Value|Description of setting|
+|--- |--- |
+|0|Disabled (password won't be backed up)|
+|1|Back up the password to Azure AD only|
+|2|Back up the password to Active Directory only|
+
+If not specified, this setting will default to 0 (disabled).
+
+
+
+
+### PasswordAgeDays
+
+Use this policy to configure the maximum password age of the managed local administrator account.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+If not specified, this setting will default to 30 days
+
+This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password Azure AD.
+
+This setting has a maximum allowed value of 365 days.
+
+
+Data type is integer.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+### PasswordComplexity
+
+Use this setting to configure password complexity of the managed local administrator account.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+The allowable settings are:
+
+|Value|Description of setting|
+|--- |--- |
+|1|Large letters|
+|2|Large letters + small letters|
+|3|Large letters + small letters + numbers|
+|4|Large letters + small letters + numbers + special characters|
+
+
+If not specified, this setting will default to 4.
+
+> [!IMPORTANT]
+> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4.
+
+
+Data type is integer.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+### PasswordLength
+
+Use this setting to configure the length of the password of the managed local administrator account.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+If not specified, this setting will default to 14 characters.
+
+This setting has a minimum allowed value of 8 characters.
+
+This setting has a maximum allowed value of 64 characters.
+
+
+Data type is integer.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+### AdministratorAccountName
+
+Use this setting to configure the name of the managed local administrator account.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed).
+
+If specified, the specified account's password will be managed.
+
+> [!IMPORTANT]
+> If a custom account name is specified in this setting, the specified account must be created via other means. Specifying a name in this setting will not cause the account to be created.
+
+
+Data type is string.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+### PasswordExpirationProtectionEnabled
+
+Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+When this setting is set to True, planned password expiration that would result in a password age greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy.
+
+If not specified, this setting defaults to True.
+
+> [!IMPORTANT]
+> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory.
+
+
+Data type is boolean.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+### ADPasswordEncryptionEnabled
+
+Use this setting to configure whether the password is encrypted before being stored in Active Directory.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+This setting is ignored if the password is currently being stored in Azure.
+
+If this setting is set to True, and the Active Directory domain meets the 2016 DFL prerequisite, the password is encrypted before being stored in Active Directory.
+
+If this setting is missing or set to False, or the Active Directory domain doesn't meet the DFL prerequisite, the password is stored as clear-text in Active Directory.
+
+If not specified, this setting defaults to False.
+> [!IMPORTANT]
+> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
+
+
+Data type is boolean.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+### ADPasswordEncryptionPrincipal
+
+Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+This setting is ignored if the password is currently being stored in Azure.
+
+If not specified, the password can only be decrypted by the Domain Admins group in the device's domain.
+
+If specified, the specified user or group will be able to decrypt the password stored in Active Directory.
+
+If the specified user or group account is invalid the device will fall back to using the Domain Admins group in the device's domain.
+> [!IMPORTANT]
+> The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include:
+>
+> "S-1-5-21-2127521184-1604012920-1887927527-35197"
+>
+> "contoso\LAPSAdmins"
+>
+> "lapsadmins@contoso.com"
+>
+> The principal identified (either by SID or user\group name) must exist and be resolvable by the device.
+
+> [!IMPORTANT]
+> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.
+
+
+Data type is string.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+### ADEncryptedPasswordHistorySize
+
+Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+If not specified, this setting will default to 0 passwords (disabled).
+
+This setting has a minimum allowed value of 0 passwords.
+
+This setting has a maximum allowed value of 12 passwords.
+
+> [!IMPORTANT]
+> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.
+
+
+Data type is integer.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+### PostAuthenticationResetDelay
+
+Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below).
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+If not specified, this setting will default to 24 hours.
+
+This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions).
+
+This setting has a maximum allowed value of 24 hours.
+
+
+Data type is integer.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+### PostAuthenticationActions
+
+Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above).
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+This setting can have ONE of the following values:
+
+|Value|Name|Action(s) taken upon expiry of the grace period|
+|--- |--- |--- |
+|1|Reset password|The managed account password will be reset|
+|3|Reset password and log off|The managed account password will be reset and any interactive logon sessions using the managed account will be terminated|
+|5|Reset password and reboot|The managed account password will be reset and the managed device will be immediately rebooted.|
+
+If not specified, this setting will default to 3.
+
+> [!IMPORTANT]
+> The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss.
+
+> [!IMPORTANT]
+> From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms.
+
+
+Data type is integer.
+
+Supported operations are Add, Get, Replace, and Delete.
+
+
+
+## Actions
+
+Defines the parent interior node for all action-related settings in the LAPS CSP.
+
+
+
+### ResetPassword
+
+Use this Execute action to request an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+
+Data type is integer.
+
+Supported operations are Execute.
+
+
+
+### ResetPasswordStatus
+
+Use this setting to query the status of the last submitted ResetPassword action.
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|Yes|
+|Pro|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+The value returned is an HRESULT code.
+
+S_OK (0x0) - the last submitted ResetPassword action succeeded.
+
+E_PENDING (0x8000000) - the last submitted ResetPassword action is still executing.
+
+other - the last submitted ResetPassword action encountered the returned error.
+
+
+Data type is integer.
+
+Supported operations are Get.
+
+
+### SyncML examples
+
+The following examples are provided to show proper format and shouldn't be taken as a recommendation.
+
+#### Azure-joined device backing password up to Azure AD
+
+This example is configuring an Azure-joined device to back up its password to Azure Active Directory:
+
+```xml
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory
+
+
+ int
+ text/plain
+
+ 1
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays
+
+
+ int
+ text/plain
+
+ 7
+
+
+
+ 3
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity
+
+
+ int
+ text/plain
+
+ 4
+
+
+
+ 4
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PasswordLength
+
+
+ int
+ text/plain
+
+ 32
+
+
+
+ 5
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName
+
+
+ chr
+ text/plain
+
+ ContosoLocalLapsAdmin
+
+
+
+ 6
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay
+
+
+ int
+ text/plain
+
+ 8
+
+
+
+ 7
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions
+
+
+ int
+ text/plain
+
+ 3
+
+ <Final/>
+
+```
+
+#### Hybrid-joined device backing password up to Active Directory
+
+This example is configuring a hybrid device to back up its password to Active Directory with password encryption enabled:
+
+```xml
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory
+
+
+ int
+ text/plain
+
+ 2
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays
+
+
+ int
+ text/plain
+
+ 20
+
+
+
+ 3
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity
+
+
+ int
+ text/plain
+
+ 3
+
+
+
+ 4
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PasswordLength
+
+
+ int
+ text/plain
+
+ 14
+
+
+
+ 5
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName
+
+
+ chr
+ text/plain
+
+ ContosoLocalLapsAdmin
+
+
+
+ 6
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled
+
+
+ bool
+ text/plain
+
+ True
+
+
+
+ 7
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled
+
+
+ bool
+ text/plain
+
+ True
+
+
+
+ 8
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal
+
+
+ chr
+ text/plain
+
+ LAPSAdmins@contoso.com
+
+
+
+ 9
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize
+
+
+ int
+ text/plain
+
+ 6
+
+
+
+ 10
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay
+
+
+ int
+ text/plain
+
+ 4
+
+
+
+ 11
+
+
+ ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions
+
+
+ int
+ text/plain
+
+ 5
+
+ <Final/>
+
+```
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md
new file mode 100644
index 0000000000..dcd69ca70c
--- /dev/null
+++ b/windows/client-management/mdm/laps-ddf-file.md
@@ -0,0 +1,654 @@
+---
+title: LAPS DDF file
+description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider.
+ms.author: jsimmons
+ms.topic: article
+ms.prod: w11
+ms.technology: windows
+author: jsimmons
+ms.localizationpriority: medium
+ms.date: 07/04/2022
+ms.reviewer: jsimmons
+manager: jsimmons
+---
+
+# Local Administrator Password Solution DDF file
+
+This article shows the OMA DM device description framework (DDF) for the Local Administrator Password Solution (LAPS) configuration service provider.
+
+Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
+
+The XML below is the current version for this CSP.
+
+```xml
+
+
+
+
+ 1.2
+ "%windir%\system32\LapsCSP.dll
+
+ {298a6f17-03e7-4bd4-971c-544f359527b7}
+
+ LAPS
+ ./Device/Vendor/MSFT
+
+
+
+
+ The root node for the LAPS configuration service provider.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 1.0
+
+
+
+
+
+
+ Policies
+
+
+
+
+ Root node for LAPS policies.
+
+
+
+
+
+
+
+
+
+ Policies
+
+
+
+
+
+
+ BackupDirectory
+
+
+
+
+
+
+
+ 0
+ Use this setting to configure which directory the local admin account password is backed up to.
+
+The allowable settings are:
+
+0=Disabled (password will not be backed up)
+1=Backup the password to Azure AD only
+2=Backup the password to Active Directory only
+
+If not specified, this setting will default to 0.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ 0
+ Disabled (password will not be backed up)
+
+
+ 1
+ Backup the password to Azure AD only
+
+
+ 2
+ Backup the password to Active Directory only
+
+
+
+
+
+ PasswordAgeDays
+
+
+
+
+
+
+
+ 30
+ Use this policy to configure the maximum password age of the managed local administrator account.
+
+If not specified, this setting will default to 30 days
+
+This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD.
+
+This setting has a maximum allowed value of 365 days.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ [1-365]
+
+
+
+
+ [7-365]
+
+
+ Vendor/MSFT/LAPS/Policies/BackupDirectory
+
+
+ 1
+ BackupDirectory configured to Azure AD
+
+
+
+
+
+
+
+
+ PasswordComplexity
+
+
+
+
+
+
+
+ 4
+ Use this setting to configure password complexity of the managed local administrator account.
+
+The allowable settings are:
+
+1=Large letters
+2=Large letters + small letters
+3=Large letters + small letters + numbers
+4=Large letters + small letters + numbers + special characters
+
+If not specified, this setting will default to 4.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ 1
+ Large letters
+
+
+ 2
+ Large letters + small letters
+
+
+ 3
+ Large letters + small letters + numbers
+
+
+ 4
+ Large letters + small letters + numbers + special characters
+
+
+
+
+
+ PasswordLength
+
+
+
+
+
+
+
+ 14
+ Use this setting to configure the length of the password of the managed local administrator account.
+
+If not specified, this setting will default to 14 characters.
+
+This setting has a minimum allowed value of 8 characters.
+
+This setting has a maximum allowed value of 64 characters.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ [8-64]
+
+
+
+
+ AdministratorAccountName
+
+
+
+
+
+
+
+ Use this setting to configure the name of the managed local administrator account.
+
+If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed).
+
+If specified, the specified account's password will be managed.
+
+Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PasswordExpirationProtectionEnabled
+
+
+
+
+
+
+
+ True
+ Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
+
+When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy.
+
+If not specified, this setting defaults to True.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ false
+ Allow configured password expiriration timestamp to exceed maximum password age
+
+
+ true
+ Do not allow configured password expiriration timestamp to exceed maximum password age
+
+
+
+
+
+ Vendor/MSFT/LAPS/Policies/BackupDirectory
+
+
+ 2
+ BackupDirectory configured to Active Directory
+
+
+
+
+
+
+
+
+ ADPasswordEncryptionEnabled
+
+
+
+
+
+
+
+ False
+ Use this setting to configure whether the password is encrypted before being stored in Active Directory.
+
+This setting is ignored if the password is currently being stored in Azure.
+
+This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
+
+If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory.
+
+If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory.
+
+If not specified, this setting defaults to False.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ false
+ Store the password in clear-text form in Active Directory
+
+
+ true
+ Store the password in encrypted form in Active Directory
+
+
+
+
+
+ Vendor/MSFT/LAPS/Policies/BackupDirectory
+
+
+ 2
+ BackupDirectory configured to Active Directory
+
+
+
+
+
+
+
+
+ ADPasswordEncryptionPrincipal
+
+
+
+
+
+
+
+ Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
+
+This setting is ignored if the password is currently being stored in Azure.
+
+If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
+
+If specified, the specified user or group will be able to decrypt the password stored in Active Directory.
+
+If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Vendor/MSFT/LAPS/Policies/BackupDirectory
+
+
+ 2
+ BackupDirectory configured to Active Directory
+
+
+
+
+
+
+
+
+ ADEncryptedPasswordHistorySize
+
+
+
+
+
+
+
+ 0
+ Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory.
+
+If not specified, this setting will default to 0 passwords (disabled).
+
+This setting has a minimum allowed value of 0 passwords.
+
+This setting has a maximum allowed value of 12 passwords.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ [0-12]
+
+
+
+
+ Vendor/MSFT/LAPS/Policies/BackupDirectory
+
+
+ 2
+ BackupDirectory configured to Active Directory
+
+
+
+
+
+
+
+
+ PostAuthenticationResetDelay
+
+
+
+
+
+
+
+ 24
+ Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
+
+ If not specified, this setting will default to 24 hours.
+
+ This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions).
+
+ This setting has a maximum allowed value of 24 hours.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ [0-24]
+
+
+
+
+ PostAuthenticationActions
+
+
+
+
+
+
+
+ 3
+ Use this setting to specify the actions to take upon expiration of the configured grace period.
+
+If not specified, this setting will default to 3 (Reset the password and logoff the managed account).
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ 1
+ Reset password: upon expiry of the grace period, the managed account password will be reset.
+
+
+ 3
+ Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated.
+
+
+ 5
+ Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.
+
+
+
+
+
+
+ Actions
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Actions
+
+
+
+
+
+ ResetPassword
+
+
+
+
+ Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ ResetPasswordStatus
+
+
+
+
+ 0
+ Use this setting to query the status of the last submitted ResetPassword execute action.
+
+
+
+
+
+
+
+
+
+ ResetPasswordStatus
+
+ text/plain
+
+
+
+
+
+
+
+
+```
+
+## Related articles
+
+[LAPS configuration service provider](laps-csp.md)
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index fdfb90c836..715e8578ea 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -12,29 +12,94 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
-ms.date: 10/20/2020
+ms.date: 09/16/2022
---
# What's new in mobile device enrollment and management
-This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
+This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
-For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
+For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
+## What's new in MDM for Windows 11, version 22H2
-## What’s new in MDM for Windows 11, version 21H2
+| New or updated article | Description |
+|--|--|
+| [DeviceStatus](devicestatus-csp.md) | Added the following node:
MDMClientCertAttestation |
+| [eUUICs](euiccs-csp.md) | Added the following node:
IsDiscoveryServer |
+| [PersonalDataEncryption](personaldataencryption-csp.md) | New CSP |
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
Windowslogon/EnableMPRNotifications |
+| [SecureAssessment](secureassessment-csp.md) | Added the following node:
Asssessments |
+| [WindowsAutopilot](windowsautopilot-csp.md) | Added the following node:
HardwareMismatchRemediationData |
+
+## What's new in MDM for Windows 11, version 21H2
+
+| New or updated article | Description |
+|--|--|
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable |
+| [DMClient CSP](dmclient-csp.md) | Updated the description of the following nodes:
Provider/ProviderID/ConfigLock/Lock
Provider/ProviderID/ConfigLock/UnlockDuration
Provider/ProviderID/ConfigLock/SecuredCore |
+| [PrinterProvisioning](universalprint-csp.md) | New CSP |
+
+## What's new in MDM for Windows 10, version 20H2
|New or updated article|Description|
|-----|-----|
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 11, version 21H2: - NewsAndInterests/AllowNewsAndInterests - Experiences/ConfigureChatIcon - Start/ConfigureStartPins - Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity - Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable |
-| [DMClient CSP](dmclient-csp.md) | Updated the description of the following node: - Provider/ProviderID/ConfigLock/Lock - Provider/ProviderID/ConfigLock/UnlockDuration - Provider/ProviderID/ConfigLock/SecuredCore |
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
Multitasking/BrowserAltTabBlowout|
+| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
Properties/SleepMode |
+| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
Settings/AllowWindowsDefenderApplicationGuard |
+## What's new in MDM for Windows 10, version 2004
+
+| New or updated article | Description |
+|-----|-----|
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
Updated the following policy in Windows 10, version 2004:
DeliveryOptimization/DOCacheHost
Deprecated the following policies in Windows 10, version 2004:
DeliveryOptimization/DOMaxDownloadBandwidth
DeliveryOptimization/DOMaxUploadBandwidth
DeliveryOptimization/DOPercentageMaxDownloadBandwidth |
+| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
Ext/Microsoft/DNSComputerName |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following node:
IsStub |
+| [SUPL CSP](supl-csp.md) | Added the following node:
FullVersion |
+
+## What's new in MDM for Windows 10, version 1909
+
+| New or updated article | Description |
+|-----|-----|
+| [BitLocker CSP](bitlocker-csp.md) | Added the following nodes:
ConfigureRecoveryPasswordRotation
RotateRecoveryPasswords
RotateRecoveryPasswordsStatus
RotateRecoveryPasswordsRequestID|
+
+## What's new in MDM for Windows 10, version 1903
+
+| New or updated article | Description |
+|-----|-----|
+|[Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
WindowsLogon/EnableFirstLogonAnimation|
+| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. |
+| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. |
+| [Defender CSP](defender-csp.md) | Added the following new nodes:
Health/TamperProtectionEnabled
Health/IsVirtualMachine
Configuration
Configuration/TamperProtection
Configuration/EnableFileHashComputation |
+| [DiagnosticLog CSP](diagnosticlog-csp.md) [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
Policy
Policy/Channels
Policy/Channels/ChannelName
Policy/Channels/ChannelName/MaximumFileSize
Policy/Channels/ChannelName/SDDL
Policy/Channels/ChannelName/ActionWhenFull
Policy/Channels/ChannelName/Enabled
DiagnosticArchive
DiagnosticArchive/ArchiveDefinition
DiagnosticArchive/ArchiveResults |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. |
+| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
SecurityKey
SecurityKey/UseSecurityKeyForSignin |
+
+
+## What's new in MDM for Windows 10, version 1809
+
+| New or updated article | Description |
+|-----|-----|
+|[Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
WindowsLogon/DontDisplayNetworkSelectionUI |
+| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
Added support for Windows 10 Pro. |
+| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus. |
+| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber. |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. |
+| [Office CSP](office-csp.md) | Added FinalStatus setting. |
+| [PassportForWork CSP](passportforwork-csp.md) | Added new settings. |
+| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings. |
+| [SUPL CSP](supl-csp.md) | Added three new certificate nodes. |
+| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP. |
+| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost. |
+| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings. |
+| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples. |
+| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | New CSP. |
## Breaking changes and known issues
-### Get command inside an atomic command isn’t supported
+### Get command inside an atomic command isn't supported
-In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported.
+In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported.
### Apps installed using WMI classes are not removed
@@ -42,11 +107,11 @@ Applications installed using WMI classes aren't removed when the MDM account is
### Passing CDATA in SyncML does not work
-Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11.
+Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11.
### SSL settings in IIS server for SCEP must be set to "Ignore"
-The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11.
+The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11.
@@ -62,7 +127,7 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act
### Certificates causing issues with Wi-Fi and VPN
-In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue.
+In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue.
### Version information for Windows 11
@@ -251,7 +316,7 @@ After the MDM client automatically renews the WNS channel URI, the MDM client wi
### User provisioning failure in Azure Active Directory-joined Windows 10 and Windows 11 devices
-In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
+In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
### Requirements to note for VPN certificates also used for Kerberos Authentication
@@ -288,63 +353,6 @@ What data is handled by dmwappushsvc? | It's a component handling the internal w
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
-
-## What’s new in MDM for Windows 10, version 20H2
-
-|New or updated article|Description|
-|-----|-----|
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2: - [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent) - [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure) - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) - [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) - [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled) - [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) - [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
-| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node: - Properties/SleepMode |
-| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node: - Settings/AllowWindowsDefenderApplicationGuard |
-
-## What’s new in MDM for Windows 10, version 2004
-
-| New or updated article | Description |
-|-----|-----|
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004: - [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall) - [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize) - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource) - [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth) - [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth) - [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator) - [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion) - [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion) - [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)
Updated the following policy in Windows 10, version 2004: - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
Deprecated the following policies in Windows 10, version 2004: - [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) - [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) |
-| [DevDetail CSP](devdetail-csp.md) | Added the following new node: - Ext/Microsoft/DNSComputerName |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node: - IsStub |
-| [SUPL CSP](supl-csp.md) | Added the following new node: - FullVersion |
-
-## What’s new in MDM for Windows 10, version 1909
-
-| New or updated article | Description |
-|-----|-----|
-| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909: - ConfigureRecoveryPasswordRotation - RotateRecoveryPasswords - RotateRecoveryPasswordsStatus - RotateRecoveryPasswordsRequestID|
-
-## What’s new in MDM for Windows 10, version 1903
-
-| New or updated article | Description |
-|-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903: - [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) - [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground) - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring) - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope) - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination) - [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids) - [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids) - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile) - [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar) - [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) - [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview) - [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync) - [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) - [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete) - [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage) - [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery) - [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin) - [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery) - [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin) - [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery) - [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin) - [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery) - [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin) - [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery) - [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin) - [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery) - [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) - [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice) - [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock) - [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles) - [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory) - [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) - [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations) - [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup) - [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) - [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) - [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) - [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)|
-| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. |
-| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. |
-| [Defender CSP](defender-csp.md) | Added the following new nodes: - Health/TamperProtectionEnabled - Health/IsVirtualMachine - Configuration - Configuration/TamperProtection - Configuration/EnableFileHashComputation |
-| [DiagnosticLog CSP](diagnosticlog-csp.md) [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes: - Policy - Policy/Channels - Policy/Channels/ChannelName - Policy/Channels/ChannelName/MaximumFileSize - Policy/Channels/ChannelName/SDDL - Policy/Channels/ChannelName/ActionWhenFull - Policy/Channels/ChannelName/Enabled - DiagnosticArchive - DiagnosticArchive/ArchiveDefinition - DiagnosticArchive/ArchiveResults |
-| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. |
-| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes: - SecurityKey - SecurityKey/UseSecurityKeyForSignin |
-
-
-## What’s new in MDM for Windows 10, version 1809
-
-| New or updated article | Description |
-|-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809: - ApplicationManagement/LaunchAppAfterLogOn - ApplicationManagement/ScheduleForceRestartForUpdateFailures - Authentication/EnableFastFirstSignIn (Preview mode only) - Authentication/EnableWebSignIn (Preview mode only) - Authentication/PreferredAadTenantDomainName - Browser/AllowFullScreenMode - Browser/AllowPrelaunch - Browser/AllowPrinting - Browser/AllowSavingHistory - Browser/AllowSideloadingOfExtensions - Browser/AllowTabPreloading - Browser/AllowWebContentOnNewTabPage - Browser/ConfigureFavoritesBar - Browser/ConfigureHomeButton - Browser/ConfigureKioskMode - Browser/ConfigureKioskResetAfterIdleTimeout - Browser/ConfigureOpenMicrosoftEdgeWith - Browser/ConfigureTelemetryForMicrosoft365Analytics - Browser/PreventCertErrorOverrides - Browser/SetHomeButtonURL - Browser/SetNewTabPageURL - Browser/UnlockHomeButton - Defender/CheckForSignaturesBeforeRunningScan - Defender/DisableCatchupFullScan - Defender/DisableCatchupQuickScan - Defender/EnableLowCPUPriority - Defender/SignatureUpdateFallbackOrder - Defender/SignatureUpdateFileSharesSources - DeviceGuard/ConfigureSystemGuardLaunch - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses - DeviceInstallation/PreventDeviceMetadataFromNetwork - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings - DmaGuard/DeviceEnumerationPolicy - Experience/AllowClipboardHistory - Experience/DoNotSyncBrowserSettings - Experience/PreventUsersFromTurningOnBrowserSyncing - Kerberos/UPNNameHints - Privacy/AllowCrossDeviceClipboard - Privacy/DisablePrivacyExperience - Privacy/UploadUserActivities - Security/RecoveryEnvironmentAuthentication - System/AllowDeviceNameInDiagnosticData - System/ConfigureMicrosoft365UploadEndpoint - System/DisableDeviceDelete - System/DisableDiagnosticDataViewer - Storage/RemovableDiskDenyWriteAccess - TaskManager/AllowEndTask - Update/DisableWUfBSafeguards - Update/EngagedRestartDeadlineForFeatureUpdates - Update/EngagedRestartSnoozeScheduleForFeatureUpdates - Update/EngagedRestartTransitionScheduleForFeatureUpdates - Update/SetDisablePauseUXAccess - Update/SetDisableUXWUAccess - WindowsDefenderSecurityCenter/DisableClearTpmButton - WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning - WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl - WindowsLogon/DontDisplayNetworkSelectionUI |
-| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. |
-| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. |
-| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. |
-| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. |
-| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. |
-| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. |
-| [SUPL CSP](supl-csp.md) | Added three new certificate nodes in Windows 10, version 1809. |
-| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. |
-| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. |
-| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. |
-| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. |
-| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. |
-
-
## Change history for MDM documentation
To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md).
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index d45249dffe..67c5ae122a 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -150,6 +150,15 @@ If you disable or don't configure this policy setting, the PIN will be provision
Supported operations are Add, Get, Delete, and Replace.
+***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT)
+Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
+
+If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
+
+If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
+
+Supported operations are Add, Get, Delete, and Replace.
+
***TenantId*/Policies/PINComplexity**
Node for defining PIN settings.
diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md
new file mode 100644
index 0000000000..598c8121ec
--- /dev/null
+++ b/windows/client-management/mdm/personaldataencryption-csp.md
@@ -0,0 +1,47 @@
+---
+title: PersonalDataEncryption CSP
+description: Learn how the PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices.
+ms.author: v-nsatapathy
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.localizationpriority: medium
+ms.date: 09/12/2022
+ms.reviewer:
+manager: dansimp
+ms.collection: highpri
+---
+
+# PersonalDataEncryption CSP
+
+The PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
+
+The following shows the PersonalDataEncryption configuration service provider in tree format:
+
+```
+./User/Vendor/MSFT/PDE
+-- EnablePersonalDataEncryption
+-- Status
+-------- PersonalDataEncryptionStatus
+
+```
+
+**EnablePersonalDataEncryption**:
+- 0 is default (disabled)
+- 1 (enabled) will make Personal Data Encryption (PDE) public API available to applications for the user: [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+
+The public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for the PDE to be enabled.
+
+**Status/PersonalDataEncryptionStatus**: Reports the current status of Personal Data Encryption (PDE) for the user. If prerequisites of PDE aren't met, then the status will be 0. If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
+
+> [!Note]
+> The policy is only applicable on Enterprise and Education SKUs.
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md
new file mode 100644
index 0000000000..2911a85c66
--- /dev/null
+++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md
@@ -0,0 +1,127 @@
+---
+title: PersonalDataEncryption DDF file
+description: Learn about the OMA DM device description framework (DDF) for the PersonalDataEncryption configuration service provider.
+ms.author: v-nsatapathy
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.localizationpriority: medium
+ms.date: 09/10/2022
+ms.reviewer:
+manager: dansimp
+---
+
+# PersonalDataEncryption DDF file
+
+This topic shows the OMA DM device description framework (DDF) for the **PersonalDataEncryption** configuration service provider.
+
+Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
+
+The XML below is the current version for this CSP.
+
+```xml
+
+]>
+
+ 1.2
+
+ PDE
+ ./User/Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnablePersonalDataEncryption
+
+
+
+
+
+
+
+ Allows the Admin to enable Personal Data Encryption. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable Personal Data Encryption.
+
+
+ 1
+ Enable Personal Data Encryption.
+
+
+
+
+
+ Status
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PersonalDataEncryptionStatus
+
+
+
+
+ This node reports the current state of Personal Data Encryption for a user. '0' means disabled. '1' means enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index e06e70792f..aa15270570 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -1559,6 +1559,16 @@ ms.date: 10/08/2020
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DesktopAppInstaller/EnableAdditionalSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources)
+- [DesktopAppInstaller/EnableAppInstaller](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller)
+- [DesktopAppInstaller/EnableLocalManifestFiles](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles)
+- [DesktopAppInstaller/EnableHashOverride](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride)
+- [DesktopAppInstaller/EnableMicrosoftStoreSource](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource)
+- [DesktopAppInstaller/EnableMSAppInstallerProtocol](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol)
+- [DesktopAppInstaller/EnableSettings](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings)
+- [DesktopAppInstaller/EnableAllowedSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources)
+- [DesktopAppInstaller/EnableExperimentalFeatures](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures)
+- [DesktopAppInstaller/SourceAutoUpdateInterval](./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 9d2038131f..8687773b6b 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -57,11 +57,13 @@ ms.date: 08/01/2022
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11
- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9
- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
+- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) Insider
- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) Insider
- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9
- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9
- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#mixedreality-manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9
+- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) Insider
- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) Insider
- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) Insider
- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 3b79fcf245..79aba31f6b 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -5173,6 +5173,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+
### ADMX_WindowsRemoteManagement policies
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 6c42ebfde5..172eeb0f4f 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -2105,17 +2105,17 @@ If you disable or don't configure this setting, security intelligence will be re
ADMX Info:
-- GP Friendly name: *Define security intelligence location for VDI clients*
+- GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments*
- GP name: *SecurityIntelligenceLocation*
- GP element: *SecurityIntelligenceLocation*
-- GP path: *Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender*
- GP ADMX file name: *WindowsDefender.admx*
- Empty string - no policy is set
-- Non-empty string - the policy is set and security intelligence is gathered from the location
+- Non-empty string - the policy is set and security intelligence is gathered from the location.
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
new file mode 100644
index 0000000000..f6ec4db880
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -0,0 +1,595 @@
+---
+title: Policy CSP - DesktopAppInstaller
+description: Learn about the Policy CSP - DesktopAppInstaller.
+ms.author: v-aljupudi
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: alekyaj
+ms.date: 08/24/2022
+ms.reviewer:
+manager: aaroncz
+---
+
+# Policy CSP - DesktopAppInstaller
+
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+
+## DesktopAppInstaller policies
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableAdditionalSources**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/).
+
+If you don't configure this setting, no additional sources will be configured for Windows Package Manager.
+
+If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/).
+
+If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Additional Windows Package Manager Sources*
+- GP name: *EnableAdditionalSources*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableAppInstaller**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
+
+- If you enable or don't configure this setting, users will be able to use the Windows Package Manager.
+- If you disable this setting, users won't be able to use the Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users*
+- GP name: *EnableAppInstaller*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableDefaultSource**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls the default source included with the Windows Package Manager.
+If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed.
+- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed.
+- If you disable this setting the default source for the Windows Package Manager won't be available.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Default Source*
+- GP name: *EnableDefaultSource*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableLocalManifestFiles**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether users can install packages with local manifest files.
+
+- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
+- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Local Manifest Files*
+- GP name: *EnableLocalManifestFiles*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+**DesktopAppInstaller/EnableHashOverride**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest.
+
+- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings.
+
+- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable App Installer Hash Override*
+- GP name: *EnableHashOverride*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableMicrosoftStoreSource**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls the Microsoft Store source included with the Windows Package Manager.
+If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
+- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed.
+- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source*
+- GP name: *EnableMicrosoftStoreSource*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableMSAppInstallerProtocol**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol.
+
+- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol.
+
+- If you disable this setting, users will not be able to install packages from websites that use this protocol.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable MS App Installer Protocol*
+- GP name: *EnableMSAppInstallerProtocol*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableSettings**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether users can change their settings. The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
+
+- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager.
+- If you disable this setting, users will not be able to change settings for Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Settings Command*
+- GP name: *EnableSettings*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableAllowedSources**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy.
+
+- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export.
+- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Settings Command*
+- GP name: *EnableAllowedSources*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableExperimentalFeatures**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
+
+- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager.
+
+- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Experimental Features*
+- GP name: *EnableExperimentalFeatures*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/SourceAutoUpdateInterval**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
+
+- If you enable this setting, the number of minutes specified will be used by Windows Package Manager.
+
+- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes*
+- GP name: *SourceAutoUpdateInterval*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 80986cd431..baeea5bf25 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -50,6 +50,9 @@ manager: aaroncz
@@ -494,6 +497,50 @@ The following list shows the supported values:
+
+**Experience/AllowSpotlightCollection**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy allows spotlight collection on the device.
+
+- If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings.
+- If you disable or do not configure this policy, "Spotlight collection" will appear as an option in Personalization settings, allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop.
+
+
+
+The following list shows the supported values:
+
+- When set to 0: Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop
+- When set to 1: Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft
+- Default value: 1
+
+
+
+
+
+
**Experience/AllowTailoredExperiencesWithDiagnosticData**
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index 5f49f1d40e..be7a776997 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -46,8 +46,13 @@ manager: aaroncz
+
+
@@ -276,10 +281,10 @@ This policy configures the folders that the user can enumerate and access in the
The following list shows the supported values:
- 0: All folders
-- 15:Desktop, Documents, Pictures, and Downloads
-- 31:Desktop, Documents, Pictures, Downloads, and Network
-- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads
-- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network
+- 15: Desktop, Documents, Pictures, and Downloads
+- 31: Desktop, Documents, Pictures, Downloads, and Network
+- 47: This PC (local drive), [Desktop, Documents, Pictures], and Downloads
+- 63: This PC, [Desktop, Documents, Pictures], Downloads, and Network
@@ -331,7 +336,7 @@ This policy configures the folders that the user can enumerate and access in the
The following list shows the supported values:
-- 0: all storage locations
+- 0: All storage locations
- 1: Removable Drives
- 2: Sync roots
- 3: Removable Drives, Sync roots, local drive
@@ -350,9 +355,62 @@ ADMX Info:
+
+**FileExplorer/DisableGraphRecentItems**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Windows SE|No|Yes|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+
+This policy changes whether files from Office.com will be shown in the Recents and Favorites sections on the Home node (previously known as Quick Access) in File Explorer.
+
+
+
+
+The following list shows the supported values:
+
+- 0: Files from Office.com will display in the Home node
+- 1: No files from Office.com will be retrieved or displayed
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off files from Office.com in Quick access view*
+- GP name: *DisableGraphRecentItems*
+- GP path: *File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
index df30b8f920..d1a49971c5 100644
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -20,6 +20,9 @@ manager: aaroncz
## HumanPresence policies
@@ -4423,6 +4432,115 @@ ADMX Info:
+
+
+
+**InternetExplorer/EnableGlobalWindowListInIEMode**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications.
+The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser.
+
+- If you enable this policy, Internet Explorer mode will use the global window list.
+
+- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - Disabled
+- 1 - Enabled
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable global window list in Internet Explorer mode*
+- GP name: *EnableGlobalWindowListInIEMode*
+- GP path: *Windows Components/Internet Explorer/Main*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+
+
+
+**InternetExplorer/HideInternetExplorer11RetirementNotification**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|No|
+|Windows SE|No|No|
+|Business|Yes|No|
+|Enterprise|Yes|No|
+|Education|Yes|No|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11.
+
+- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11.
+
+- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - Disabled
+- 1 - Enabled
+
+
+
+ADMX Info:
+- GP Friendly name: *Hide Internet Explorer 11 retirement notification*
+- GP name: *DisableIEAppDeprecationNotification*
+- GP path: *Windows Components/Internet Explorer/Main*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
**InternetExplorer/IncludeAllLocalSites**
@@ -11161,6 +11279,60 @@ ADMX Info:
+
+**InternetExplorer/ResetZoomForDialogInIEMode**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode.
+
+- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page.
+
+- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - Disabled
+- 1 - Enabled
+
+
+
+ADMX Info:
+- GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode*
+- GP name: *ResetZoomForDialogInIEMode*
+- GP path: *Windows Components/Internet Explorer/Main*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+
+
**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses**
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 0e1fdaeb77..3c77cc2e2c 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -31,6 +31,18 @@ manager: aaroncz
Kerberos/RequireKerberosArmoring
@@ -231,22 +243,20 @@ ADMX Info:
This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
-If you enable this policy, you'll be able to configure one of four states for each algorithm:
-
-* **Default**: This state sets the algorithm to the recommended state.
-* **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-* **Audited**: This state enables usage of the algorithm and reports an event (ID 205) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
-* **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+If you enable this policy, you'll be able to configure one of four states for each hash algorithm (SHA1, SHA256, SHA384, and SHA512) using their respective policies.
If you disable or don't configure this policy, each algorithm will assume the **Default** state.
+* 0 - **Disabled**
+* 1 - **Enabled**
+
More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
ADMX Info:
-- GP Friendly name: *Introducing agility to PKINIT in Kerberos protocol*
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@@ -256,6 +266,209 @@ ADMX Info:
+
+**Kerberos/PKInitHashAlgorithmSHA1**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+* 1 - **Default**: This state sets the algorithm to the recommended state.
+* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, the SHA1 algorithm will assume the **Default** state.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
+- GP name: *PKInitHashAlgorithmConfiguration*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+
+**Kerberos/PKInitHashAlgorithmSHA256**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+* 1 - **Default**: This state sets the algorithm to the recommended state.
+* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, the SHA256 algorithm will assume the **Default** state.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
+- GP name: *PKInitHashAlgorithmConfiguration*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+
+**Kerberos/PKInitHashAlgorithmSHA384**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+* 1 - **Default**: This state sets the algorithm to the recommended state.
+* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, the SHA384 algorithm will assume the **Default** state.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
+- GP name: *PKInitHashAlgorithmConfiguration*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+
+**Kerberos/PKInitHashAlgorithmSHA512**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+* 1 - **Default**: This state sets the algorithm to the recommended state.
+* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, the SHA512 algorithm will assume the **Default** state.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
+- GP name: *PKInitHashAlgorithmConfiguration*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
**Kerberos/RequireKerberosArmoring**
@@ -456,4 +669,4 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md
new file mode 100644
index 0000000000..a338134343
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-lsa.md
@@ -0,0 +1,131 @@
+---
+title: Policy CSP - LocalSecurityAuthority
+description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS).
+ms.author: vinpa
+author: vinaypamnani-msft
+ms.reviewer:
+manager: aaroncz
+ms.topic: reference
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.localizationpriority: medium
+ms.date: 08/26/2022
+---
+
+# Policy CSP - LocalSecurity Authority
+
+
+
+
+
+## LocalSecurityAuthority policies
+
+
+
+> [!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+
+**LocalSecurityAuthority/AllowCustomSSPsAPs**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs).
+
+If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs.
+
+If you disable this policy setting, LSASS will block custom SSPs and APs from loading.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS*
+- GP name: *AllowCustomSSPsAPs*
+- GP path: *System/Local Security Authority*
+- GP ADMX file name: *LocalSecurityAuthority.admx*
+
+
+
+
+
+
+
+**Kerberos/ConfigureLsaProtectedProcess**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process.
+
+If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process.
+
+If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable.
+
+If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure LSASS to run as a protected process*
+- GP name: *ConfigureLsaProtectedProcess*
+- GP path: *System/Local Security Authority*
+- GP ADMX file name: *LocalSecurityAuthority.admx*
+
+
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index 56f82e6ba2..e49f9c7be8 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -36,6 +36,9 @@ manager: aaroncz
@@ -307,6 +313,71 @@ Supported value is Integer.
+
+**MixedReality/ConfigureNtpClient**
+
+
+
+|Windows Edition|Supported|
+|--- |--- |
+|HoloLens (first gen) Development Edition|No|
+|HoloLens (first gen) Commercial Suite|No|
+|HoloLens 2|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+> [!NOTE]
+> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
+
+You may want to configure a different time server for your device fleet. IT admins can use thi policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy.
+
+This policy setting specifies a set of parameters for controlling the Windows NTP Client. Refer to [Policy CSP - ADMX_W32Time - Windows Client Management](/windows/client-management/mdm/policy-csp-admx-w32time#admx-w32time-policy-configure-ntpclient) for supported configuration parameters.
+
+> [!NOTE]
+> This feature requires enabling[NtpClientEnabled](#mixedreality-ntpclientenabled) as well.
+
+- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureNtpClient`
+
+> [!NOTE]
+> Reboot is required for these policies to take effect.
+
+
+
+
+
+
+
+
+- Data Type: String
+- Value:
+
+```
+
+```
+
+
+
+
+
**MixedReality/DisallowNetworkConnectivityPassivePolling**
@@ -510,6 +581,48 @@ The following list shows the supported values:
- 1 - True
+
+
+**MixedReality/NtpClientEnabled**
+
+
+
+|Windows Edition|Supported|
+|--- |--- |
+|HoloLens (first gen) Development Edition|No|
+|HoloLens (first gen) Commercial Suite|No|
+|HoloLens 2|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+> [!NOTE]
+> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
+
+This policy setting specifies whether the Windows NTP Client is enabled.
+
+- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/NtpClientEnabled`
+
+
+
+
+
+
+- Data Type: String
+- Value ``
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index bcce2e1390..b62689625c 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -27,12 +27,36 @@ manager: aaroncz
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -109,7 +112,6 @@ These requirements include restricting printing to USB connected printers that m
This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled.
The format of this setting is `/[,/]`
-Parent deliverable: 26209274 - Device Control: Printer
@@ -129,38 +131,14 @@ ADMX Info:
**Printers/ApprovedUsbPrintDevicesUser**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -194,42 +172,423 @@ ADMX Info:
+
+**Printers/ConfigureCopyFilesPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\CopyFilesPolicy` registry entry to restrict processing of the CopyFiles registry entries during printer connection installation. This registry key was added to the print system as part of the 9B security update.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to *SyncCopyFilestoColorFolderOnly* as the value and process the CopyFiles entries as appropriate.
+
+If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
+
+The following are the supported values:
+
+Type: DWORD. Defaults to 1.
+
+- 0 (DisableCopyFiles) - Don't process any CopyFiles registry entries when installing printer connections.
+- 1 (SyncCopyFilestoColorFolderOnly) - Only allow CopyFiles entries that conform to the standard Color Profile scheme. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value.
+- 2 (AllowCopyFile) - Allow any CopyFiles registry entries to be processed/created when installing printer connections.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Manage processing of Queue-specific files*
+- GP name: *ConfigureCopyFilesPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**Printers/ConfigureDriverValidationLevel**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevel` registry entry to determine the print driver digital signatures. This registry key was added to the print system as part of the 10C security update.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to *DriverValidationLevel_Legacy* as the value and process the print driver digital signatures as appropriate.
+
+If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
+
+The following are the supported values:
+
+Type: DWORD. Defaults to 4.
+
+- 0 (DriverValidationLevel_Inbox) - Only drivers that are shipped as part of a Windows image are allowed on this computer.
+- 1 (DriverValidationLevel_Trusted) - Only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer.
+- 2 (DriverValidationLevel_WHQL)- Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL).
+- 3 (DriverValidationLevel_TrustedShared) - Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store.
+- 4 (DriverValidationLevel_Legacy) - Any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer.
+
+
+
+ADMX Info:
+- GP Friendly name: *Manage Print Driver signature validation*
+- GP name: *ConfigureDriverValidationLevel*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**Printers/ConfigureIppPageCountsPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\IPP\AlwaysSendIppPageCounts`registry entry to allow administrators to configure setting for the IPP print stack.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to sending page count job accounting information for IPP print jobs only when necessary.
+
+If the policy object is Enabled, the code will always send page count job accounting information for IPP print jobs.
+
+The following are the supported values:
+
+AlwaysSendIppPageCounts: DWORD. Defaults to 0.
+
+- 0 (Disabled) - Job accounting information will not always be sent for IPP print jobs **(default)**.
+- 1 (Enabled) - Job accounting information will always be sent for IPP print jobs.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Always send job page count information for IPP printers*
+- GP name: *ConfigureIppPageCountsPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**Printers/ConfigureRedirectionGuardPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\ConfigureRedirectionGuard` registry entry, which in turn is used to control the functionality of the Redirection Guard feature in the spooler process.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to 1 (enabled) as the value and will prevent redirection primitives in the spooler from being used.
+
+If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
+
+The following are the supported values:
+
+Type: DWORD, defaults to 1.
+
+- 0 (Redirection Guard Disabled) - Redirection Guard is not enabled for the spooler process and will not prevent the use of redirection primitives within said process.
+- 1 (Redirection Guard Enabled) - Redirection Guard is enabled for the spooler process and will prevent the use of redirection primitives from being used.
+- 2 (Redirection Guard Audit Mode) - Redirection Guard will be disabled but will log telemetry events as though it were enabled.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Redirection Guard*
+- GP name: *ConfigureRedirectionGuardPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**Printers/ConfigureRpcConnectionPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC connections in the print stack.
+
+There are 2 values which can be configured:
+
+- RpcUseNamedPipeProtocol DWORD
+ - 0: RpcOverTcp (default)
+ - 1: RpcOverNamedPipes
+- RpcAuthentication DWORD
+ - 0: RpcConnectionAuthenticationDefault (default)
+ - 1: RpcConnectionAuthenticationEnabled
+ - 2: RpcConnectionAuthenticationDisabled
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp*, and RPC authentication enabled on domain joined machines and RPC authentication disabled on non domain joined machines.
+
+If the policy object is Enabled, the code will read the DWORD values from the registry entries and act accordingly.
+
+The following are the supported values:
+
+- Not configured or Disabled - The print stack makes RPC connections over TCP and enables RPC authentication on domain joined machines, but disables RPC authentication on non domain joined machines.
+- Enabled - The print stack reads from the registry to determine RPC protocols to connect on and whether to perform RPC authentication.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure RPC connection settings*
+- GP name: *ConfigureRpcConnectionPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**Printers/ConfigureRpcListenerPolicy**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners in the print stack.
+
+There are 2 values which can be configured:
+- RpcProtocols DWORD
+ - 3: RpcOverNamedPipes - Only listen for incoming RPC connections using named pipes
+ - 5: RpcOverTcp - Only listen for incoming RPC connections using TCP (default)
+ - 7: RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP
+- ForceKerberosForRpc DWORD
+ - 0: RpcAuthenticationProtocol_Negotiate - Use Negotiate protocol for RPC connection authentication (default). Negotiate negotiates between Kerberos and NTLM depending on client/server support
+ - 1: RpcAuthenticationProtocol_Kerberos - Only allow Kerberos protocol to be used for RPC authentication
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp* and *RpcAuthenticationProtocol_Negotiate*.
+
+If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
+
+The following are the supported values:
+
+- Not configured or Disabled - The print stack listens for incoming RPC connections over TCP and uses Negotiate authentication protocol.
+- Enabled - The print stack reads from the registry to determine RPC protocols to listen on and authentication protocol to use.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure RPC listener settings*
+- GP name: *ConfigureRpcListenerPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**Printers/ConfigureRpcTcpPort**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage a new DWORD Value added under the the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners and connections in the print stack.
+
+- RpcTcpPort DWORD
+ - 0: Use dynamic TCP ports for RPC over TCP (default).
+ - 1-65535: Use the given port for RPC over TCP.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the code will default to dynamic ports for *RpcOverTcp*.
+
+If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
+
+The following are the supported values:
+
+- Not configured or Disabled - The print stack uses dynamic TCP ports for RPC over TCP.
+- Enabled - The print stack reads from the registry to determine which TCP port to use for RPC over TCP.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure RPC over TCP port*
+- GP name: *ConfigureRpcTcpPort*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
**Printers/EnableDeviceControl**
-
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -345,6 +680,62 @@ ADMX Info:
+
+**Printers/ManageDriverExclusionList**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` registry key to allow administrators to curate a set of print drivers that are not allowed to be installed on the computer. This registry key was added to the print system as part of the 10C security update.
+
+The default value of the policy will be Unconfigured.
+
+If the policy object is either Unconfigured or Disabled, the registry Key will not exist and there will not be a Print Driver exclusion list.
+
+If the policy object is Enabled, the ExclusionList Reg Key will contain one or more *REG_ZS* values that represent the list of excluded print driver INF or main DLL files. Tach *REG_SZ* value will have the file hash as the name and the file name as the data value.
+
+The following are the supported values:
+
+Create REG_SZ Values under key `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList`
+
+Type: REG_SZ
+Value Name: Hash of excluded file
+Value Data: Name of excluded file
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Manage Print Driver exclusion list*
+- GP name: *ManageDriverExclusionList*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
**Printers/PointAndPrintRestrictions**
@@ -548,6 +939,61 @@ ADMX Info:
+
+**Printers/RestrictDriverInstallationToAdministrators**
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators` registry entry for restricting print driver installation to Administrator users.
+
+This registry key was added to the print system as part of the 7OOB security update and use of this registry key was expanded as part of the 8B security rollup.
+
+The default value of the policy will be Unconfigured.
+
+If the policy value is either Unconfigured or Enabled, only Administrators or members of an Administrator security group (Administrators, Domain Administrators, Enterprise Administrators) will be allowed to install print drivers on the computer.
+
+If the policy value is Disabled, standard users will also be allowed to install print drivers on the computer.
+
+The following are the supported values:
+
+- Not configured or Enabled - Only administrators can install print drivers on the computer.
+- Disabled - Standard users are allowed to install print drivers on the computer.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Restrict installation of print drivers to Administrators*
+- GP name: *RestrictDriverInstallationToAdministrators*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
## Related topics
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 09f3f50725..5d03cb7066 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -33,6 +33,9 @@ manager: aaroncz
RemoteDesktopServices/DoNotAllowPasswordSaving
@@ -130,7 +133,7 @@ ADMX Info:
-Specifies whether it require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
+Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
@@ -257,6 +260,56 @@ ADMX Info:
+
+**RemoteDesktopServices/DoNotAllowWebAuthnRedirection**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other).
+
+By default, Remote Desktop allows redirection of WebAuthn requests.
+
+If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session.
+
+If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session.
+
+If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session.
+
+
+
+ADMX Info:
+- GP Friendly name: *Do not allow WebAuthn redirection*
+- GP name: *TS_WEBAUTHN*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
+- GP ADMX file name: *terminalserver.admx*
+
+
+
+
+
+
**RemoteDesktopServices/PromptForPasswordUponConnection**
@@ -367,4 +420,4 @@ ADMX Info:
## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 60777e520f..5eb4a605e5 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -57,6 +57,9 @@ manager: aaroncz
@@ -639,6 +642,57 @@ The following list shows the supported values:
+
+**Search/DisableSearch**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Windows SE|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures.
+
+It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box.
+
+
+
+ADMX Info:
+
+- GP Friendly name: *Fully disable Search UI*
+- GP name: *DisableSearch*
+- GP path: *Windows Components/Search*
+- GP ADMX file name: *Search.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Do not disable search.
+- 1 – Disable search.
+
+
+
+
+
+
**Search/DoNotUseWebResults**
@@ -774,7 +828,7 @@ The following list shows the supported values:
-If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index..
+If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index.
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index e794d81f7b..faf949f902 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -56,6 +56,12 @@ manager: aaroncz
@@ -665,6 +680,100 @@ The following list shows the supported values:
+
+
+
+**Start/DisableControlCenter**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+This policy setting disables the Control Center button from the bottom right area on the taskbar. The Control Center area is located at the left of the clock in the taskbar and includes icons for current network and volume.
+
+If this setting is enabled, Control Center area is displayed but the button to open the Control Center will be disabled.
+
+>[!Note]
+> A reboot is required for this policy setting to take effect.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Remove control center*
+- GP name: *DisableControlCenter*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+The following are the supported values:
+
+- Integer 0 - Disabled/Not configured.
+- Integer 1 - Enabled.
+
+
+
+
+
+
+**Start/DisableEditingQuickSettings**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy will allow admins to indicate whether Quick Actions can be edited by the user.
+
+
+
+The following are the supported values:
+
+- 0: Allow editing Quick Actions (default)
+- 1: Disable editing Quick Actions
+
+
+
@@ -1208,6 +1317,47 @@ To validate on Desktop, do the following steps:
+
+**Start/HideRecommendedSection**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+This policy allows you to hide the Start Menu's Recommended section when enabled.
+
+
+
+The following are the supported values:
+
+- 0 (default): Do not hide the Start menu's Recommended section.
+- 1: Hide the Start menu's Recommended section.
+
+
+
+
+
**Start/HideRestart**
@@ -1453,6 +1603,48 @@ To validate on Desktop, do the following steps:
+
+**Start/HideTaskViewButton**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+This policy allows you to hide the Task View button from the Taskbar and its corresponding option in the Settings app.
+
+
+
+The following are the supported values:
+
+- 0 (default): Do not hide the Taskbar's Task View button.
+- 1: Hide the Taskbar's Task View button.
+
+
+
+
+
+
**Start/HideUserTile**
@@ -1622,38 +1814,15 @@ To validate on Desktop, do the following steps:
**Start/ShowOrHideMostUsedApps**
-
-
-
Edition
-
Windows 10
-
Windows 11
-
-
-
Home
-
No
-
No
-
-
-
Pro
-
Yes
-
Yes
-
-
-
Business
-
Yes
-
Yes
-
-
-
Enterprise
-
Yes
-
Yes
-
-
-
Education
-
Yes
-
Yes
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -1686,6 +1855,47 @@ On clean install, the user setting defaults to "hide".
+
+**Start/SimplifyQuickSettings**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy will allow admins to indicate whether the default or simplified Quick Actions layout should be loaded.
+
+
+
+The following are the supported values:
+
+- 0: load regular Quick Actions layout.
+- 1: load simplified Quick Actions layout.
+
+
+
+
+
+
**Start/StartLayout**
@@ -1746,4 +1956,4 @@ ADMX Info:
## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 26dfc16e2f..e056057f7a 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -138,6 +138,9 @@ ms.collection: highpri
Update/PauseDeferrals
@@ -2382,6 +2385,55 @@ The following list shows the supported values:
+
+**Update/NoUpdateNotificationDuringActiveHours**
+
+
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device.
+
+Supported value type is a boolean.
+
+0 (Default) This configuration will provide the default behavior (notifications may display during active hours)
+1: This setting will prevent notifications from displaying during active hours.
+
+
+
+ADMX Info:
+- GP Friendly name: *Display options for update notifications*
+- GP name: *NoUpdateNotificationDuringActiveHours*
+- GP element: *NoUpdateNotificationDuringActiveHours*
+- GP path: *Windows Components\WindowsUpdate\Manage end user experience*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
+
**Update/PauseDeferrals**
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
new file mode 100644
index 0000000000..bd8d22ec50
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -0,0 +1,233 @@
+---
+title: Policy CSP - WebThreatDefense
+description: Learn about the Policy CSP - WebThreatDefense.
+ms.author: v-aljupudi
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: alekyaj
+ms.localizationpriority: medium
+ms.date: 09/27/2019
+ms.reviewer:
+manager: aaroncz
+---
+
+# Policy CSP - WebThreatDefense
+
+
+
+
+
+## WebThreatDefense policies
+
+
+
+>[!NOTE]
+>In Microsoft Intune, this CSP is under the “Enhanced Phishing Protection” category.
+
+
+**WebThreatDefense/EnableService**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. When in audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender.
+
+If you enable this policy setting or don’t configure this setting, Enhanced Phishing Protection is enabled in audit mode, and your users are unable to turn it off.
+
+If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Web Threat Defense*
+- GP name: *EnableWebThreatDefenseService*
+- GP path: *Windows Security\App & browser control\Reputation-based protection\Phishing protections*
+- GP ADMX file name: *WebThreatDefense.admx*
+
+
+
+The following list shows the supported values:
+
+- 0: Turns off Enhanced Phishing Protection.
+- 1: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users.
+
+
+
+
+
+
+
+
+**WebThreatDefense/NotifyMalicious**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.
+
+If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above, and encourages them to change their password.
+
+If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.
+
+
+
+The following list shows the supported values:
+
+- 0: Turns off Enhanced Phishing Protection notifications when users type their work or school password into one of the following malicious scenarios: a reported phishing site, a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.
+- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.
+
+
+
+
+
+
+**WebThreatDefense/NotifyPasswordReuse**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
+
+If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
+
+If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.
+
+
+
+The following list shows the supported values:
+
+- 0: Turns off Enhanced Phishing Protection notifications when users reuse their work or school password.
+- 1: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.
+
+
+
+
+
+
+
+**WebThreatDefense/NotifyUnsafeApp**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Windows SE|No|Yes|
+|Business|No|Yes|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc.
+
+If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in text editor apps.
+
+If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in text editor apps.
+
+
+The following list shows the supported values:
+
+- 0: Turns off Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc.
+- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps.
+
+
+
+
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index bb762016fc..0bc134a4cc 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -35,6 +35,9 @@ manager: aaroncz
@@ -362,6 +365,52 @@ Supported values:
+
+**WindowsLogon/EnableMPRNotifications**
+
+
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy allows winlogon to send MPR notifications in the system if a credential manager is configured.
+
+If you disable (0), MPR notifications will not be sent by winlogon.
+
+If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon.
+
+
+
+Supported values:
+
+- 0 - disabled
+- 1 (default)- enabled
+
+
+
+
+
+
**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index f3891cb68f..1c50ab927a 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -128,7 +128,7 @@ This policy setting allows you to turn off discovering the display service adver
The following list shows the supported values:
-- 0 - Don't allow
+- 0 - Doesn't allow
- 1 - Allow
@@ -166,9 +166,9 @@ The table below shows the applicability of Windows:
This policy setting allows you to disable the infrastructure movement detection feature.
-If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you're projecting over infrastructure.
+- If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure.
-If you set it to 1, your PC will detect that you've moved and will automatically disconnect your infrastructure Wireless Display session.
+- If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session.
The default value is 1.
@@ -177,7 +177,7 @@ The default value is 1.
The following list shows the supported values:
-- 0 - Don't allow
+- 0 - Doesn't allow
- 1 (Default) - Allow
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index 1e4509043f..9dc7485482 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -1,7 +1,7 @@
---
title: SharedPC CSP
description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -31,6 +31,7 @@ The following example shows the SharedPC configuration service provider manageme
./Vendor/MSFT
SharedPC
----EnableSharedPCMode
+----EnableSharedPCModeWithOneDriveSync
----SetEduPolicies
----SetPowerPolicies
----MaintenanceStartTime
@@ -47,12 +48,12 @@ SharedPC
----InactiveThreshold
----MaxPageFileSizeMB
```
-**./Vendor/MSFT/SharedPC**
+**./Vendor/MSFT/SharedPC**
The root node for the SharedPC configuration service provider.
The supported operation is Get.
-**EnableSharedPCMode**
+**EnableSharedPCMode**
A boolean value that specifies whether Shared PC mode is enabled.
The supported operations are Add, Get, Replace, and Delete.
@@ -61,16 +62,23 @@ Setting this value to True triggers the action to configure a device to Shared P
The default value is Not Configured and SharedPC mode is not enabled.
-**SetEduPolicies**
+**EnableSharedPCModeWithOneDriveSync**
+Setting this node to true triggers the action to configure a device to Shared PC mode with OneDrive sync turned on.
+
+The supported operations are Add, Get, Replace, and Delete.
+
+The default value is false.
+
+**SetEduPolicies**
A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment.
The supported operations are Add, Get, Replace, and Delete.
-The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode.
+The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode.
In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
-**SetPowerPolicies**
+**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
> [!NOTE]
@@ -80,7 +88,7 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True.
-**MaintenanceStartTime**
+**MaintenanceStartTime**
Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
> [!NOTE]
@@ -90,7 +98,7 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM).
-**SignInOnResume**
+**SignInOnResume**
Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
> [!NOTE]
@@ -100,8 +108,8 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
-**SleepTimeout**
-The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
+**SleepTimeout**
+The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
> [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
@@ -110,7 +118,7 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600.
-**EnableAccountManager**
+**EnableAccountManager**
A boolean that enables the account manager for shared PC mode.
> [!NOTE]
@@ -120,7 +128,7 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
-**AccountModel**
+**AccountModel**
Configures which type of accounts are allowed to use the PC.
> [!NOTE]
@@ -136,7 +144,7 @@ The following list shows the supported values:
Its value in the SharedPC provisioning package is 1 or 2.
-**DeletionPolicy**
+**DeletionPolicy**
Configures when accounts are deleted.
> [!NOTE]
@@ -149,7 +157,7 @@ For Windows 10, version 1607, here's the list shows the supported values:
- 0 - Delete immediately.
- 1 (default) - Delete at disk space threshold.
-For Windows 10, version 1703, here's the list of supported values:
+For Windows 10, version 1703, here's the list of supported values:
- 0 - Delete immediately.
- 1 - Delete at disk space threshold.
@@ -157,7 +165,7 @@ For Windows 10, version 1703, here's the list of supported values:
The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2.
-**DiskLevelDeletion**
+**DiskLevelDeletion**
Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first.
> [!NOTE]
@@ -169,7 +177,7 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel
The supported operations are Add, Get, Replace, and Delete.
-**DiskLevelCaching**
+**DiskLevelCaching**
Sets the percentage of available disk space a PC should have before it stops deleting cached accounts.
> [!NOTE]
@@ -181,48 +189,48 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel
The supported operations are Add, Get, Replace, and Delete.
-**RestrictLocalStorage**
-Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional.
+**RestrictLocalStorage**
+Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional.
The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
-**KioskModeAUMID**
-Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
+**KioskModeAUMID**
+Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
-- Value type is string.
-- Supported operations are Add, Get, Replace, and Delete.
+- Value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
-**KioskModeUserTileDisplayText**
-Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional.
+**KioskModeUserTileDisplayText**
+Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
-**InactiveThreshold**
+**InactiveThreshold**
Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
-- The default value is Not Configured.
-- Value type is integer.
+- The default value is Not Configured.
+- Value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 30.
-**MaxPageFileSizeMB**
-Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional.
+**MaxPageFileSizeMB**
+Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
-- Default value is Not Configured.
-- Value type is integer.
+- Default value is Not Configured.
+- Value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 1024.
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index 1eb414317a..071887f881 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -1,7 +1,7 @@
---
title: SharedPC DDF file
description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -70,6 +70,32 @@ The XML below is the DDF for Windows 10, version 1703.
+
+ EnableSharedPCModeWithOneDriveSync
+
+
+
+
+
+
+
+ false
+ Setting this node to “1” triggers the action to configure a device to Shared PC mode with OneDrive sync turned on
+
+
+
+
+
+
+
+
+
+ Enable Shared PC mode with OneDrive sync
+
+
+
+
+ SetEduPolicies
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 859cfd31fa..031dc15d89 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -299,6 +299,11 @@ items:
items:
- name: HealthAttestation DDF
href: healthattestation-ddf.md
+ - name: Local Administrator Password Solution CSP
+ href: laps-csp.md
+ items:
+ - name: Local Administrator Password Solution DDF
+ href: laps-ddf-file.md
- name: MultiSIM CSP
href: multisim-csp.md
items:
@@ -333,6 +338,11 @@ items:
items:
- name: PassportForWork DDF file
href: passportforwork-ddf.md
+ - name: PersonalDataEncryption CSP
+ href: personaldataencryption-csp.md
+ items:
+ - name: PersonalDataEncryption DDF file
+ href: personaldataencryption-ddf-file.md
- name: Personalization CSP
href: personalization-csp.md
items:
@@ -685,6 +695,8 @@ items:
href: policy-csp-deliveryoptimization.md
- name: Desktop
href: policy-csp-desktop.md
+ - name: DesktopAppInstaller
+ href: policy-csp-desktopappinstaller.md
- name: DeviceGuard
href: policy-csp-deviceguard.md
- name: DeviceHealthMonitoring
@@ -733,6 +745,8 @@ items:
href: policy-csp-licensing.md
- name: LocalPoliciesSecurityOptions
href: policy-csp-localpoliciessecurityoptions.md
+ - name: LocalSecurityAuthority
+ href: policy-csp-lsa.md
- name: LocalUsersAndGroups
href: policy-csp-localusersandgroups.md
- name: LockDown
@@ -813,6 +827,8 @@ items:
href: policy-csp-userrights.md
- name: VirtualizationBasedTechnology
href: policy-csp-virtualizationbasedtechnology.md
+ - name: WebThreatDefense
+ href: policy-csp-webthreatdefense.md
- name: Wifi
href: policy-csp-wifi.md
- name: WindowsAutoPilot
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index e8c9563d43..15cbeaed69 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -322,10 +322,8 @@ Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
-- Bit 3 - Set to 1 when Application Guard installed on the client machine.
+- Bit 3 - Set to 1 when Application Guard is installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
- > [!IMPORTANT]
- > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
@@ -381,4 +379,4 @@ ADMX Info:
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index b648d8d7c1..0b4918cbd6 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -10,6 +10,7 @@ ms.author: vinpa
manager: aaroncz
ms.reviewer: pmadrigal
ms.collection: highpri
+ms.date: 08/26/2022
---
# Use Quick Assist to help users
@@ -18,7 +19,7 @@ Quick Assist is a Microsoft Store application that enables a person to share the
## Before you begin
-All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
+All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
> [!NOTE]
> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.
@@ -35,24 +36,30 @@ Both the helper and sharer must be able to reach these endpoints over port 443:
| Domain/Name | Description |
|--|--|
-| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
-| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) |
-| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
-| `*.aria.microsoft.com` | Used for accessibility features within the app |
| `*.api.support.microsoft.com` | API access for Quick Assist |
-| `*.vortex.data.microsoft.com` | Used for diagnostic data |
+| `*.aria.microsoft.com` | Used for accessibility features within the app |
+| `*.cc.skype.com` | Azure Communication Service for chat and connection between parties |
| `*.channelservices.microsoft.com` | Required for chat services within Quick Assist |
+| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
+| `*.edgeassetservice.azureedge.net` | Used for diagnostic data |
+| `*.flightproxy.skype.com` | Azure Communication Service for chat and connection between parties |
+| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) |
+| `*.monitor.azure.com` | Service Performance Monitoring |
+| `*.registrar.skype.com` | Azure Communication Service for chat and connection between parties. |
| `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. |
+| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
+| `*.trouter.skype.com` | Azure Communication Service for chat and connection between parties. |
| `*.turn.azure.com` | Protocol used to help endpoint. |
+| `*.vortex.data.microsoft.com` | Used for diagnostic data |
| `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
-| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
-| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
+| `edge.skype.com` | Azure Communication Service for chat and connection between parties. |
+| `events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
## How it works
1. Both the helper and the sharer start Quick Assist.
-2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer.
+2. The helper selects **Assist another person**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer.
3. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session.
@@ -89,10 +96,11 @@ Either the support staff or a user can start a Quick Assist session.
1. Support staff ("helper") starts Quick Assist in any of a few ways:
- Type *Quick Assist* in the search box and press ENTER.
- - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**.
- - Type CTRL+Windows+Q
+ - Press **CTRL** + **Windows** + **Q**
+ - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**.
+ - For **Windows 11** users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**.
-2. In the **Give assistance** section, helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code.
+2. In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code.
3. Helper shares the security code with the user over the phone or with a messaging system.
@@ -102,9 +110,51 @@ Either the support staff or a user can start a Quick Assist session.
6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button.
-## If Quick Assist is missing
+## Install Quick Assist
-If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it. For more information, see [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca).
+### Install Quick Assist from the Microsoft Store
+
+1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5).
+1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, you'll see **Get** change to **Open**. :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner.":::
+
+For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca).
+
+### Install Quick Assist with Intune
+
+Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5.
+
+1. Go to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) and navigate to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
+1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com).
+1. Select **Manage** / **Settings** and turn on **Show offline apps**.
+1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not.
+1. Search for **Quick Assist** and select it from the Search results.
+1. Choose the **Offline** license and select **Get the app**
+1. From the Intune portal (Endpoint Manager admin center) choose **Sync**.
+1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list.
+1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link.
+1. Assign the app to the required group of devices and choose **Review + save** to complete the application install.
+
+> [!NOTE]
+> Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context.
+
+Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) for more information.
+
+### Install Quick Assist Offline
+
+To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.
+
+1. Start **Windows PowerShell** with Administrative privileges.
+1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD <*location of package file*>)
+1. Run the following command to install Quick Assist: *Add-appxprovisionedpackage -online -PackagePath "MicrosoftCorporationII.QuickAssist_2022.509.2259.0_neutral___8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"*
+1. After Quick Assist has installed, run this command: _Get-appxpackage \*QuickAssist* -alluser_
+
+After running the command, you'll see Quick Assist 2.X is installed for the user.
+
+## Microsoft Edge WebView2
+
+The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist app is written using this control and is required. For Windows 11 users, this runtime control is built in. For Windows 10 users, the Quick Assist Store app will detect if WebView2 is present on launch and if necessary, it will be installed automatically. If an error message or prompt is shown indicating WebView2 isn't present, it will need to be installed separately.
+
+For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution)
## Next steps
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 24868ba91e..0c16704142 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -43,7 +43,7 @@
- name: Accessibility settings
items:
- name: Accessibility information for IT Pros
- href: windows-10-accessibility-for-ITPros.md
+ href: windows-accessibility-for-ITPros.md
- name: Configure access to Microsoft Store
href: stop-employees-from-using-microsoft-store.md
- name: Configure Windows Spotlight on the lock screen
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index f9af3940ce..18237e9510 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -157,7 +157,7 @@ Use the following steps to add your XML file to a group policy, and apply the po
4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes.
- For more information on using group policies, see [Implement Group Policy Objects](/learn/modules/implement-group-policy-objects/).
+ For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/).
### Create a Microsoft Endpoint Manager policy to deploy your XML file
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 18a8bd0b88..346cc5e640 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -21,6 +21,7 @@
"files": [
"**/*.png",
"**/*.jpg",
+ "**/*.svg",
"**/*.gif"
],
"exclude": [
@@ -36,10 +37,10 @@
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
- "audience": "ITPro",
"ms.topic": "article",
- "feedback_system": "None",
- "hideEdit": false,
+ "feedback_system": "GitHub",
+ "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-configuration",
@@ -58,7 +59,12 @@
],
"searchScope": ["Windows 10"]
},
- "fileMetadata": {},
+ "fileMetadata": {
+ "feedback_system": {
+ "ue-v/**/*.*": "None",
+ "cortana-at-work/**/*.*": "None"
+ }
+ },
"template": [],
"dest": "win-configuration",
"markdownEngineName": "markdig"
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index d26ff8c364..e0277d5709 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -59,7 +59,7 @@ ms.topic: article
@@ -192,7 +192,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
@@ -313,7 +313,7 @@ This sample demonstrates that only a global profile is used, with no active user
@@ -365,7 +365,7 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 209003e5e1..7f321d5025 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -458,7 +458,7 @@ Usage is demonstrated below, by using the new XML namespace and specifying `Glob
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 3e4b126512..a1ac8234e6 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -160,12 +160,12 @@ Here is a list of CSPs supported on Windows 10 Enterprise:
- [Maps CSP](/windows/client-management/mdm/maps-csp)
- [NAP CSP](/windows/client-management/mdm/filesystem-csp)
- [NAPDEF CSP](/windows/client-management/mdm/napdef-csp)
-- [NodeCache CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723265)
+- [NodeCache CSP](https://go.microsoft.com/fwlink/p/?LinkId=723265)
- [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp)
- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
-- [PolicyManager CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723418)
+- [PolicyManager CSP](https://go.microsoft.com/fwlink/p/?LinkId=723418)
- [Provisioning CSP](/windows/client-management/mdm/provisioning-csp)
-- [Proxy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723372)
+- [Proxy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723372)
- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp)
- [Registry CSP](/windows/client-management/mdm/registry-csp)
- [RemoteFind CSP](/windows/client-management/mdm/remotefind-csp)
@@ -179,6 +179,6 @@ Here is a list of CSPs supported on Windows 10 Enterprise:
- [Update CSP](/windows/client-management/mdm/update-csp)
- [VPN CSP](/windows/client-management/mdm/vpn-csp)
- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
-- [Wi-Fi CSP](/documentation/)
+- [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp)
- [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp)
- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp)
diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md
index cc9735faab..4f791b62a0 100644
--- a/windows/configuration/supported-csp-start-menu-layout-windows.md
+++ b/windows/configuration/supported-csp-start-menu-layout-windows.md
@@ -14,6 +14,7 @@ ms.localizationpriority: medium
**Applies to**:
- Windows 11
+- Windows 11, version 22H2
The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices.
@@ -49,6 +50,10 @@ For information on customizing the Start menu layout using policy, see [Customiz
The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu.
+**The following policies are supported starting with Windows 11, version 22H2:**
+
+- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
+- [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus)
## Existing CSP policies that Windows 11 doesn't support
- [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout)
@@ -56,6 +61,9 @@ For information on customizing the Start menu layout using policy, see [Customiz
- [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps)
- Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu`
+
+> [!NOTE]
+> The following two policies are supported starting in Windows 11, version 22H2
- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
- Group policy:
diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md
deleted file mode 100644
index 6bd9df7cb4..0000000000
--- a/windows/configuration/windows-10-accessibility-for-ITPros.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Windows 10 accessibility information for IT Pros (Windows 10)
-description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them
-keywords: accessibility, settings, vision, hearing, physical, cognition, assistive
-ms.prod: w10
-ms.author: lizlong
-author: lizgt2000
-ms.localizationpriority: medium
-ms.date: 01/12/2018
-ms.reviewer:
-manager: aaroncz
-ms.topic: reference
----
-
-# Accessibility information for IT Professionals
-Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
-This topic helps IT administrators learn about built-in accessibility features, and includes a few recommendations for how to support people in your organization who use these features.
-
-## General recommendations
-- **Be aware of Ease of Access settings** – Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows 10.
-- **Do not block settings** – Avoid using Group Policy or MDM settings that override Ease of Access settings.
-- **Encourage choice** – Allow people in your organization to customize their computers based on their needs. That customization might mean installing an add-on for their browser, or a non-Microsoft assistive technology.
-
-## Vision
-
-| Accessibility feature | Description |
-|---------------------------|------------|
-| [Use Narrator to use devices without a screen](https://support.microsoft.com/help/22798/windows-10-narrator-get-started) | Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices.|
-| [Create accessible apps](https://developer.microsoft.com/windows/accessible-apps) | You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.|
-| Use keyboard shortcuts for [Windows](https://support.microsoft.com/help/12445/windows-keyboard-shortcuts), [Narrator](https://support.microsoft.com/help/22806), and [Magnifier](https://support.microsoft.com/help/13810) | Get the most out of Windows with shortcuts for apps and desktops.|
-| Get closer with [Magnifier](https://support.microsoft.com/help/11542/windows-use-magnifier) | Magnifier enlarges all or part of your screen and offers various configuration settings.|
-| [Cursor and pointer adjustments](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.|
-| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.|
-| [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
-| [Customize the size](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) of screen items | You can adjust the size of text, icons, and other screen items to make them easier to see.|
-| [Improve contrast](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Many high-contrast themes are available to suit your needs.|
-| [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.|
-| [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.|
-| [Read in Braille](https://support.microsoft.com/help/4004263) | Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.|
-
-## Hearing
-
-| Accessibility feature | Description |
-|---------------------------|------------|
-| [Transcribe with Translator](https://www.skype.com/en/features/skype-translator) | Translator can transcribe voice to text so you won’t miss what’s being said. |
-| [Use Skype for sign language](https://www.skype.com/en/) | Skype is available on various platforms and devices, so you don’t have to worry about whether your co-workers, friends and family can communicate with you.|
-| [Get visual notifications for sounds](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | You can replace audible alerts with visual alerts.|
-| [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear)|If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.|
-| [Read spoken words with closed captioning](https://support.microsoft.com/help/21055/windows-10-closed-caption-settings) | You can customize things like color, size, and background transparency to suit your needs and tastes.|
-| [Switch to mono audio](https://support.microsoft.com/help/27933/) | Sending all sounds to both left and right channels is helpful for those people with partial hearing loss or deafness in one ear.|
-
-## Physical
-
-| Accessibility feature | Description|
-|---------------------------|------------|
-| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.|
-| [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
-| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).|
-| [Live Tiles](https://support.microsoft.com/help/17176/windows-10-organize-your-apps)| Because Live Tiles display constantly updated information for many apps, you don't have to bother actually opening them. You can arrange, resize, and move tiles as needed.|
-| [Keyboard assistance features](https://support.microsoft.com/help/27936)| You can personalize your keyboard to ignore repeated keys and do other helpful things if you have limited control of your hands.|
-| [Mouse Keys](https://support.microsoft.com/help/27936)|If a mouse is difficult to use, you can control the pointer by using your numeric keypad.|
-
-## Cognition
-
-| Accessibility feature | Description|
-|---------------------------|------------|
-| [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.|
-| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).|
-| [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
-| [Use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721) | Fluent Sitka Small and Fluent Calibri are fonts that address "visual crowding" by adding character and enhance word and line spacing. |
-| [Edge Reading View](https://support.microsoft.com/help/17204/windows-10-take-your-reading-with-you) | Clears distracting content from web pages so you can stay focused on what you really want to read. |
-| [Edge includes an e-book reader](https://support.microsoft.com/help/4014945) | The Microsoft Edge e-book reader includes options to increase text spacing and read text aloud to help make it easier for everyone to read and enjoy text, including people with learning differences like dyslexia and English language learners. |
-
-
-
-## Assistive technology devices built into Windows 10
-| Assistive technology | How it helps |
-|---------------------------|------------|
-| [Hear text read aloud with Narrator](https://support.microsoft.com/help/17173) | Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.|
-| [Use Speech Recognition]( https://support.microsoft.com/help/17208 ) | Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.|
-| [Save time with keyboard shortcuts]( https://support.microsoft.com/help/17189) | Keyboard shortcuts for apps and desktops.|
-
-## Other resources
-[Windows accessibility](https://www.microsoft.com/Accessibility/windows)
-
-[Designing accessible software]( https://msdn.microsoft.com/windows/uwp/accessibility/designing-inclusive-software)
-
-[Inclusive Design](https://www.microsoft.com/design/inclusive)
-
-[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)
-
diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md
new file mode 100644
index 0000000000..38c0ed6030
--- /dev/null
+++ b/windows/configuration/windows-accessibility-for-ITPros.md
@@ -0,0 +1,117 @@
+---
+title: Windows accessibility information for IT Pros
+description: Lists the various accessibility features available in Windows client with links to detailed guidance on how to set them.
+ms.prod: windows-client
+ms.technology: itpro-configure
+ms.author: lizlong
+author: lizgt2000
+ms.reviewer:
+manager: aaroncz
+ms.localizationpriority: medium
+ms.date: 09/20/2022
+ms.topic: reference
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+---
+
+# Accessibility information for IT professionals
+
+Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
+
+This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features.
+
+Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).
+
+## General recommendations
+
+- **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows.
+
+- **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings.
+
+- **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology.
+
+## Vision
+
+- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Starting in Windows 11, version 22H2, Narrator includes more natural voices.
+
+- [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.
+
+- Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops.
+
+ - [Keyboard shortcuts in Windows](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec)
+ - [Narrator keyboard commands and touch gestures](https://support.microsoft.com/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a)
+ - [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd)
+
+- Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings.
+
+- [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d).
+
+ - Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.
+ - Adjust the size of text, icons, and other screen items to make them easier to see.
+ - Many high-contrast themes are available to suit your needs.
+
+- [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
+
+- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do.
+
+- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
+
+- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
+
+- [Read in Braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
+
+## Hearing
+
+- [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said.
+
+- [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you.
+
+- [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1).
+
+ - Replace audible alerts with visual alerts.
+ - If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
+ - Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear.
+
+- [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). You can customize things like color, size, and background transparency to suit your needs and tastes.
+
+- Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions.
+
+## Physical
+
+- [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
+
+- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do.
+
+- [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion.
+
+- [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe).
+
+ - If you have limited control of your hands, you can personalize your keyboard to do helpful things like ignore repeated keys.
+ - If a mouse is difficult to use, you can control the pointer by using your numeric keypad.
+
+## Cognition
+
+- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
+
+- [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing.
+
+- [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read.
+
+## Assistive technology devices built into Windows
+
+- [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.
+
+- [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571).
+
+- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
+
+## Other resources
+
+[Windows accessibility](https://www.microsoft.com/Accessibility/windows)
+
+[Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software)
+
+[Inclusive design](https://www.microsoft.com/design/inclusive)
+
+[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)
diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json
deleted file mode 100644
index 3ecf9e6104..0000000000
--- a/windows/configure/docfx.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "feedback_system": "None",
- "hideEdit": true,
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.windows-configure"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "windows-configure",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json
deleted file mode 100644
index 24a5e3b0ff..0000000000
--- a/windows/deploy/docfx.json
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.windows-deploy",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "windows-deploy",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 5daa9b74d5..902c4828e2 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -263,7 +263,7 @@
href: update/update-compliance-schema-waasupdatestatus.md
- name: WaaSInsiderStatus
href: update/update-compliance-schema-waasinsiderstatus.md
- - name: WaaSDepoymentStatus
+ - name: WaaSDeploymentStatus
href: update/update-compliance-schema-waasdeploymentstatus.md
- name: WUDOStatus
href: update/update-compliance-schema-wudostatus.md
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index d398777f84..3f3f880cc0 100644
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -33,7 +33,7 @@ The following is a list of items that you should be aware of before you start th
* When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive.
-* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
+* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
* If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive.
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index 6e2cfcba95..ad1f0f4c84 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -21,9 +21,8 @@
"files": [
"**/*.png",
"**/*.jpg",
- "**/*.gif",
- "**/*.pdf",
- "**/*.vsdx"
+ "**/*.svg",
+ "**/*.gif"
],
"exclude": [
"**/obj/**",
@@ -37,9 +36,6 @@
"recommendations": true,
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
- "ms.technology": "windows",
- "audience": "ITPro",
- "ms.topic": "article",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index bb24db00ba..5da61c2f9a 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -100,8 +100,8 @@ landingContent:
- linkListType: learn
links:
- text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps
- url: /learn/modules/windows-plan
+ url: /training/modules/windows-plan
- text: Prepare to deploy updates for Windows 10 and Microsoft 365 Apps
- url: /learn/modules/windows-prepare/
+ url: /training/modules/windows-prepare/
- text: Deploy updates for Windows 10 and Microsoft 365 Apps
- url: /learn/modules/windows-deploy
\ No newline at end of file
+ url: /training/modules/windows-deploy
diff --git a/windows/deployment/media/Windows10AutopilotFlowchart.pdf b/windows/deployment/media/Windows10AutopilotFlowchart.pdf
deleted file mode 100644
index 5ab6f1c52e..0000000000
Binary files a/windows/deployment/media/Windows10AutopilotFlowchart.pdf and /dev/null differ
diff --git a/windows/deployment/media/Windows10Autopilotflowchart.vsdx b/windows/deployment/media/Windows10Autopilotflowchart.vsdx
deleted file mode 100644
index ef702ab66b..0000000000
Binary files a/windows/deployment/media/Windows10Autopilotflowchart.vsdx and /dev/null differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf
deleted file mode 100644
index 3a4c5f022e..0000000000
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.pdf and /dev/null differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx
deleted file mode 100644
index 8b2db358ff..0000000000
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx and /dev/null differ
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 8aa8e68722..4a695dc7b7 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -50,10 +50,10 @@ sections:
- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
- - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html)
- - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
- - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984)
- - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
+ - [HP driver pack](https://www.hp.com/us-en/solutions/client-management-solutions/drivers-pack.html)
+ - [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
+ - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984)
+ - [Panasonic Driver Pack for Enterprise](https://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
- question: |
Where can I find out if an application or device is compatible with Windows 10?
@@ -125,7 +125,7 @@ sections:
answer: |
For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
- Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
+ Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
@@ -152,4 +152,3 @@ sections:
- If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
- If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum).
- If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
- - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home).
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index 8b93291b64..cbcb7c8acb 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -1,11 +1,14 @@
---
-title: "How to check Windows release health"
+title: How to check Windows release health
+description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
+ms.date: 08/16/2022
ms.author: v-nishmi
author: DocsPreview
manager: jren
-ms.topic: article
+ms.reviewer: mstewart
+ms.topic: how-to
ms.prod: w10
-localization_priority: Normal
+localization_priority: medium
ms.custom:
- Adm_O365
- 'O365P_ServiceHealthModern'
@@ -21,37 +24,35 @@ search.appverid:
- MOE150
- BCS160
- IWA160
-description: "Check the release health status of Microsoft 365 services before you call support to see if there is an active service interruption."
-feedback_system: none
---
# How to check Windows release health
-The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues so you can troubleshoot issues your users may be experiencing and/or to determine when, and at what scale, to deploy an update in your organization.
+The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization.
-If you are unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from logging into your tenant.
+If you're unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from signing into your tenant.
-To be informed about the latest updates and releases, follow us on Twitter [@WindowsUpdate](https://twitter.com/windowsupdate).
+To be informed about the latest updates and releases, follow [@WindowsUpdate](https://twitter.com/windowsupdate) on Twitter.
## How to review Windows release health information
-1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2024339), and sign in with an administrator account.
+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com), and sign in with an administrator account.
> [!NOTE]
- > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true#roles-available-in-the-microsoft-365-admin-center).
+ > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles).
2. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
-3. On the **Windows release health** page, you will have access to known issue information for all supported versions of the Windows operating system.
+3. On the **Windows release health** page, you'll have access to known issue information for all supported versions of the Windows operating system.
The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.
- A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days.
-
+ A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days.
+
-
+
The **History** tab shows the history of known issues that have been resolved for up to 6 months.
@@ -64,24 +65,23 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win
- **Originating KB** - The KB number where the issue was first identified.
- **Originating build** - The build number for the KB.
- Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. Here is an example:
+ Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. For example:
-
+
## Status definitions
In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows:
-
| Status | Definition |
|:-----|:-----|
-|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there is no confirmation that users are affected. |
-|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue’s scope of impact, mitigation steps, and root cause. |
-|**Confirmed** | After close review, Microsoft teams have determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
+|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there's no confirmation that users are affected. |
+|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue's scope, mitigation steps, and root cause. |
+|**Confirmed** | After close review, Microsoft has determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
|**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue will stay in this state until a KB article is released by Microsoft to resolve the known issue. |
|**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue that was caused by a software or driver from a third-party software or device manufacturer. A known issue will stay in this state until the issue is resolved by Microsoft or the third-party. |
-|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it’s deployed in the customer’s environment. |
-|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it’s deployed in the customer’s environment. |
+|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it's deployed in the customer's environment. |
+|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it's deployed in the customer's environment. |
## Known issue history
@@ -97,29 +97,29 @@ A list of all status updates posted in the selected timeframe will be displayed,
### Windows release health coverage
-- **What is Windows release health?**
+- **What is Windows release health?**
Windows release health is a Microsoft informational service created to keep licensed Windows customers aware of identified known issues and important announcements.
- **Microsoft 365 service health content is specific to my tenants and services. Is the content in Windows release health specific to my Windows environment?**
- Windows release health does not monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
+ Windows release health doesn't monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
- **Where do I find Windows release health?**
- After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, click **Health** and you’ll see **Windows release health**.
+ After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** and you'll see **Windows release health**.
- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Docs.microsoft.com?**
- No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you’ll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
+ No. While the content is similar, you may see more issues and technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you'll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
- **How often will content be updated?**
- In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
+ To ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have more details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
- **Can I share this content publicly or with other Windows customers?**
- Windows release health is provided to you as a licensed Windows customer and is not to be shared publicly.
+ Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly.
- **Is the content redundant? How is the content organized in the different tabs?**
- Windows release health provides three tabs. The landing **All versions** tab allows you to click into a specific version of Windows. The Known issues tab shows the list of issues that are active or resolved in the past 30 days. The History tab shows a six-month history of known issues that have been resolved.
+ Windows release health provides three tabs. The landing **All versions** tab allows you to select a specific version of Windows. The **Known issues** tab shows the list of issues that are active or resolved in the past 30 days. The **History** tab shows a six-month history of known issues that have been resolved.
-- **How do I find information for the versions of Windows I’m managing?**
- On the **All versions** tab, you can select any Windows version. This will take you to the Known issues tab filtered for the version you selected. The known issues tab provides the list of active known issues and those resolved in the last 30 days. This selection persists throughout your session until changed. From the History tab you can view the list of resolved issues for that version. To change versions, use the filter in the tab.
+- **How do I find information for the versions of Windows I'm managing?**
+ On the **All versions** tab, you can select any Windows version. This action takes you to the **Known issues** tab filtered for the version you selected. The **Known issues** tab provides the list of active known issues and the issues resolved in the last 30 days. This selection persists throughout your session until changed. From the **History** tab, you can view the list of resolved issues for that version. To change versions, use the filter in the tab.
### Microsoft 365 Admin Center functions
@@ -127,13 +127,13 @@ A list of all status updates posted in the selected timeframe will be displayed,
You can search Microsoft 365 admin center pages using keywords. For Windows release health, go to the desired product page and search using KB numbers, build numbers, or keywords.
- **How do I add other Windows admins?**
- Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of “Service Support admin.”
+ Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of **Service Support admin**.
-- **Why can’t I click to the KB article from the Known issues or History tabs?**
- Within the issue description, you’ll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue’s Details pane.
+- **Why can't I click to the KB article from the Known issues or History tabs?**
+ Within the issue description, you'll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue's Details pane.
-- **Microsoft 365 admin center has a mobile app but I don’t see Windows release health under the Health menu. Is this an open issue?**
- We are working to build the Windows release health experience on mobile devices in a future release.
+- **Microsoft 365 admin center has a mobile app but I don't see Windows release health under the Health menu. Is this an open issue?**
+ We're working to build the Windows release health experience on mobile devices in a future release.
### Help and support
@@ -141,7 +141,7 @@ A list of all status updates posted in the selected timeframe will be displayed,
Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support.
- **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?**
- The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the Known issue you’re seeking help on, click the Details pane and you’ll find the ID under the issue title. It will be the letters WI followed by a number, similar to “WI123456”.
+ The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. It will be the letters `WI` followed by a number, similar to `WI123456`.
- **How can I learn more about expanding my use of Microsoft 365 admin center?**
- To learn more, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center).
+ For more information, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center).
diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md
index ef6be01503..bc3f4c1e0e 100644
--- a/windows/deployment/update/deploy-updates-configmgr.md
+++ b/windows/deployment/update/deploy-updates-configmgr.md
@@ -2,9 +2,9 @@
title: Deploy Windows client updates with Configuration Manager
description: Deploy Windows client updates with Configuration Manager
ms.prod: w10
-author: aczechowski
+author: mestew
ms.localizationpriority: medium
-ms.author: aaroncz
+ms.author: mstewart
ms.reviewer:
manager: dougeby
ms.topic: article
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 933d4dd014..f8d5a8cd98 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -88,8 +88,8 @@ The Microsoft Graph SDK includes a PowerShell extension that you can use to scri
### Building your own application
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
-- Learning Path: [Microsoft Graph Fundamentals](/learn/paths/m365-msgraph-fundamentals/)
-- Learning Path: [Build apps with Microsoft Graph](/learn/paths/m365-msgraph-associate/)
+- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
+- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
Once you are familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
index ec78a072db..80aca45d8a 100644
--- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -22,7 +22,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on
|**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
|**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there's either no string matching the error or there's no error. |
|**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there's either no error or there's *no error code*, meaning that the issue raised doesn't correspond to an error, but some inferred issue. |
-|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:
**Update completed**: Device has completed the update installation.
**In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
**Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
**Canceled**: The update was canceled.
**Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
**Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.
**Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
**Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
+|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:
**Update completed**: Device has completed the update installation.
**In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.
**Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.
**Canceled**: The update was canceled.
**Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.
**Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.
**Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update.
**Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.
**Progress stalled**: The update is in progress, but has not completed over a period of 7 days.|
|**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:
**Not Started**: Update hasn't started because the device isn't targeting the latest 2 builds
**Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.
**Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.
**Update offered**: The device has been offered the update, but hasn't begun downloading it.
**Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.
**Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and won't resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).
**Download started**: The update has begun downloading on the device.
**Download Succeeded**: The update has successfully completed downloading.
**Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.
**Install Started**: Installation of the update has begun.
**Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.
**Reboot Pending**: The device has a scheduled reboot to apply the update.
**Reboot Initiated**: The scheduled reboot has been initiated.
**Commit**: Changes are being committed post-reboot. This is another step of the installation process.
**Update Completed**: The update has successfully installed.|
|**ExpectedInstallDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
|**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |
diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md
index 1dabf9b1e5..765128a9dc 100644
--- a/windows/deployment/update/update-compliance-v2-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md
@@ -9,7 +9,7 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
-ms.date: 06/06/2022
+ms.date: 08/24/2022
---
# Configuring Microsoft Endpoint Manager devices for Update Compliance (preview)
@@ -29,48 +29,79 @@ This article is specifically targeted at configuring devices enrolled to [Micros
## Create a configuration profile
-Take the following steps to create a configuration profile that will set required policies for Update Compliance:
+Create a configuration profile that will set the required policies for Update Compliance. There are two profile types that can be used to create a configuration profile for Update Compliance:
+- The [settings catalog](#settings-catalog)
+- [Template](#custom-oma-uri-based-profile) for a custom OMA URI based profile
-1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**.
-1. On the **Configuration profiles** view, select **Create a profile**.
+### Settings catalog
+
+1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**.
+1. On the **Configuration profiles** view, select **Create profile**.
+1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**.
+1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
+1. On the **Configuration settings** page, you'll be adding multiple settings from the **System** category. Using the **Settings picker**, select the **System** category, then add the following settings and values:
+ 1. Required settings for Update Compliance:
+ - **Setting**: Allow Commercial Data Pipeline
+ - **Value**: Enabled
+ - **Setting**: Allow Telemetry
+ - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*)
+ - **Setting**: Allow Update Compliance Processing
+ - **Value**: Enabled
+ 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance:
+ - **Setting**: Configure Telemetry Opt In Change Notification
+ - **Value**: Disable telemetry change notifications
+ - **Setting**: Configure Telemetry Opt In Settings Ux
+ - **Value**: Disable Telemetry opt-in Settings
+ 1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Update Compliance:
+ - **Setting**: Allow device name to be sent in Windows diagnostic data
+ - **Value**: Allowed
+
+1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
+1. Review the settings and then select **Create**.
+
+### Custom OMA URI based profile
+
+1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**.
+1. On the **Configuration profiles** view, select **Create profile**.
1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
-1. For **Template name**, select **Custom**, and then press **Create**.
+1. For **Template name**, select **Custom**, and then select **Create**.
1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md).
-
+
+ 1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
+ - **Name**: Allow commercial data pipeline
+ - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device.
+ - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline`
+ - **Data type**: Integer
+ - **Value**: 1
1. Add a setting configuring the **Windows Diagnostic Data level** for devices:
- **Name**: Allow Telemetry
- **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
- **Data type**: Integer
- - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*).
- 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance:
- - **Name**: Disable Telemetry opt-in interface
- - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
- - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
- - **Data type**: Integer
- - **Value**: 1
- 1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
- - **Name**: Allow device name in Diagnostic Data
- - **Description**: Allows device name in Diagnostic Data.
- - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
- - **Data type**: Integer
- - **Value**: 1
+ - **Value**: 1 (*1 is the minimum value meaning basic, but it can be safely set to a higher value*).
1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
- **Name**: Allow Update Compliance Processing
- **Description**: Opts device data into Update Compliance processing. Required to see data.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
- **Data type**: Integer
- **Value**: 16
- 1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
- - **Name**: Allow commercial data pipeline
- - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device.
- - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline`
+ 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance:
+ - **Name**: Disable Telemetry opt-in interface
+ - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
+ - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
+ - **Data type**: Integer
+ - **Value**: 1
+ 1. (*Recommended, but not required*) Add a setting to **Allow device name in diagnostic data**; otherwise, the device name won't be in Update Compliance:
+ - **Name**: Allow device name in Diagnostic Data
+ - **Description**: Allows device name in Diagnostic Data.
+ - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
- **Data type**: Integer
- **Value**: 1
+
1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
-1. Review and select **Create**.
+1. Review the settings and then select **Create**.
## Deploy the configuration script
diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md
index 871ce3464e..e1fccf14ec 100644
--- a/windows/deployment/update/update-compliance-v2-help.md
+++ b/windows/deployment/update/update-compliance-v2-help.md
@@ -86,7 +86,7 @@ If you create an issue for something not related to documentation, Microsoft wil
- [Product questions (using Microsoft Q&A)](/answers/products/)
- [Support requests](#open-a-microsoft-support-case) for Update Compliance
-To share feedback on the fundamental docs.microsoft.com platform, see [Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors.
+To share feedback about the Microsoft Docs platform, see [Microsoft Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors.
## Troubleshooting tips
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index a43f01d033..46d0719b49 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -10,6 +10,7 @@ ms.topic: article
ms.custom:
- seo-marvel-apr2020
ms.collection: highpri
+date: 09/22/2022
---
# Manage device restarts after updates
@@ -18,11 +19,11 @@ ms.collection: highpri
**Applies to**
- Windows 10
-
+- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
+You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
## Schedule update installation
@@ -100,15 +101,27 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan
## Limit restart delays
-After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
+After an update is installed, Windows attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
## Control restart notifications
-In Windows 10, version 1703, we have added settings to control restart notifications for users.
+### Display options for update notifications
+
+Starting in Windows 10 version 1809, you can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed. You can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
+
+**0** (default) - Use the default Windows Update notifications
+**1** - Turn off all notifications, excluding restart warnings
+**2** - Turn off all notifications, including restart warnings
+
+To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-configuration-service-provider#update-updatenotificationlevel).
+
+Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured.
+
+To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
### Auto-restart notifications
-Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically.
+Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. This setting was added in Windows 10, version 1703.
To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
@@ -198,10 +211,10 @@ There are three different registry combinations for controlling restart behavior
## Related articles
-- [Update Windows 10 in the enterprise](index.md)
+- [Update Windows in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
-- [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Delivery Optimization for Windows updates](../do/waas-delivery-optimization.md)
+- [Configure BranchCache for Windows updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 4604ac1c8e..cfe3f8800a 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -3,12 +3,12 @@ title: Manage additional Windows Update settings
description: In this article, learn about additional settings to control the behavior of Windows Update.
ms.prod: w10
ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
ms.topic: article
-ms.custom: seo-marvel-apr2020
ms.collection: highpri
+date: 09/22/2022
---
# Manage additional Windows Update settings
@@ -36,6 +36,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
+| | [Windows Update notifications display organization name](#bkmk_display-name) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered |
>[!IMPORTANT]
>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
@@ -230,7 +231,7 @@ To do this, follow these steps:
> [!NOTE]
> This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
-To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance.
+To use Automatic Updates with a server that is running Windows Software Update Services (WSUS), see the [Deploying Microsoft Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services) guidance.
When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.
@@ -246,3 +247,32 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
* WUStatusServer (REG_SZ)
This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
+
+## Display organization name in Windows Update notifications
+
+When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.
+
+The organization name appears automatically for Windows 11 clients that are associated with Azure AD in any of the following ways:
+- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join)
+- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register)
+- [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+
+To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
+
+ - **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations`
+ - **DWORD value name**: UsoDisableAADJAttribution
+ - **Value data:** 1
+
+The following PowerShell script is provided as an example to you:
+```powershell
+$registryPath = "HKLM:\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations"
+$Name = "UsoDisableAADJAttribution"
+$value = "1"
+
+if (!(Test-Path $registryPath))
+{
+ New-Item -Path $registryPath -Force | Out-Null
+}
+
+New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
+```
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 1aa46d22c9..e5027dfc14 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -178,12 +178,14 @@ There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
-**0** (default) – Use the default Windows Update notifications
-**1** – Turn off all notifications, excluding restart warnings
-**2** – Turn off all notifications, including restart warnings
+**0** (default) - Use the default Windows Update notifications
+**1** - Turn off all notifications, excluding restart warnings
+**2** - Turn off all notifications, including restart warnings
-> [!NOTE]
-> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
+Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
+
+> [!NOTE]
+> Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured.
Still more options are available in **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart restart warning notifications schedule for updates**. This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update and to specify the period for auto-restart imminent warning notifications (15-60 minutes is the default). We recommend using the default notifications.
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index b6b9becf85..641438bdd0 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -444,14 +444,14 @@ System Information:
Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015
-Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
+Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
```
### XML log sample
```xml
-
+1.6.0.0FindSPFatalErrorA4028172-1B09-48F8-AD3B-86CDD7D55852
@@ -494,7 +494,7 @@ Error: 0x00000057
LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5/2/2019 to structure[gle=0x00000057]
-Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" for error information.
+Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" for error information.
Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel
```
@@ -548,7 +548,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
"LogEntry: 2019-06-06 21:47:11, Error SP Error converting install time 5\/2\/2019 to structure[
gle=0x00000057
]",
- "\u000aRefer to \"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/Debug\/system-error-codes\" for error information."
+ "\u000aRefer to \"https:\/\/learn.microsoft.com\/windows\/desktop\/Debug\/system-error-codes\" for error information."
],
"FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel",
"DeviceDriverInfo":null,
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index bbc1b4b9d4..8dc4f7f75d 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -1,50 +1,44 @@
---
-title: Activate using Active Directory-based activation (Windows 10)
-description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
-ms.custom: seo-marvel-apr2020
+title: Activate using Active Directory-based activation
+description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
author: aczechowski
+ms.author: aaroncz
+ms.prod: windows-client
+ms.technology: itpro-deploy
ms.localizationpriority: medium
-ms.date: 01/13/2022
-ms.topic: article
+ms.date: 09/16/2022
+ms.topic: how-to
ms.collection: highpri
---
# Activate using Active Directory-based activation
-**Applies to**
+**Applies to supported versions of**
-Windows 11
-Windows 10
-Windows 8.1
-Windows 8
-Windows Server 2012 R2
-Windows Server 2012
-Windows Server 2016
-Windows Server 2019
-Office 2021*
-Office 2019*
-Office 2016*
-Office 2013*
+- Windows
+- Windows Server
+- Office
-**Looking for retail activation?**
+> [!TIP]
+> Are you looking for information on retail activation?
+>
+> - [Product activation for Windows](https://support.microsoft.com/windows/product-activation-for-windows-online-support-telephone-numbers-35f6a805-1259-88b4-f5e9-b52cccef91a0)
+> - [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227)
-- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1)
-- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate)
+Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using *adprep.exe* on a supported server OS. After the schema is updated, older domain controllers can still activate clients.
-Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients.
+Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They'll stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
-Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
-
-To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
+To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
The process proceeds as follows:
-1. Perform one of the following tasks:
- - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
+1. Do _one_ of the following tasks:
+
+ - Install the Volume Activation Services server role on a domain controller. Then add a KMS host key by using the Volume Activation Tools Wizard.
+
+ - Extend the domain schema level to Windows Server 2012 R2 or later. Then add a KMS host key by using the VAMT.
2. Microsoft verifies the KMS host key, and an activation object is created.
@@ -55,87 +49,91 @@ The process proceeds as follows:
**Figure 10**. The Active Directory-based activation flow
-For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
+For environments in which all computers are running a supported OS version, and they're joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers. You may be able to remove any KMS hosts from your environment.
-If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
+If an environment will continue to contain earlier versions of volume licensed operating systems and applications, or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status.
-Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
+Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain. They'll periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
-When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
+When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object can't be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, Windows will change the status to "not activated" and the computer will try to activate with KMS.
## Step-by-step configuration: Active Directory-based activation
> [!NOTE]
-> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
+> You must be a member of the local **Administrators** group on all computers mentioned in these steps. You also need to be a member of the **Enterprise Administrators** group, because setting up Active Directory-based activation changes forest-wide settings.
-**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
+To configure Active Directory-based activation on a supported version of Windows Server, complete the following steps:
-1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
+1. Use an account with **Domain Administrator** and **Enterprise Administrator** credentials to sign in to a domain controller.
-2. Launch Server Manager.
+2. Launch **Server Manager**.
-3. Add the Volume Activation Services role, as shown in Figure 11.
+3. Add the **Volume Activation Services** role, as shown in Figure 11.
**Figure 11**. Adding the Volume Activation Services role
-4. Click the link to launch the Volume Activation Tools (Figure 12).
+4. Select the **Volume Activation Tools**, as shown in Figure 12.
**Figure 12**. Launching the Volume Activation Tools
-5. Select the **Active Directory-Based Activation** option (Figure 13).
+5. Select the **Active Directory-Based Activation** option, as shown in Figure 13.
**Figure 13**. Selecting Active Directory-Based Activation
-6. Enter your KMS host key and (optionally) a display name (Figure 14).
+6. Enter your KMS host key and optionally specify a display name, as shown in Figure 14.
**Figure 14**. Entering your KMS host key
-7. Activate your KMS host key by phone or online (Figure 15).
+7. Activate your KMS host key by phone or online, as shown in Figure 15.
-
+
**Figure 15**. Choosing how to activate your product
> [!NOTE]
- > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. For more details, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory).
-
- >
- >
+ > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
+ >
> - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
- >
+ >
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
>
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
>
> - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446)
+ >
+ > For more information, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory).
-8. After activating the key, click **Commit**, and then click **Close**.
+8. After activating the key, select **Commit**, and then select **Close**.
## Verifying the configuration of Active Directory-based activation
To verify your Active Directory-based activation configuration, complete the following steps:
-1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
-2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
-3. If the computer is not joined to your domain, join it to the domain.
+1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that's configured by volume licensing.
+
+2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK. Run the `slmgr.vbs /ipk` command and specifying the GLVK as the new product key.
+
+3. If the computer isn't joined to your domain, join it to the domain.
+
4. Sign in to the computer.
-5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
+
+5. Open Windows Explorer, right-click **Computer**, and then select **Properties**.
+
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
> [!NOTE]
- > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
- >
- > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md).
-
+ > If you're using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that hasn't already been activated by KMS. The `slmgr.vbs /dlv` command also indicates whether KMS has been used.
+ >
+ > To manage individual activations or apply multiple (mass) activations, use the [VAMT](./volume-activation-management-tool.md).
## See also
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+[Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 403b5a2209..e8e03b1772 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -4,61 +4,62 @@ description: VAMT enables administrators to automate and centrally manage the Wi
ms.reviewer:
manager: dougeby
ms.author: aaroncz
-ms.prod: w10
+ms.prod: windows-client
+ms.technology: itpro-deploy
author: aczechowski
-ms.date: 04/25/2017
-ms.topic: article
+ms.date: 09/16/2022
+ms.topic: overview
---
# Introduction to VAMT
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012.
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has a supported Windows OS version.
> [!NOTE]
-> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
+> VAMT can be installed on, and can manage, physical or virtual instances. VAMT can't detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
-## In this Topic
-
-- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
-- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
-- [Enterprise Environment](#bkmk-enterpriseenvironment)
-- [VAMT User Interface](#bkmk-userinterface)
-
-## Managing Multiple Activation Key (MAK) and Retail Activation
+## Managing MAK and retail activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
-- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
-- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
+- **Online activation**: Many organizations maintain a single Windows system image or Office installation package for deployment across the organization. Occasionally there's also a need to use retail product keys in special situations. Online activation enables you to activate over the internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
-## Managing Key Management Service (KMS) Activation
+- **Proxy activation**: This activation method enables you to perform volume activation for products installed on client computers that don't have internet access. The VAMT host computer distributes a MAK, KMS host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs internet access. You can also activate products installed on computers in a workgroup that's isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the internet-connected VAMT host.
-In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 and Microsoft Office 2010.\
-VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
+## Managing KMS activation
-## Enterprise Environment
+In addition to MAK or retail activation, you can use VAMT to perform volume activation using the KMS. VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by volume license editions of Windows, Windows Server, and Office.
-VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
+VAMT treats a KMS host key (CSVLK) product key identically to a retail-type product key. The experience for product key entry and activation management are identical for both these product key types.
+
+## Enterprise environment
+
+VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments: core network, secure zone, and isolated lab.
-In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have extra firewall protection.
-The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
+- In the core network environment, all computers are within a common network managed by Active Directory Domain Services (AD DS).
+- The secure zone represents higher-security core network computers that have extra firewall protection.
+- The isolated lab environment is a workgroup that is physically separate from the core network, and its computers don't have internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab.
-## VAMT User Interface
+## VAMT user interface
-The following screenshot shows the VAMT graphical user interface.
+The following screenshot shows the VAMT graphical user interface:
VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
-- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
-- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
-- **Monitoring activation status.** You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
-- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
-- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
+- **Adding and removing computers**: You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
-## Related topics
+- **Discovering products**: You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
-- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
+- **Monitoring activation status**: You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
+
+- **Managing product keys**: You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
+
+- **Managing activation data**: VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
+
+## Next steps
+
+[VAMT step-by-step scenarios](vamt-step-by-step.md)
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index ec4715c198..fd360dd5f2 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -1,40 +1,36 @@
---
-title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10)
+title: VAMT technical reference
description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
manager: dougeby
ms.author: aaroncz
-ms.prod: w10
+ms.prod: windows-client
+ms.technology: itpro-deploy
author: aczechowski
-ms.date: 04/25/2017
-ms.topic: article
+ms.date: 09/16/2022
+ms.topic: overview
ms.custom: seo-marvel-apr2020
ms.collection: highpri
---
-# Volume Activation Management Tool (VAMT) Technical Reference
+# Volume Activation Management Tool (VAMT) technical reference
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
-VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
-- Windows® 7 or above
-- Windows Server 2008 R2 or above
+The Volume Activation Management Tool (VAMT) lets you automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail-activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in. VAMT can be installed on any computer that has a supported Windows OS version.
-
-**Important**
-VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or later), Microsoft Office 2010 (or above).
+> [!IMPORTANT]
+> VAMT is designed to manage volume activation for supported versions of Windows, Windows Server, and Office.
VAMT is only available in an EN-US (x86) package.
## In this section
-|Topic |Description |
+|Article |Description |
|------|------------|
|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
-|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. |
-|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
-|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
-|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
-|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. |
-|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
-|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
-|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
-
+|[Active Directory-based activation overview](active-directory-based-activation-overview.md) |Describes Active Directory-based activation scenarios. |
+|[Install and configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
+|[Add and manage products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
+|[Manage product keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
+|[Manage activations](manage-activations-vamt.md) |Describes how to activate a client computer by using various activation methods. |
+|[Manage VAMT data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
+|[VAMT step-by-step scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
+|[VAMT known issues](vamt-known-issues.md) |Lists known issues in VAMT. |
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 18021d5a5d..c4377a6979 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -5,31 +5,33 @@ ms.reviewer:
manager: dougeby
author: aczechowski
ms.author: aaroncz
-ms.prod: w10
+ms.prod: windows-client
+ms.technology: itpro-deploy
ms.localizationpriority: medium
-ms.topic: article
+ms.topic: reference
---
-# Windows 10 deployment process posters
+# Windows 10 deployment process posters
**Applies to**
-- Windows 10
+- Windows 10
-The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager.
+The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager.
## Deploy Windows 10 with Autopilot
-The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format.
+The Windows Autopilot poster is two pages in portrait mode (11x17). Select the image to download a PDF version.
-[](./media/Windows10AutopilotFlowchart.pdf)
+[](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf)
## Deploy Windows 10 with Microsoft Endpoint Configuration Manager
-The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
+The Configuration Manager poster is one page in landscape mode (17x11). Select the image to download a PDF version.
-[](./media/Windows10DeploymentConfigManager.pdf)
+[](https://download.microsoft.com/download/e/2/a/e2a70587-d3cc-4f1a-ba49-cfd724a1736b/Windows10DeploymentConfigManager.pdf)
## See also
-[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot)
-[Scenarios to deploy enterprise operating systems with Configuration Manager](/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
+[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot)
+
+[Scenarios to deploy enterprise operating systems with Configuration Manager](/mem/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index b56c8a8916..f2950818eb 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -32,6 +32,8 @@
href: deploy/windows-autopatch-device-registration-overview.md
- name: Register your devices
href: deploy/windows-autopatch-register-devices.md
+ - name: Post-device registration readiness checks
+ href: deploy/windows-autopatch-post-reg-readiness-checks.md
- name: Operate
href: operate/index.md
items:
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index 1d55fce3d7..ede51bee83 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -1,7 +1,7 @@
---
title: Device registration overview
description: This article provides and overview on how to register devices in Autopatch
-ms.date: 07/28/2022
+ms.date: 09/07/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@@ -44,12 +44,12 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
| **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. |
| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.
Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
**AzureADDeviceID**
**OperatingSystem**
**DisplayName (Device name)**
**AccountEnabled**
**RegistrationDateTime**
**ApproximateLastSignInDateTime**
In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
|
-| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
**Serial number, model, and manufacturer.**
Checks if the serial number already exists in the Windows Autopatch’s managed device database.
**If the device is Intune-managed or not.**
Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
If **yes**, it means this device is enrolled into Intune.
If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not ready** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
**If the device is a Windows device or not.**
Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
**If yes**, it means this device is enrolled into Intune.
**If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
**Windows Autopatch checks the Windows SKU family**. The SKU must be either:
**Enterprise**
**Pro**
**Pro Workstation**
**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
**Only managed by Intune.**
If the device is only managed by Intune, the device is marked as Passed all prerequisites.
**Co-managed by both Configuration Manager and Intune.**
If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
**Windows Updates Policies**
**Device Configuration**
**Office Click to Run**
If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not Ready** tab.
|
+| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
**Serial number, model, and manufacturer.**
Checks if the serial number already exists in the Windows Autopatch’s managed device database.
**If the device is Intune-managed or not.**
Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
If **yes**, it means this device is enrolled into Intune.
If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
**If the device is a Windows device or not.**
Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
**If yes**, it means this device is enrolled into Intune.
**If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
**Windows Autopatch checks the Windows SKU family**. The SKU must be either:
**Enterprise**
**Pro**
**Pro Workstation**
**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
**Only managed by Intune.**
If the device is only managed by Intune, the device is marked as Passed all prerequisites.
**Co-managed by both Configuration Manager and Intune.**
If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
**Windows Updates Policies**
**Device Configuration**
**Office Click to Run**
If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
|
| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
|
| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
|
| **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
**Modern Workplace Devices - All**
This group has all devices managed by Windows Autopatch.
When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**
This group has all devices managed by Windows Autopatch and that have Windows 10 installed.
When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**
This group has all devices managed by Windows Autopatch and that have Windows 11 installed.
When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**
This group has all virtual devices managed by Windows Autopatch.
|
| **Step 8: Post-device registration** | In post-device registration, three actions occur:
Windows Autopatch adds devices to its managed database.
Flags devices as **Active** in the **Ready** tab.
The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
|
-| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not ready** tabs.
If the device was **successfully registered**, the device shows up in the **Ready** tab.
If **not**, the device shows up in the **Not ready** tab.
|
+| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not registered** tabs.
If the device was **successfully registered**, the device shows up in the **Ready** tab.
If **not**, the device shows up in the **Not registered** tab.
|
| **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. |
## Detailed prerequisite check workflow diagram
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
new file mode 100644
index 0000000000..ad127f56ad
--- /dev/null
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -0,0 +1,102 @@
+---
+title: Post-device registration readiness checks
+description: This article details how post-device registration readiness checks are performed in Windows Autopatch
+ms.date: 09/16/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: andredm7
+---
+
+# Post-device registration readiness checks (public preview)
+
+> [!IMPORTANT]
+> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a “Preview” basis. You can test and use these features in production environments and scenarios, and provide feedback.
+
+One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle.
+
+Having a way of measuring, quickly detecting and remediating when something goes wrong with on-going change management processes is important; it helps mitigate high Helpdesk ticket volumes, reduces cost, and improves overall update management results.
+
+Windows Autopatch provides proactive device readiness information about devices that are and aren't ready to be fully managed by the service. IT admins can easily detect and fix device-related issues that are preventing them from achieving their update management compliance report goals.
+
+## Device readiness scenarios
+
+Device readiness in Windows Autopatch is divided into two different scenarios:
+
+| Scenario | Description |
+| ----- | ----- |
+| Prerequisite checks | Ensures devices follow software-based requirements before being registered with the service. |
+| Post-device registration readiness checks | Provides continuous monitoring of device health for registered devices.
IT admins can easily detect and remediate configuration mismatches in their environments or issues that prevent devices from having one or more software update workloads (Windows quality, feature updates, Microsoft Office, Microsoft Teams, or Microsoft Edge) fully managed by the Windows Autopatch service. Configuration mismatches can leave devices in a vulnerable state, out of compliance and exposed to security threats.
|
+
+### Device readiness checks available for each scenario
+
+| Required device readiness (prerequisite checks) prior to device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) |
+| ----- | ----- |
+|
Windows OS (build, architecture and edition)
Managed by either Intune or ConfigMgr co-management
ConfigMgr co-management workloads
Last communication with Intune
Personal or non-Windows devices
|
Windows OS (build, architecture and edition)
Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict
Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)
Internet connectivity
|
+
+The status of each post-device registration readiness check is shown in the Windows Autopatch’s Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service.
+
+## About the three tabs in the Devices blade
+
+You deploy software updates to secure your environment, but these deployments only reach healthy and active devices. Unhealthy or not ready devices affect the overall software update compliance. Figuring out device health can be challenging and disruptive to the end user when IT can’t obtain proactive data sent by the device to the service for IT admins to proactively detect, troubleshoot, and fix issues.
+
+Windows Autopatch has three tabs within its Devices blade. Each tab is designed to provide a different set of device readiness statuses so IT admins know where to go to monitor, and troubleshoot potential device health issues:
+
+| Tab | Description |
+| ----- | ----- |
+| Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:
Passed the prerequisite checks.
Registered with Windows Autopatch.
This tab also lists devices that have passed all postdevice registration readiness checks. |
+| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.
**Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.
**Inactive**: Devices that haven’t communicated with the Microsoft Endpoint Manager-Intune service in the last 28 days.
|
+| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn’t pass one or more prerequisite checks during the device registration process. |
+
+## Details about the post-device registration readiness checks
+
+A healthy or active device in Windows Autopatch is:
+
+- Online
+- Actively sending data
+- Passes all post-device registration readiness checks
+
+The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service.
+
+The following list of post-device registration readiness checks is performed in Windows Autopatch:
+
+| Check | Description |
+| ----- | ----- |
+| **Windows OS build, architecture, and edition** | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. |
+| **Windows update policies managed via Microsoft Endpoint Manager-Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Endpoint Manager-Intune (MDM). |
+| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Endpoint Manager-Intune. |
+| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Endpoint Manager-Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). |
+| **Windows Autopatch network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. |
+| **Microsoft Teams network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Teams must be able to reach for software updates management. |
+| **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. |
+| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft’s public URLs two times each, to confirm that ping results aren't coming from the device’s cache. |
+
+## Post-device registration readiness checks workflow
+
+See the following diagram for the post-device registration readiness checks workflow:
+
+:::image type="content" source="../media/windows-autopatch-post-device-registration-readiness-checks.png" alt-text="Post-device registration readiness checks" lightbox="../media/windows-autopatch-post-device-registration-readiness-checks.png":::
+
+| Step | Description |
+| ----- | ----- |
+| **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).|
+| **Step 8: Perform readiness checks** |
Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.
|
+| **Step 9: Check readiness status** |
The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch’s service.
|
+| **Step 10: Add devices to the Not ready** | When devices don’t pass one or more readiness checks, even if they’re registered with Windows Autopatch, they’re added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
+| **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show back up into the **Ready** tab. |
+
+## FAQ
+
+| Question | Answer |
+| ----- | ----- |
+| **How frequent are the post-device registration readiness checks performed?** |
The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).
Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.
The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
|
+| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don’t meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.
Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.
|
+
+## Additional resources
+
+- [Device registration overview](windows-autopatch-device-registration-overview.md)
+- [Register your devices](windows-autopatch-register-devices.md)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 61a5e35dfe..ddd32f7d97 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
-ms.date: 08/08/2022
+ms.date: 09/07/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
@@ -28,7 +28,13 @@ Windows Autopatch can take over software update management control of devices th
### About the use of an Azure AD group to register devices
-You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices.
+You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods:
+
+- Direct membership
+- Nesting other Azure AD dynamic/assigned groups
+- [Bulk add/import group members](/azure/active-directory/enterprise-users/groups-bulk-import-members)
+
+Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices.
> [!NOTE]
> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand.
@@ -78,14 +84,26 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md).
-## About the Ready and Not ready tabs
+## About the Ready, Not ready and Not registered tabs
-Windows Autopatch introduces a new user interface to help IT admins detect and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices.
+Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness status so IT admin knows where to go to monitor, and troubleshoot potential device health issues.
-| Tab | Purpose |
-| ----- | ----- |
-| Ready | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service. |
-| Not ready | The purpose of the Not ready tab is to help you identify and remediate devices that don't meet the pre-requisite checks to register into the Windows Autopatch service. This tab only shows devices that didn't successfully register into Windows Autopatch. |
+| Device blade tab | Purpose | Expected device readiness status |
+| ----- | ----- | ----- |
+| Ready | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active |
+| Not ready | The purpose of this tab is to help you identify and remediate devices that failed to pass one or more post-device registration readiness checks. Devices showing up in this tab were successfully registered with Windows Autopatch. However, these devices aren't ready to have one or more software update workloads managed by the service. | Readiness failed and/or Inactive |
+| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Pre-requisites failed |
+
+## Device readiness statuses
+
+See all possible device readiness statuses in Windows Autopatch:
+
+| Readiness status | Description | Device blade tab |
+| ----- | ----- | ----- |
+| Active | Devices with this status successfully passed all prerequisite checks and subsequently successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready |
+| Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready |
+| Inactive | Devices with this status haven't communicated with Microsoft Endpoint Manager-Intune in the last 28 days. | Not ready |
+| Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered |
## Built-in roles required for device registration
@@ -117,18 +135,18 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID
**To register devices with Windows Autopatch:**
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
-2. Select **Windows Autopatch** from the left navigation menu.
-3. Select **Devices**.
-4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
+2. Select **Devices** from the left navigation menu.
+3. Under the **Windows Autopatch** section, select **Devices**.
+4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group.
> [!NOTE]
-> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs.
+> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not registered** tabs.
Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service.
> [!TIP]
-> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand.
+> You can also use the **Discover Devices** button in either one of the **Ready**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf.
### Windows Autopatch on Windows 365 Enterprise Workloads
@@ -148,6 +166,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W
1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch.
For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy).
+
### Contact support for device registration-related incidents
Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents.
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png
index 3abdb9288e..f5a8284a8c 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png
new file mode 100644
index 0000000000..c6abcd6790
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png
index 043e275574..4e347dc3cf 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png and b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png differ
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
index 15a138fcdf..50e4fd586e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
@@ -37,7 +37,7 @@ In this example, we'll be discussing a device in the First ring. The Autopatch s
In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
-:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience":::
+:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience" lightbox="../media/windows-feature-typical-update-experience.png":::
### Feature update deadline forces an update
@@ -45,7 +45,7 @@ The following example builds on the scenario outlined in the typical user experi
The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
-:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update":::
+:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update" lightbox="../media/windows-feature-force-update.png":::
### Feature update grace period
@@ -53,7 +53,7 @@ In the following example, the user is on holiday and the device is offline beyon
Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
-:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period":::
+:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png":::
## Servicing window
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
index 8e6075fd7e..1f19a0fd64 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
@@ -46,7 +46,7 @@ The final release schedule is communicated prior to release and may vary a littl
| Fast | Release start + 60 days |
| Broad | Release start + 90 days |
-:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline":::
+:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png":::
## New devices to Windows Autopatch
@@ -64,7 +64,7 @@ When releasing a feature update, there are two policies that are configured by t
| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period |
| ----- | ----- | ----- | ----- | ----- |
| Test | 21H2 | 0 | 5 | 0 |
-| First | 21H2 | 0 | 5 | 0 |
+| First | 21H2 | 0 | 5 | 2 |
| Fast | 21H2 | 0 | 5 | 2 |
| Broad | 21H2 | 0 | 5 | 2 |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index 2515a08a9a..9fa7e60794 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -27,3 +27,7 @@ After you've completed enrollment in Windows Autopatch, some management settings
| Setting | Description |
| ----- | ----- |
| Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).
Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:
Modern Workplace Update Policy [Broad]-[Windows Autopatch]
Modern Workplace Update Policy [Fast]-[Windows Autopatch]
Modern Workplace Update Policy [First]-[Windows Autopatch]
Modern Workplace Update Policy [Test]-[Windows Autopatch]
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
|
+
+## Windows Autopatch configurations
+
+Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index ddefb5977c..d3ef9e518e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -33,7 +33,7 @@ For a device to be eligible for Microsoft 365 Apps for enterprise updates, as a
All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN).
-Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a three-day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
+Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
## Update rings
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 983a41a940..3169d13cff 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -40,13 +40,16 @@ During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenan
Each deployment ring has a different set of update deployment policies to control the updates rollout.
+> [!WARNING]
+> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
+
> [!IMPORTANT]
> Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment.
> [!NOTE]
-> Windows Autopatch deployment rings only apply to Windows quality updates. Additionally, you can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service.
+> You can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service.
### Deployment ring calculation logic
@@ -58,7 +61,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg
| Deployment ring | Default device balancing percentage | Description |
| ----- | ----- | ----- |
-| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
**0–500** devices: minimum **one** device.
**500–5000** devices: minimum **five** devices.
**5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
+| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
**0–500** devices: minimum **one** device.
**500–5000** devices: minimum **five** devices.
**5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
| First | **1%** | The First ring is the first group of production users to receive a change.
This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
|
| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.|
@@ -80,7 +83,10 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad
> [!NOTE]
> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.
If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
-
+
+> [!WARNING]
+> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
+
## Automated deployment ring remediation functions
Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
index 555d20ee68..b83dc059df 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
@@ -36,7 +36,7 @@ Once the deferral period has passed, the device will download the update and not
In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
-:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience":::
+:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png":::
### Quality update deadline forces an update
@@ -48,7 +48,7 @@ In the following example, the user:
The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
-:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update":::
+:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png":::
### Quality update grace period
@@ -56,7 +56,7 @@ In the following example, the user is on holiday and the device is offline beyon
Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
-:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period":::
+:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png":::
## Servicing window
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index c7c96c2575..a8da5aeb86 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -50,7 +50,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
-:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline":::
+:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png":::
## Expedited releases
@@ -74,10 +74,6 @@ If we pause the release, a policy will be deployed which prevents devices from u
You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager.
-## Rollback
-
-Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md).
-
## Incidents and outages
If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
index cf052fbba4..d8b16b880a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
@@ -40,9 +40,9 @@ The update is released to the Test ring on the second Tuesday of the month. Thos
## Device reliability signals
-Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
+Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
-The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices have upgraded to the new version.
+The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version.
As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update.
@@ -51,8 +51,8 @@ Autopatch monitors the following reliability signals:
| Device reliability signal | Description |
| ----- | ----- |
| Blue screens | These events are highly disruptive to end users so are closely watched. |
-| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known issue with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
-| Microsoft Office reliability | Tracks the number of Office crashes or freezes per application per device. |
+| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
+| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. |
| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 54b36ea6ce..0ab881bf82 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: w11
ms.topic: faq
- ms.date: 08/08/2022
+ ms.date: 08/26/2022
audience: itpro
ms.localizationpriority: medium
manager: dougeby
@@ -51,7 +51,7 @@ sections:
- [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.)
- question: What are the licensing requirements for Windows Autopatch?
answer: |
- - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
+ - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
- [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management)
- [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management)
- question: Are there hardware requirements for Windows Autopatch?
@@ -67,21 +67,22 @@ sections:
No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
- question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center?
answer: |
- Cloud PC displays the model as the license type you have provisioned. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
+ Cloud PC displays the model as the license type you have provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads).
- question: Can I run Autopatch on my Windows 365 Business Workloads?
answer: |
- No. Autopatch is only available on enterprise workloads. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
+ No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads).
- name: Update Management
questions:
- question: What systems does Windows Autopatch update?
answer: |
- Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings.
+ - Windows 10/11 feature updates: Windows Autopatch manages all aspects of update rings.
- Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel.
- Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates.
- Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates.
- question: What does Windows Autopatch do to ensure updates are done successfully?
answer: |
- For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task.
+ For Windows quality updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task.
- question: What happens if there's an issue with an update?
answer: |
Autopatch relies on the following capabilities to help resolve update issues:
@@ -98,7 +99,7 @@ sections:
No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours.
- question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership?
answer: |
- Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
+ Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
- question: Does Autopatch have two release cadences per update or are there two release cadences per-ring?
answer: |
The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index abbe0e525e..0b64d2adfa 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 08/04/2022
+ms.date: 09/16/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@@ -24,12 +24,12 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).
For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.
For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
|
-| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
Devices must be connected to the internet.
Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.
For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview).
|
+| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).
Other device management prerequisites include:
Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.
Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
Devices must be connected to the internet.
Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.
For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
|
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
## More about licenses
-Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch:
+Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch:
| License | ID | GUID number |
| ----- | ----- | ------|
@@ -45,13 +45,13 @@ The following Windows OS 10 editions, 1809 builds and architecture are supported
- Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
-## Configuration Manager Co-management requirements
+## Configuration Manager co-management requirements
Windows Autopatch fully supports co-management. The following co-management requirements apply:
- Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions).
-- ConfigMgr must be [cloud-attached with Intune (Co-management)](/mem/configmgr/cloud-attach/overview) and must have the following Co-management workloads enabled:
- - Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
+- ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled:
+ - Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
- Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune.
- Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune.
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index ab4daa7fe2..698612aa82 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -14,6 +14,11 @@ msreviewer: hathind
# Changes made at tenant enrollment
+The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service.
+
+> [!IMPORTANT]
+> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.
+
## Service principal
Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:
@@ -29,10 +34,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to
| Modern Workplace-All | All Modern Workplace users |
| Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. |
| Modern Workplace Devices-All | All Modern Workplace devices |
-| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout |
-| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters |
-| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption |
-| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization |
+| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior production rollout |
+| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters |
+| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption |
+| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization |
| Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10
Modern Workplace - Telemetry Settings for Windows 10
|
| Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role |
@@ -132,4 +137,4 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
| Script | Description |
| ----- | ----- |
-| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service |
+| Modern Workplace - Autopatch Client Setup v1.1 | Installs necessary client components for the Windows Autopatch service |
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
index ee8956decd..c90d19fae5 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
@@ -20,7 +20,7 @@ Windows Autopatch is a cloud service for enterprise customers designed to keep e
Windows Autopatch provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources.
-The sources include Azure Active Directory (AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. The service also uses these Microsoft services to enable Windows Autopatch to provide IT as a Service (ITaaS) capabilities:
+The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages.
| Data source | Purpose |
| ------ | ------ |
@@ -74,7 +74,7 @@ Microsoft Windows Update for Business uses data from Windows diagnostics to anal
## Microsoft Azure Active Directory
-Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
+Identifying data used by Windows Autopatch is stored by Azure Active Directory (AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
## Microsoft Intune
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 0164891a96..b8fe13f82f 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -419,15 +419,9 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
> [!IMPORTANT]
> If you've already registered your VM (or device) using Intune, then skip this step.
-Optional: see the following video for an overview of the process.
-
-
-
-> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
-
First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one.
-Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page.
+Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/store) with your test account, select **Sign in** on the upper-right-corner of the main page.
Select **Manage** from the top menu, then select the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
@@ -528,8 +522,6 @@ Select **OK**, and then select **Create**.
If you already created and assigned a profile via Intune with the steps immediately above, then skip this section.
-A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in Microsoft Store for Business. These steps are also summarized below.
-
First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
Select **Manage** from the top menu, then select **Devices** from the left navigation tree.
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
deleted file mode 100644
index ce2b043c43..0000000000
--- a/windows/device-security/docfx.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg",
- "**/*.gif"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows",
- "ms.topic": "article",
- "ms.date": "04/05/2017",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.win-device-security",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "win-device-security",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json
deleted file mode 100644
index 2834682ce7..0000000000
--- a/windows/eulas/docfx.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
- "extendBreadcrumb": true,
- "feedback_system": "None",
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "eula-vsts",
- "markdownEngineName": "markdig"
- }
-}
\ No newline at end of file
diff --git a/windows/hub/WaaS-infographic.pdf b/windows/hub/WaaS-infographic.pdf
deleted file mode 100644
index cb1ef988a1..0000000000
Binary files a/windows/hub/WaaS-infographic.pdf and /dev/null differ
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 461e6028a8..508d741a9b 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -22,8 +22,7 @@
"**/*.png",
"**/*.jpg",
"**/*.svg",
- "**/*.gif",
- "**/*.pdf"
+ "**/*.gif"
],
"exclude": [
"**/obj/**",
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 3ef3314bf4..0794c284fd 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -105,7 +105,7 @@ conceptualContent:
- url: /windows/configuration/provisioning-packages/provisioning-packages
itemType: how-to-guide
text: Use Provisioning packages to configure new devices
- - url: /windows/configuration/windows-10-accessibility-for-itpros
+ - url: /windows/configuration/windows-accessibility-for-itpros
itemType: overview
text: Accessibility information for IT Pros
- url: /windows/configuration/customize-start-menu-layout-windows-11
diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json
deleted file mode 100644
index aa250a2f5c..0000000000
--- a/windows/keep-secure/docfx.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "feedback_system": "None",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.keep-secure",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "keep-secure",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json
deleted file mode 100644
index 2119242b44..0000000000
--- a/windows/known-issues/docfx.json
+++ /dev/null
@@ -1,58 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "known-issues",
- "markdownEngineName": "markdig"
- }
-}
\ No newline at end of file
diff --git a/windows/manage/TOC.yml b/windows/manage/TOC.yml
deleted file mode 100644
index 892ce64421..0000000000
--- a/windows/manage/TOC.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: Test
- href: test.md
diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json
deleted file mode 100644
index c5275101bf..0000000000
--- a/windows/manage/docfx.json
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.windows-manage",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "windows-manage",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/manage/test.md b/windows/manage/test.md
deleted file mode 100644
index 36d16a3f6b..0000000000
--- a/windows/manage/test.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-title: Test
-description: Test
-ms.prod: w11
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: dstrome
-ms.author: dstrome
-ms.reviewer:
-manager: dstrome
-ms.topic: article
----
-
-# Test
-
-## Deployment planning
-
-This article provides guidance to help you plan for Windows 11 in your organization.
-
diff --git a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf b/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf
deleted file mode 100644
index 557f45193a..0000000000
Binary files a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf b/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf
deleted file mode 100644
index d01542ed2b..0000000000
Binary files a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf b/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf
deleted file mode 100644
index 87110d6b3e..0000000000
Binary files a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf b/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf
deleted file mode 100644
index 8d04e66910..0000000000
Binary files a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf b/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf
deleted file mode 100644
index 86529c1665..0000000000
Binary files a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/WindowsServicing.pdf b/windows/media/ModernSecureDeployment/WindowsServicing.pdf
deleted file mode 100644
index 19a419e3a9..0000000000
Binary files a/windows/media/ModernSecureDeployment/WindowsServicing.pdf and /dev/null differ
diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json
deleted file mode 100644
index 9a47bdcced..0000000000
--- a/windows/plan/docfx.json
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.windows-plan",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "windows-plan",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index a0c9217603..79774ab7cc 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -21,6 +21,7 @@
"files": [
"**/*.png",
"**/*.jpg",
+ "**/*.svg",
"**/*.gif"
],
"exclude": [
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index e518d55a86..dee456d738 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -13,9 +13,9 @@ metadata:
ms.collection:
- M365-security-compliance
- highpri
- author: dansimp
- ms.author: dansimp
- manager: dansimp
+ author: DHB-MSFT
+ ms.author: danbrown
+ manager: dougeby
ms.date: 09/08/2021 #Required; mm/dd/yyyy format.
ms.localizationpriority: high
@@ -45,17 +45,17 @@ productDirectory:
# Card
- title: Windows 11 required diagnostic data
# imageSrc should be square in ratio with no whitespace
- imageSrc: https://docs.microsoft.com/media/common/i_extend.svg
+ imageSrc: /media/common/i_extend.svg
summary: Learn more about basic Windows diagnostic data events and fields collected.
- url: required-windows-11-diagnostic-events-and-fields.md
+ url: required-diagnostic-events-fields-windows-11-22H2.md
# Card
- title: Windows 10 required diagnostic data
- imageSrc: https://docs.microsoft.com/media/common/i_build.svg
+ imageSrc: /media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy
url: required-windows-diagnostic-data-events-and-fields-2004.md
# Card
- title: Optional diagnostic data
- imageSrc: https://docs.microsoft.com/media/common/i_get-started.svg
+ imageSrc: /media/common/i_get-started.svg
summary: Get examples of the types of optional diagnostic data collected from Windows
url: windows-diagnostic-data.md
@@ -68,50 +68,50 @@ productDirectory:
# # Card
# - title: cardtitle1
# links:
-# - url: file1.md OR https://docs.microsoft.com/file1
+# - url: file1.md OR https://learn.microsoft.com/file1
# itemType: itemType
# text: linktext1
-# - url: file2.md OR https://docs.microsoft.com/file2
+# - url: file2.md OR https://learn.microsoft.com/file2
# itemType: itemType
# text: linktext2
-# - url: file3.md OR https://docs.microsoft.com/file3
+# - url: file3.md OR https://learn.microsoft.com/file3
# itemType: itemType
# text: linktext3
# # footerLink (optional)
# footerLink:
-# url: filefooter.md OR https://docs.microsoft.com/filefooter
+# url: filefooter.md OR https://learn.microsoft.com/filefooter
# text: See more
# # Card
# - title: cardtitle2
# links:
-# - url: file1.md OR https://docs.microsoft.com/file1
+# - url: file1.md OR https://learn.microsoft.com/file1
# itemType: itemType
# text: linktext1
-# - url: file2.md OR https://docs.microsoft.com/file2
+# - url: file2.md OR https://learn.microsoft.com/file2
# itemType: itemType
# text: linktext2
-# - url: file3.md OR https://docs.microsoft.com/file3
+# - url: file3.md OR https://learn.microsoft.com/file3
# itemType: itemType
# text: linktext3
# # footerLink (optional)
# footerLink:
-# url: filefooter.md OR https://docs.microsoft.com/filefooter
+# url: filefooter.md OR https://learn.microsoft.com/filefooter
# text: See more
# # Card
# - title: cardtitle3
# links:
-# - url: file1.md OR https://docs.microsoft.com/file1
+# - url: file1.md OR https://learn.microsoft.com/file1
# itemType: itemType
# text: linktext1
-# - url: file2.md OR https://docs.microsoft.com/file2
+# - url: file2.md OR https://learn.microsoft.com/file2
# itemType: itemType
# text: linktext2
-# - url: file3.md OR https://docs.microsoft.com/file3
+# - url: file3.md OR https://learn.microsoft.com/file3
# itemType: itemType
# text: linktext3
# # footerLink (optional)
# footerLink:
-# url: filefooter.md OR https://docs.microsoft.com/filefooter
+# url: filefooter.md OR https://learn.microsoft.com/filefooter
# text: See more
# # tools section (optional)
@@ -122,15 +122,15 @@ productDirectory:
# # Card
# - title: cardtitle1
# # imageSrc should be square in ratio with no whitespace
-# imageSrc: ./media/index/image1.svg OR https://docs.microsoft.com/media/logos/image1.svg
+# imageSrc: ./media/index/image1.svg OR https://learn.microsoft.com/media/logos/image1.svg
# url: file1.md
# # Card
# - title: cardtitle2
-# imageSrc: ./media/index/image2.svg OR https://docs.microsoft.com/media/logos/image2.svg
+# imageSrc: ./media/index/image2.svg OR https://learn.microsoft.com/media/logos/image2.svg
# url: file2.md
# # Card
# - title: cardtitle3
-# imageSrc: ./media/index/image3.svg OR https://docs.microsoft.com/media/logos/image3.svg
+# imageSrc: ./media/index/image3.svg OR https://learn.microsoft.com/media/logos/image3.svg
# url: file3.md
# additionalContent section (optional)
@@ -144,15 +144,15 @@ productDirectory:
# # Card
# - title: cardtitle1
# summary: cardsummary1
-# url: file1.md OR https://docs.microsoft.com/file1
+# url: file1.md OR https://learn.microsoft.com/file1
# # Card
# - title: cardtitle2
# summary: cardsummary2
-# url: file1.md OR https://docs.microsoft.com/file2
+# url: file1.md OR https://learn.microsoft.com/file2
# # Card
# - title: cardtitle3
# summary: cardsummary3
-# url: file1.md OR https://docs.microsoft.com/file3
+# url: file1.md OR https://learn.microsoft.com/file3
# # footer (optional)
# footer: "footertext [linktext](/footerfile)"
@@ -181,4 +181,4 @@ additionalContent:
- text: Support for GDPR Accountability on Service Trust Portal
url: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted
# footer (optional)
- # footer: "footertext [linktext](/footerfile)"
\ No newline at end of file
+ # footer: "footertext [linktext](/footerfile)"
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
new file mode 100644
index 0000000000..aa6f04328c
--- /dev/null
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -0,0 +1,3459 @@
+---
+description: Learn more about the Windows 11, version 22H2 diagnostic data gathered.
+title: Required diagnostic events and fields for Windows 11, version 22H2
+keywords: privacy, telemetry
+ms.prod: w10
+localizationpriority: high
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
+ms.collection: M365-security-compliance
+ms.topic: article
+audience: ITPro
+ms.date: 09/20/2022
+---
+
+
+# Required diagnostic events and fields for Windows 11, version 22H2
+
+ **Applies to**
+
+- Windows 11, version 22H2
+
+Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
+
+Required diagnostic data helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
+- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
+- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
+- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
+- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
+- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+
+
+
+
+## Appraiser events
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **DatasourceApplicationFile_CO21H2Setup** The total number of objects of this type present on this device.
+- **DatasourceDevicePnp_CO21H2Setup** The total number of objects of this type present on this device.
+- **DatasourceDriverPackage_CO21H2Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device.
+- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionApplicationFile_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionDevicePnp_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionDriverPackage_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionMediaCenter_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSModeState_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device.
+- **DecisionSystemBios_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemDiskSize_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemMemory_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuCores_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuModel_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionSystemProcessorCpuSpeed_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionTest_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionTpmVersion_CO21H2Setup** The total number of objects of this type present on this device.
+- **DecisionUefiSecureBoot_CO21H2Setup** The total number of objects of this type present on this device.
+- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
+- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
+- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
+- **InventorySystemBios** The count of the number of this particular object type present on this device.
+- **InventoryTest** The count of the number of this particular object type present on this device.
+- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
+- **PCFP** The count of the number of this particular object type present on this device.
+- **SystemMemory** The count of the number of this particular object type present on this device.
+- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
+- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
+- **SystemProcessorNx** The total number of objects of this type present on this device.
+- **SystemProcessorPrefetchW** The total number of objects of this type present on this device.
+- **SystemProcessorSse2** The total number of objects of this type present on this device.
+- **SystemTouch** The count of the number of this particular object type present on this device.
+- **SystemWim** The total number of objects of this type present on this device.
+- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
+- **SystemWlan** The total number of objects of this type present on this device.
+- **Wmdrm_CO21H2Setup** The total number of objects of this type present on this device.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
+
+This event represents the basic metadata about specific application files installed on the system. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **AvDisplayName** If the app is an anti-virus app, this is its display name.
+- **CompatModelIndex** The compatibility prediction for this file.
+- **HasCitData** Indicates whether the file is present in CIT data.
+- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file.
+- **IsAv** Is the file an anti-virus reporting EXE?
+- **ResolveAttempted** This will always be an empty string when sending diagnostic data.
+- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
+
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
+
+This event indicates that the DatasourceDevicePnp object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
+
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
+
+This event indicates that the DatasourceDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
+
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
+
+This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
+
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates that the DecisionApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked?
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
+- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
+- **BlockingDevice** Is this PNP device blocking upgrade?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
+- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
+- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device.
+- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+The DecisionDriverPackageStartSync event indicates that a new set of DecisionDriverPackageAdd events will be sent. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
+
+This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessage** Will a generic message be shown for this block?
+- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block?
+- **SdbBlockUpgrade** Is a matching info block blocking upgrade?
+- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag?
+- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
+
+This event indicates that the DecisionMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks.
+- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
+
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
+
+This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
+- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
+- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd
+
+This event sends true/false compatibility decision data about the S mode state. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Appraiser decision about eligibility to upgrade.
+- **LockdownMode** S mode lockdown mode.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSModeStateStartSync
+
+The DecisionSModeStateStartSync event indicates that a new set of DecisionSModeStateAdd events will be sent. This event is used to make compatibility decisions about the S mode state. Microsoft uses this information to understand and address problems regarding the S mode state for computers receiving updates. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync
+
+The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU. Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionTpmVersionStartSync
+
+The DecisionTpmVersionStartSync event indicates that a new set of DecisionTpmVersionAdd events will be sent. This event is used to make compatibility decisions about the TPM. Microsoft uses this information to understand and address problems regarding the TPM for computers receiving updates. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootAdd
+
+This event collects information about data on support and state of UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **Blocking** Appraiser upgradeability decision when checking for UEFI support.
+- **SecureBootCapable** Is UEFI supported?
+- **SecureBootEnabled** Is UEFI enabled?
+
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **NewData** The data in the registry value after the scan completed.
+- **OldData** The previous data in the registry value before the scan ran.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RegKey** The registry key name for which a result is being sent.
+- **RegValue** The registry value for which a result is being sent.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **AvDisplayName** If the app is an antivirus app, this is its display name.
+- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date.
+- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
+- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName** The company name of the vendor who developed this file.
+- **FileId** A hash that uniquely identifies a file.
+- **FileVersion** The File version field from the file metadata under Properties -> Details.
+- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file.
+- **IsAv** Indicates whether the file an antivirus reporting EXE.
+- **LinkDate** The date and time that this file was linked on.
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
+- **Name** The name of the file that was inventoried.
+- **ProductName** The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion** The Product version field from the file metadata under Properties -> Details.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size** The size of the file (in hexadecimal bytes).
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
+
+This event indicates that the InventoryApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
+
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
+
+This event sends data about the number of language packs installed on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **HasLanguagePack** Indicates whether this device has 2 or more language packs.
+- **LanguagePackCount** The number of language packs are installed.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
+
+This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **EverLaunched** Has Windows Media Center ever been launched?
+- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center?
+- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured?
+- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch?
+- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files?
+- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
+- **IsSupported** Does the running OS support Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
+
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
+
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **biosDate** The release date of the BIOS in UTC format.
+- **BiosDate** The release date of the BIOS in UTC format.
+- **biosName** The name field from Win32_BIOS.
+- **BiosName** The name field from Win32_BIOS.
+- **manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **Manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **model** The model field from Win32_ComputerSystem.
+- **Model** The model field from Win32_ComputerSystem.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
+
+This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
+
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.RunContext
+
+This event is sent at the beginning of an appraiser run, the RunContext indicates what should be expected in the following data payload. This event is used with the other Appraiser events to make compatibility decisions to keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated** Was a memory requirement violated?
+- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram** The amount of memory on the device.
+- **ramKB** The amount of memory (in KB).
+- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB** The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **CompareExchange128Support** Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **LahfSahfSupport** Does the CPU support LAHF/SAHF?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
+
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
+
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport** Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
+
+This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **PrefetchWSupport** Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
+
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+
+This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer?
+- **MaximumTouches** The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
+
+This event indicates that a new set of SystemTouchAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
+
+This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IsWimBoot** Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision** Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
+
+This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **AuxFinal** Obsolete, always set to false.
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **CountCustomSdbs** The number of custom Sdbs used by Appraiser.
+- **CustomSdbGuids** Guids of the custom Sdbs used by Appraiser; Semicolon delimited list.
+- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InboxDataVersion** The original version of the data files before retrieving any newer version.
+- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated.
+- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunResult** The hresult of the Appraiser diagnostic data run.
+- **ScheduledUploadDay** The day scheduled for the upload.
+- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
+- **StoreHandleIsNotNull** Obsolete, always set to false
+- **TelementrySent** Indicates whether diagnostic data was successfully sent.
+- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
+- **Time** The client time of the event.
+- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Same as NeedsDismissAction.
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **WmdrmApiResult** Raw value of the API used to gather DRM state.
+- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
+
+
+## Census events
+
+### Census.App
+
+This event sends version data about the Apps running on this device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserTaskEnabled** Whether the Appraiser task is enabled.
+- **CensusVersion** The version of Census that generated the current data for this device.
+
+
+### Census.Enterprise
+
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **AADDeviceId** Azure Active Directory device ID.
+- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
+- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
+- **CDJType** Represents the type of cloud domain joined for the machine.
+- **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers.
+- **ContainerType** The type of container, such as process or virtual machine hosted.
+- **EnrollmentType** Defines the type of MDM enrollment on the device.
+- **HashedDomain** The hashed representation of the user domain used for login.
+- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsDERequirementMet** Represents if the device can do device encryption.
+- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption
+- **IsEDPEnabled** Represents if Enterprise data protected on the device.
+- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
+- **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
+- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+
+
+### Census.Memory
+
+This event sends data about the memory on the device, including ROM and RAM. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **TotalPhysicalRAM** Represents the physical memory (in MB).
+- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+
+
+### Census.Network
+
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors). The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry.
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **ModemOptionalCapabilityBitMap0** A bit map of optional capabilities in modem, such as eSIM support.
+- **NetworkAdapterGUID** The GUID of the primary network adapter.
+- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **SupportedDataClassBitMap0** A bit map of the supported data classes (i.g, 5g 4g...) that the modem is capable of.
+- **SupportedDataSubClassBitMap0** A bit map of data subclasses that the modem is capable of.
+
+
+### Census.OS
+
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
+- **AssignedAccessStatus** Kiosk configuration mode.
+- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
+- **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
+- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
+- **InstallLanguage** The first language installed on the user machine.
+- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode.
+- **IsEduData** Returns Boolean if the education data policy is enabled.
+- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
+- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
+- **LanguagePacks** The list of language packages installed on the device.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
+- **OSEdition** Retrieves the version of the current OS.
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
+- **OSSKU** Retrieves the Friendly Name of OS Edition.
+- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
+- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines.
+- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS.
+- **ProductActivationResult** Returns Boolean if the OS Activation was successful.
+- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues.
+- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key.
+- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
+- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy.
+- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
+- **ServiceProductKeyID** Retrieves the License key of the KMS
+- **SharedPCMode** Returns Boolean for education devices used as shared cart
+- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
+- **SLICStatus** Whether a SLIC table exists on the device.
+- **SLICVersion** Returns OS type/version from SLIC table.
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device. The data collected with this event is used to help keep Windows secure.
+
+The following fields are available:
+
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **KeyVer** Version information for the census speech event.
+- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities.
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference.
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveDeviceId** Retrieves the unique device ID of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft.
+
+
+## Code Integrity events
+
+### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.IsRegionDisabledLanguage
+
+Fires when an incompatible language pack is detected.
+
+The following fields are available:
+
+- **Language** String containing the incompatible language pack detected.
+
+
+## Common data extensions
+
+### Common Data Extensions.app
+
+Describes the properties of the running application. This extension could be populated by a client app or a web app.
+
+The following fields are available:
+
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+- **env** The environment from which the event was logged.
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **locale** The locale of the app.
+- **name** The name of the app.
+- **userId** The userID as known by the application.
+- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+
+
+### Common Data Extensions.container
+
+Describes the properties of the container for events logged within a container.
+
+The following fields are available:
+
+- **epoch** An ID that's incremented for each SDK initialization.
+- **localId** The device ID as known by the client.
+- **osVer** The operating system version.
+- **seq** An ID that's incremented for each event.
+- **type** The container type. Examples: Process or VMHost
+
+
+### Common Data Extensions.device
+
+Describes the device-related fields.
+
+The following fields are available:
+
+- **deviceClass** The device classification. For example, Desktop, Server, or Mobile.
+- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **make** Device manufacturer.
+- **model** Device model.
+
+
+### Common Data Extensions.Envelope
+
+Represents an envelope that contains all of the common data extensions.
+
+The following fields are available:
+
+- **data** Represents the optional unique diagnostic data for a particular event schema.
+- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp).
+- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
+- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice).
+- **ext_mscv** Describes the correlation vector-related fields. See [Common Data Extensions.mscv](#common-data-extensionsmscv).
+- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
+- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk).
+- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser).
+- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc).
+- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl).
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **name** Represents the uniquely qualified name for the event.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.mscv
+
+Describes the correlation vector-related fields.
+
+The following fields are available:
+
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related events across component boundaries.
+
+
+### Common Data Extensions.os
+
+Describes some properties of the operating system.
+
+The following fields are available:
+
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+- **name** Represents the operating system name.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.sdk
+
+Used by platform specific libraries to record fields that are required for a specific SDK.
+
+The following fields are available:
+
+- **epoch** An ID that is incremented for each SDK initialization.
+- **installId** An ID that's created during the initialization of the SDK for the first time.
+- **libVer** The SDK version.
+- **seq** An ID that is incremented for each event.
+- **ver** The version of the logging SDK.
+
+
+### Common Data Extensions.user
+
+Describes the fields related to a user.
+
+The following fields are available:
+
+- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
+- **locale** The language and region.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.utc
+
+Describes the properties that could be populated by a logging library on Windows.
+
+The following fields are available:
+
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **eventFlags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **loggingBinary** The binary (executable, library, driver, etc.) that fired the event.
+- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
+- **op** Represents the ETW Op Code.
+- **pgName** The short form of the provider group name associated with the event.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **providerGuid** The ETW provider ID associated with the provider name.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier.
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+- **wcmp** The Windows Shell Composer ID.
+- **wPId** The Windows Core OS product ID.
+- **wsId** The Windows Core OS session ID.
+
+
+### Common Data Extensions.xbl
+
+Describes the fields that are related to XBOX Live.
+
+The following fields are available:
+
+- **claims** Any additional claims whose short claim name hasn't been added to this structure.
+- **did** XBOX device ID
+- **dty** XBOX device type
+- **dvr** The version of the operating system on the device.
+- **eid** A unique ID that represents the developer entity.
+- **exp** Expiration time
+- **ip** The IP address of the client device.
+- **nbf** Not before time
+- **pid** A comma separated list of PUIDs listed as base10 numbers.
+- **sbx** XBOX sandbox identifier
+- **sid** The service instance ID.
+- **sty** The service type.
+- **tid** The XBOX Live title ID.
+- **tvr** The XBOX Live title version.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+- **xid** A list of base10-encoded XBOX User IDs.
+
+## Common data fields
+
+### Ms.Device.DeviceInventoryChange
+
+Describes the installation state for all hardware and software components available on a particular device.
+
+The following fields are available:
+
+- **action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectType** Indicates the object type that the event applies to.
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+
+## Component-based servicing events
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **capabilities** The names of the optional content packages that were installed.
+- **clientId** The name of the application requesting the optional content.
+- **currentID** The ID of the current install session.
+- **downloadSource** The source of the download.
+- **highestState** The highest final install state of the optional content.
+- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version.
+- **hrStatus** The HReturn code of the install operation.
+- **rebootCount** The number of reboots required to complete the install.
+- **retryID** The session ID that will be used to retry a failed operation.
+- **retryStatus** Indicates whether the install will be retried in the event of failure.
+- **stackBuild** The build number of the servicing stack.
+- **stackMajorVersion** The major version number of the servicing stack.
+- **stackMinorVersion** The minor version number of the servicing stack.
+- **stackRevision** The revision number of the servicing stack.
+
+
+### CbsServicingProvider.CbsLateAcquisition
+
+This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **Features** The list of feature packages that could not be updated.
+- **RetryID** The ID identifying the retry attempt to update the listed packages.
+
+
+### CbsServicingProvider.CbsQualityUpdateInstall
+
+This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build version number of the update package.
+- **clientId** The name of the application requesting the optional content.
+- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device.
+- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure.
+- **currentStateEnd** The final state of the package after the operation has completed.
+- **doqTimeSeconds** The time in seconds spent updating drivers.
+- **executeTimeSeconds** The number of seconds required to execute the install.
+- **failureDetails** The driver or installer that caused the update to fail.
+- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred.
+- **hrStatusEnd** The return code of the install operation.
+- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file.
+- **majorVersion** The major version number of the update package.
+- **minorVersion** The minor version number of the update package.
+- **originalState** The starting state of the package.
+- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation.
+- **planTimeSeconds** The time in seconds required to plan the update operations.
+- **poqTimeSeconds** The time in seconds processing file and registry operations.
+- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update.
+- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot.
+- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed.
+- **rebootCount** The number of reboots required to install the update.
+- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update.
+- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update.
+- **revisionVersion** The revision version number of the update package.
+- **rptTimeSeconds** The time in seconds spent executing installer plugins.
+- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update.
+- **stackRevision** The revision number of the servicing stack.
+- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update.
+
+
+### CbsServicingProvider.CbsSelectableUpdateChangeV2
+
+This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date.
+
+The following fields are available:
+
+- **applicableUpdateState** Indicates the highest applicable state of the optional content.
+- **buildVersion** The build version of the package being installed.
+- **clientId** The name of the application requesting the optional content change.
+- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file.
+- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file.
+- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations.
+- **executionSequence** A counter that tracks the number of servicing operations attempted on the device.
+- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable.
+- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable.
+- **hrDownloadResult** The return code of the download operation.
+- **hrStatusUpdate** The return code of the servicing operation.
+- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled.
+- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows.
+- **majorVersion** The major version of the package being installed.
+- **minorVersion** The minor version of the package being installed.
+- **packageArchitecture** The architecture of the package being installed.
+- **packageLanguage** The language of the package being installed.
+- **packageName** The name of the package being installed.
+- **rebootRequired** Indicates whether a reboot is required to complete the operation.
+- **revisionVersion** The revision number of the package being installed.
+- **stackBuild** The build number of the servicing stack binary performing the installation.
+- **stackMajorVersion** The major version number of the servicing stack binary performing the installation.
+- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation.
+- **stackRevision** The revision number of the servicing stack binary performing the installation.
+- **updateName** The name of the optional Windows Operation System feature being enabled or disabled.
+- **updateStartState** A value indicating the state of the optional content before the operation started.
+- **updateTargetState** A value indicating the desired state of the optional content.
+
+
+## Diagnostic data events
+
+### TelClientSynthetic.AbnormalShutdown_0
+
+This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event.
+- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown.
+- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in.
+- **BatteryLevelAtLastShutdown** The last recorded battery level.
+- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown.
+- **CrashDumpEnabled** Are crash dumps enabled?
+- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset.
+- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported.
+- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware.
+- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware.
+- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware.
+- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware.
+- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not.
+- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType.
+- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset.
+- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not.
+- **InvalidBootStat** This is a sanity check flag that ensures the validity of the bootstat file.
+- **LastBugCheckBootId** bootId of the last captured crash.
+- **LastBugCheckCode** Code that indicates the type of error.
+- **LastBugCheckContextFlags** Additional crash dump settings.
+- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save.
+- **LastBugCheckOtherSettings** Other crash dump settings.
+- **LastBugCheckParameter1** The first parameter with additional info on the type of the error.
+- **LastBugCheckProgress** Progress towards writing out the last crash dump.
+- **LastBugCheckVersion** The version of the information struct written during the crash.
+- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown.
+- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button.
+- **LongPowerButtonPressInstanceGuid** The Instance GUID for the user state of pressing and holding the power button.
+- **OOBEInProgress** Identifies if OOBE is running.
+- **OSSetupInProgress** Identifies if the operating system setup is running.
+- **PowerButtonCumulativePressCount** How many times has the power button been pressed?
+- **PowerButtonCumulativeReleaseCount** How many times has the power button been released?
+- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics.
+- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed.
+- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed.
+- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released.
+- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released.
+- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed.
+- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed.
+- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on.
+- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
+- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
+- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file.
+- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid.
+- **StaleBootStatData** Identifies if the data from bootstat is stale.
+- **TransitionInfoBootId** BootId of the captured transition info.
+- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode.
+- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode.
+- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode.
+- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode.
+- **TransitionInfoLastBootDiagCode** Tells us about the last boot with a diagnostic code.
+- **TransitionInfoLastBootDiagStatus** Tells us whether the last boot diagnostic code is valid.
+- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp,
+- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved.
+- **TransitionInfoLidState** Describes the state of the laptop lid.
+- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed.
+- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode.
+- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode.
+- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running.
+- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed.
+- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed.
+- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition.
+- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint.
+- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational.
+- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host.
+
+
+### TelClientSynthetic.AuthorizationInfo_Startup
+
+This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise.
+- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise.
+- **CanCollectClearUserIds** True if we are allowed to collect clear user IDs, false if we can only collect omitted IDs.
+- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise.
+- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise.
+- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise.
+- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise.
+- **CanIncludeDeviceNameInDiagnosticData** True if we are allowed to add the device name to diagnostic data, false otherwise.
+- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise.
+- **CanPerformSiufEscalations** True if we can perform System Initiated User Feedback escalation collection, false otherwise.
+- **CanReportScenarios** True if we can report scenario completions, false otherwise.
+- **CanReportUifEscalations** True if we can perform User Initiated Feedback escalation collection, false otherwise.
+- **CanUseAuthenticatedProxy** True if we can use an authenticated proxy to send data, false otherwise.
+- **IsProcessorMode** True if it is Processor Mode, false otherwise.
+- **PreviousPermissions** Bitmask of previous telemetry state.
+- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise.
+
+
+### TelClientSynthetic.ConnectivityHeartBeat_0
+
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
+
+The following fields are available:
+
+- **CensusExitCode** Last exit code of Census task
+- **CensusStartTime** Returns timestamp corresponding to last successful census run.
+- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine.
+- **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred.
+- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
+- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds.
+- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period.
+
+
+### TelClientSynthetic.HeartBeat_5
+
+This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+
+The following fields are available:
+
+- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel.
+- **CensusExitCode** The last exit code of the Census task.
+- **CensusStartTime** Time of last Census run.
+- **CensusTaskEnabled** True if Census is enabled, false otherwise.
+- **CompressedBytesUploaded** Number of compressed bytes uploaded.
+- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client.
+- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB.
+- **DbCriticalDroppedCount** Total number of dropped critical events in event DB.
+- **DbDroppedCount** Number of events dropped due to DB fullness.
+- **DbDroppedFailureCount** Number of events dropped due to DB failures.
+- **DbDroppedFullCount** Number of events dropped due to DB fullness.
+- **DecodingDroppedCount** Number of events dropped due to decoding failures.
+- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated.
+- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session.
+- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client.
+- **EventsPersistedCount** Number of events that reached the PersistEvent stage.
+- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC.
+- **EventStoreResetCounter** Number of times event DB was reset.
+- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance.
+- **EventsUploaded** Number of events uploaded.
+- **Flags** Flags indicating device state such as network state, battery state, and opt-in state.
+- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full.
+- **HeartBeatSequenceNumber** The sequence number of this heartbeat.
+- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex.
+- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel.
+- **LastEventSizeOffender** Event name of last event which exceeded max event size.
+- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
+- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC.
+- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events).
+- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags.
+- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer.
+- **SettingsHttpAttempts** Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
+- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers.
+- **TopUploaderErrors** List of top errors received from the upload endpoint.
+- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client.
+- **UploaderErrorCount** Number of errors received from the upload endpoint.
+- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
+- **VortexHttpAttempts** Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+
+
+### TelClientSynthetic.PrivacyGuardReport
+
+Reports that the Connected User Experiences and Telemetry service encountered an event that may contain privacy data. The event contains information needed to identify and study the source event that triggered the report. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **EventEpoch** The epoch in which the source event that triggered the report was fired.
+- **EventName** The name of the source event that triggered the report.
+- **EventSeq** The sequence number of the source event that triggered the report.
+- **FieldName** The field of interest in the source event that triggered the report.
+- **IsAllowedToSend** True if the field of interest was sent unmodified in the source event that triggered the report, false if the field of interest was anonymized.
+- **IsDebug** True if the event was logged in a debug build of Windows.
+- **TelemetryApi** The application programming interface used to log the source event that triggered the report. Current values for this field can be "etw" or "rpc".
+- **TypeAsText** The type of issue detected in the source event that triggered the report. Current values for this field can be "UserName" or "DeviceName".
+
+
+## Driver installation events
+
+### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd
+
+This event sends data about the driver installation once it is completed. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **DeviceInstanceId** The unique identifier of the device in the system.
+- **DriverUpdated** Indicates whether the driver was updated.
+- **Error** The Win32 error code of the installation.
+- **InstallDate** The date the driver was installed.
+- **InstallFlags** The driver installation flags.
+- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.)
+- **RebootRequired** Indicates whether a reboot is required after the installation.
+- **RollbackPossible** Indicates whether this driver can be rolled back.
+
+
+### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart
+
+This event sends data about the driver that the new driver installation is replacing. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **DeviceInstanceId** The unique identifier of the device in the system.
+- **FirstInstallDate** The first time a driver was installed on this device.
+- **InstallFlags** Flag indicating how driver setup was called.
+- **LastDriverDate** Date of the driver that is being replaced.
+- **LastDriverInbox** Indicates whether the previous driver was included with Windows.
+- **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced.
+- **LastDriverPackageId** ID of the driver package installed on the device before the current install operation began. ID contains the name + architecture + hash.
+- **LastDriverVersion** The version of the driver that is being replaced.
+- **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT).
+- **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT).
+- **LastFirmwareVersion** The last firmware version reported from the EFI System Resource Table (ESRT).
+- **LastInstallDate** The date a driver was last installed on this device.
+- **LastMatchingDeviceId** The hardware ID or compatible ID that Windows last used to install the device instance.
+- **LastProblem** The previous problem code that was set on the device.
+- **LastProblemStatus** The previous problem code that was set on the device.
+- **LastSubmissionId** The driver submission identifier of the driver that is being replaced.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **AppName** The name of the app that has crashed.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
+- **IsFatal** True/False to indicate whether the crash resulted in process termination.
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Feature quality events
+
+### Microsoft.Windows.FeatureQuality.Heartbeat
+
+This event indicates the feature status heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **Features** Array of features.
+
+
+### Microsoft.Windows.FeatureQuality.StateChange
+
+This event indicates the change of feature state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **flightId** Flight id.
+- **state** New state.
+
+
+### Microsoft.Windows.FeatureQuality.Status
+
+This event indicates the feature status. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **featureId** Feature id.
+- **flightId** Flight id.
+- **time** Time of status change.
+- **variantId** Variant id.
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
+## Holographic events
+
+### Microsoft.Windows.Shell.HolographicFirstRun.AppActivated
+
+This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **IsDemoMode** Windows Mixed Reality Portal app state of demo mode.
+- **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion.
+- **PackageVersion** Windows Mixed Reality Portal app package version.
+- **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state.
+- **wilActivity** Windows Mixed Reality Portal app wilActivity ID.
+
+
+### TraceLoggingOasisUsbHostApiProvider.DeviceInformation
+
+This event provides Windows Mixed Reality device information. This event is also used to count WMR device and device type. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BootloaderMajorVer** Windows Mixed Reality device boot loader major version.
+- **BootloaderMinorVer** Windows Mixed Reality device boot loader minor version.
+- **BootloaderRevisionNumber** Windows Mixed Reality device boot loader revision number.
+- **CalibrationBlobSize** Windows Mixed Reality device calibration blob size.
+- **CalibrationFwMajorVer** Windows Mixed Reality device calibration firmware major version.
+- **CalibrationFwMinorVer** Windows Mixed Reality device calibration firmware minor version.
+- **CalibrationFwRevNum** Windows Mixed Reality device calibration firmware revision number.
+- **DeviceInfoFlags** Windows Mixed Reality device info flags.
+- **FirmwareMajorVer** Windows Mixed Reality device firmware major version.
+- **FirmwareMinorVer** Windows Mixed Reality device firmware minor version.
+- **FirmwareRevisionNumber** Windows Mixed Reality device calibration firmware revision number.
+- **FpgaFwMajorVer** Windows Mixed Reality device FPGA firmware major version.
+- **FpgaFwMinorVer** Windows Mixed Reality device FPGA firmware minor version.
+- **FpgaFwRevisionNumber** Windows Mixed Reality device FPGA firmware revision number.
+- **FriendlyName** Windows Mixed Reality device friendly name.
+- **HashedSerialNumber** Windows Mixed Reality device hashed serial number.
+- **HeaderSize** Windows Mixed Reality device header size.
+- **HeaderVersion** Windows Mixed Reality device header version.
+- **LicenseKey** Windows Mixed Reality device header license key.
+- **Make** Windows Mixed Reality device make.
+- **ManufacturingDate** Windows Mixed Reality device manufacturing date.
+- **Model** Windows Mixed Reality device model.
+- **PresenceSensorHidVendorPage** Windows Mixed Reality device presence sensor HID vendor page.
+- **PresenceSensorHidVendorUsage** Windows Mixed Reality device presence sensor HID vendor usage.
+- **PresenceSensorUsbVid** Windows Mixed Reality device presence sensor USB VId.
+- **ProductBoardRevision** Windows Mixed Reality device product board revision number.
+- **SerialNumber** Windows Mixed Reality device serial number.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **DriverPackageExtended** A count of driverpackageextended objects in cache.
+- **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT Health Record objects in cache.
+- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT Version Element objects in cache.
+- **InventoryApplication** A count of application objects in cache.
+- **InventoryApplicationDriver** A count of application driver objects in cache
+- **InventoryApplicationFramework** A count of application framework objects in cache
+- **InventoryDeviceContainer** A count of device container objects in cache.
+- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache.
+- **InventoryDeviceMediaClass** A count of device media objects in cache.
+- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
+- **InventoryDeviceSensor** A count of device sensor objects in cache.
+- **InventoryDeviceUsbHubClass** A count of device usb objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache.
+- **InventoryDriverPackage** A count of device objects in cache.
+- **InventoryVersion** test
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **FileId** A hash that uniquely identifies a file.
+- **Frameworks** The list of frameworks this file depends on.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device). The data collected with this event is used to help keep Windows up to date and to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Categories** A comma separated list of functional categories in which the container belongs.
+- **DiscoveryMethod** The discovery method for the device container.
+- **FriendlyName** The name of the device container.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsMachineContainer** Is the container the root device itself?
+- **IsNetworked** Is this a networked device?
+- **IsPaired** Does the device container require pairing?
+- **Manufacturer** The manufacturer name for the device container.
+- **ModelId** A unique model ID.
+- **ModelName** The model name.
+- **ModelNumber** The model number for the device container.
+- **PrimaryCategory** The primary category for the device container.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection** Indicates if an Activity Detection sensor is found.
+- **AmbientLight** Indicates if an Ambient Light sensor is found.
+- **Barometer** Indicates if a Barometer sensor is found.
+- **Custom** Indicates if a Custom sensor is found.
+- **EnergyMeter** Indicates if an Energy sensor is found.
+- **FloorElevation** Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector** Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
+- **Humidity** Indicates if a Humidity sensor is found.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
+- **Orientation** Indicates if an Orientation sensor is found.
+- **Pedometer** Indicates if a Pedometer sensor is found.
+- **Proximity** Indicates if a Proximity sensor is found.
+- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
+- **Temperature** Indicates if a Temperature sensor is found.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorAdd
+
+This event sends basic metadata about sensor devices on a machine. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **Manufacturer** Sensor manufacturer.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
+
+This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+- **TotalUserConnectablePorts** Total number of connectable USB ports.
+- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Class** The class name for the device driver.
+- **ClassGuid** The class GUID for the device driver.
+- **Date** The driver package date.
+- **Directory** The path to the driver package.
+- **DriverInBox** Is the driver included with the operating system?
+- **FlightIds** Driver Flight IDs.
+- **Inf** The INF name of the driver package.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Provider** The provider for the driver package.
+- **RecoveryIds** Driver recovery IDs.
+- **SubmissionId** The HLK submission ID for the driver package.
+- **Version** The version of the driver package.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoRemove
+
+This event indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync
+
+This diagnostic event indicates a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
+
+This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Identifier** UUP identifier
+- **LastActivatedVersion** Last activated version
+- **PreviousVersion** Previous version
+- **Source** UUP source
+- **Version** UUP version
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
+
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.Indicators.Checksum
+
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **ChecksumDictionary** A count of each operating system indicator.
+- **PCFP** Equivalent to the InventoryId field that is found in other core events.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
+
+This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **IndicatorValue** The indicator value.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
+
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+## Kernel events
+
+### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem
+
+This event is sent when a problem code is cleared from a device. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **Count** The total number of events.
+- **DeviceInstanceId** The unique identifier of the device on the system.
+- **LastProblem** The previous problem that was cleared.
+- **LastProblemStatus** The previous NTSTATUS value that was cleared.
+- **ServiceName** The name of the driver or service attached to the device.
+
+
+## Microsoft Edge events
+
+### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
+
+This Ping event sends a detailed inventory of software and hardware information about the EdgeUpdate service, Edge applications, and the current system environment including app configuration, update configuration, and hardware capabilities. This event contains Device Connectivity and Configuration, Product and Service Performance, and Software Setup and Inventory data. One or more events is sent each time any installation, update, or uninstallation occurs with the EdgeUpdate service or with Edge applications. This event is used to measure the reliability and performance of the EdgeUpdate service and if Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date.
+
+The following fields are available:
+
+- **appAp** Any additional parameters for the specified application. Default: ''.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
+- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
+- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
+- **appCohort** A machine-readable string identifying the release cohort (channel) that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'.
+- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
+- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
+- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
+- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
+- **appLastLaunchTime** The time when browser was last launched.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
+- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
+- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2.
+- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
+- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'.
+- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
+- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
+- **appPingEventPackageCacheResult** Whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field does not apply.
+- **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
+- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag.
+- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'.
+- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
+- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
+- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
+- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
+- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
+- **hwDiskType** Device’s hardware disk type.
+- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwLogicalCpus** Number of logical CPUs of the device.
+- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
+- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
+- **oemProductManufacturer** The device manufacturer name.
+- **oemProductName** The product name of the device defined by device manufacturer.
+- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
+- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''.
+- **osVersion** The primary version of the operating system. '' if unknown. Default: ''.
+- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'.
+- **requestDlpref** A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''.
+- **requestDomainJoined** '1' if the machine is part of a managed enterprise domain. Otherwise '0'.
+- **requestInstallSource** A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''.
+- **requestIsMachine** '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'.
+- **requestOmahaShellVersion** The version of the Omaha installation folder. Default: ''.
+- **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'.
+- **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients must always transmit this attribute. Default: undefined.
+- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''.
+- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
+- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''.
+- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
+
+
+## OneSettings events
+
+### Microsoft.Windows.OneSettingsClient.Status
+
+This event indicates the config usage of status update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **flightId** Flight id.
+- **time** Time.
+
+
+## OOBE events
+
+### Microsoft.Windows.Shell.Oobe.ZDP.ZdpTaskCancelled
+
+This event is the result of an attempt to cancel ZDP task.
+
+The following fields are available:
+
+- **cancelReason** Enum for source/reason to cancel.
+- **resultCode** HR result of the cancellation.
+
+
+## Other events
+
+### Microsoft.Edge.Crashpad.HangEvent
+
+This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
+
+The following fields are available:
+
+- **app_name** The name of the hanging process.
+- **app_session_guid** Encodes the boot session, process, and process start time.
+- **app_version** The version of the hanging process.
+- **client_id_hash** Hash of the browser client id to help identify the installation.
+- **etag** Identifier to help identify running browser experiments.
+- **hang_source** Identifies how the hang was detected.
+- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
+- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
+
+
+### Microsoft.Gaming.Critical.Error
+
+Common error event used by the Gaming Telemetry Library to provide centralized monitoring for critical errors logged by callers using the library.
+
+The following fields are available:
+
+- **callStack** List of active subroutines running during error occurrence.
+- **componentName** Friendly name meant to represent what feature area this error should be attributed to. Used for aggregations and pivots of data.
+- **customAttributes** List of custom attributes.
+- **errorCode** Error code.
+- **extendedData** JSON blob representing additional, provider-level properties common to the component.
+- **featureName** Friendly name meant to represent which feature this should be attributed to.
+- **identifier** Error identifier.
+- **message** Error message.
+- **properties** List of properties attributed to the error.
+
+
+### Microsoft.Gaming.Critical.ProviderRegistered
+
+Indicates that a telemetry provider has been registered with the Gaming Telemetry Library.
+
+The following fields are available:
+
+- **providerNamespace** The telemetry Namespace for the registered provider.
+
+
+### Microsoft.Gaming.OOBE.HDDBackup
+
+This event describes whether an External HDD back up has been found.
+
+The following fields are available:
+
+- **backupVersion** version number of backup.
+- **extendedData** JSON blob representing additional, provider-level properties common to the component.
+- **hasConsoleSettings** Indicates whether the console settings stored.
+- **hasUserSettings** Indicates whether the user settings stored.
+- **hasWirelessProfile** Indicates whether the wireless profile stored.
+- **hddBackupFound** Indicates whether hdd backup is found.
+- **osVersion** Operating system version.
+
+
+### Microsoft.Gaming.OOBE.OobeComplete
+
+This event is triggered when OOBE activation is complete.
+
+The following fields are available:
+
+- **allowAutoUpdate** Allows auto update.
+- **allowAutoUpdateApps** Allows auto update for apps.
+- **appliedTransferToken** Applied transfer token.
+- **connectionType** Connection type.
+- **curSessionId** Current session id.
+- **extendedData** JSON blob representing additional, provider-level properties common to the component.
+- **instantOn** Instant on.
+- **moobeAcceptedState** Moobe accepted state.
+- **phaseOneElapsedTimeMs** Total elapsed time in milliseconds for phase 1.
+- **phaseOneVersion** Version of phase 1.
+- **phaseTwoElapsedTimeMs** Total elapsed time in milliseconds for phase 2.
+- **phaseTwoVersion** Version of phase 2.
+- **systemUpdateRequired** Indicates whether a system update required.
+- **totalElapsedTimeMs** Total elapsed time in milliseconds of all phases.
+- **usedCloudBackup** Indicates whether cloud backup is used.
+- **usedHDDBackup** Indicates whether HDD backup is used.
+- **usedOffConsole** Indicates whether off console is used.
+
+
+### Microsoft.Gaming.OOBE.SessionStarted
+
+This event is sent at the start of OOBE session.
+
+The following fields are available:
+
+- **customAttributes** customAttributes.
+- **extendedData** extendedData.
+
+
+### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
+
+This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **CV** The correlation vector.
+- **GlobalEventCounter** The global event counter for all telemetry on the device.
+- **UpdateAssistantStateDownloading** True at the start Downloading.
+- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
+- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
+- **UpdateAssistantStateInstalling** True at the start of Installing.
+- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
+- **UpdateAssistantVersion** Current package version of UpdateAssistant.
+
+
+### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
+
+This event fires when HVCI is already enabled so no need to continue auto-enablement.
+
+
+
+## Privacy consent logging events
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
+
+This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **presentationVersion** Which display version of the privacy consent experience the user completed
+- **privacyConsentState** The current state of the privacy consent experience
+- **settingsVersion** Which setting version of the privacy consent experience the user completed
+- **userOobeExitReason** The exit reason of the privacy consent experience
+
+
+## Setup events
+
+### SetupPlatformTel.SetupPlatformTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
+
+
+## Surface events
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEvent
+
+deny
+
+The following fields are available:
+
+- **batteryData.data()** Battery performance data.
+- **BatteryDataSize:** Size of the battery performance data.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device.
+- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC?
+- **BPMHvtCountA** Current HVT count for BPM counter A.
+- **BPMHvtCountB** Current HVT count for BPM counter B.
+- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count.
+- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%.
+- **BPMTotalEngagedMinutes** Total time that BPM was engaged.
+- **BPMTotalEntryEvents** Total number of times entering BPM.
+- **ComponentId** Component ID.
+- **FwVersion** FW version that created this log.
+- **LogClass** Log Class.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** Log MGR version.
+- **MCUInstance** Instance id used to identify multiple MCU's in a product.
+- **ProductId** Product ID.
+- **SeqNum** Sequence Number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** Schema version.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on.
+- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%).
+- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially.
+- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially.
+- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially.
+- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially.
+- **CTTStartDateInSeconds** Start date from when device was starting to be used.
+- **currentAuthenticationState** Current Authentication State.
+- **ProtectionPolicy** Battery limit engaged. True (0 False).
+- **SeqNum** Sequence Number.
+- **Ver** Schema version.
+- **VoltageOptimization** Current CTT reduction in mV.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **cbTimeCell_Values** cb time for different cells.
+- **ComponentId** Component ID.
+- **cycleCount** Cycle Count.
+- **deltaVoltage** Delta voltage.
+- **eocChargeVoltage_Values** EOC Charge voltage values.
+- **fullChargeCapacity** Full Charge Capacity.
+- **FwVersion** FW version that created this log.
+- **lastCovEvent** Last Cov event.
+- **lastCuvEvent** Last Cuv event.
+- **LogClass** LOG_CLASS.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** LOG_MGR_VERSION.
+- **manufacturerName** Manufacturer name.
+- **maxChargeCurrent** Max charge current.
+- **maxDeltaCellVoltage** Max delta cell voltage.
+- **maxDischargeCurrent** Max discharge current.
+- **maxTempCell** Max temp cell.
+- **maxVoltage_Values** Max voltage values.
+- **MCUInstance** Instance id used to identify multiple MCU's in a product.
+- **minTempCell** Min temp cell.
+- **minVoltage_Values** Min voltage values.
+- **numberOfCovEvents** Number of Cov events.
+- **numberOfCuvEvents** Number of Cuv events.
+- **numberOfOCD1Events** Number of OCD1 events.
+- **numberOfOCD2Events** Number of OCD2 events.
+- **numberOfQmaxUpdates** Number of Qmax updates.
+- **numberOfRaUpdates** Number of Ra updates.
+- **numberOfShutdowns** Number of shutdowns.
+- **pfStatus_Values** pf status values.
+- **ProductId** Product ID.
+- **qmax_Values** Qmax values for different cells.
+- **SeqNum** Sequence Number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** Schema version.
+
+
+### Microsoft.Surface.Battery.Prod.BatteryInfoEventV3
+
+This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BatteryTelemetry** Hardware Level Data about battery performance.
+- **ComponentId** Component ID.
+- **FwVersion** FW version that created this log.
+- **LogClass** LOG CLASS.
+- **LogInstance** Log instance within class (1..n).
+- **LogVersion** LOG MGR VERSION.
+- **MCUInstance** Instance id used to identify multiple MCU's in a product.
+- **ProductId** ProductId ID.
+- **SeqNum** Sequence Number.
+- **TimeStamp** UTC seconds when log was created.
+- **Ver** Schema version.
+
+
+### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2
+
+This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **HostResetCause** Host reset cause.
+- **PchResetCause** PCH reset cause.
+- **SamResetCause** SAM reset cause.
+
+
+## UEFI events
+
+### Microsoft.Windows.UEFI.ESRT
+
+This event sends basic data during boot about the firmware loaded or recently installed on the machine. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **DriverFirmwareFilename** The firmware file name reported by the device hardware key.
+- **DriverFirmwareIntegrityFilename** Filename of the integrity package that is supplied in the firmware package.
+- **DriverFirmwarePolicy** The optional version update policy value.
+- **DriverFirmwareStatus** The firmware status reported by the device hardware key.
+- **DriverFirmwareVersion** The firmware version reported by the device hardware key.
+- **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier.
+- **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT).
+- **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT).
+- **FirmwareType** The UEFI (Unified Extensible Firmware Interface) type.
+- **FirmwareVersion** The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System Resource Table (ESRT).
+- **InitiateUpdate** Indicates whether the system is ready to initiate an update.
+- **LastAttemptDate** The date of the most recent attempted firmware installation.
+- **LastAttemptStatus** The result of the most recent attempted firmware installation.
+- **LastAttemptVersion** The version of the most recent attempted firmware installation.
+- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported.
+- **MaxRetryCount** The maximum number of retries, defined by the firmware class key.
+- **RetryCount** The number of attempted installations (retries), reported by the driver software key.
+- **Status** The status returned to the PnP (Plug-and-Play) manager.
+- **UpdateAttempted** Indicates if installation of the current update has been attempted before.
+
+
+## Update events
+
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean indicating whether a cancel was requested.
+- **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload.
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadComplete** Indicates if the download is complete.
+- **DownloadedSizeBundle** Cumulative size (in bytes) of the downloaded bundle content.
+- **DownloadedSizeCanonical** Cumulative size (in bytes) of downloaded canonical content.
+- **DownloadedSizeDiff** Cumulative size (in bytes) of downloaded diff content.
+- **DownloadedSizeExpress** Cumulative size (in bytes) of downloaded express content.
+- **DownloadedSizePSFX** Cumulative size (in bytes) of downloaded PSFX content.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique ID for each flight.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **NumberOfHops** Number of intermediate packages used to reach target version.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable.
+- **PackageCountOptional** Number of optional packages requested.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountTotalBundle** Total number of bundle packages.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageCountTotalPSFX** The total number of PSFX packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **PackageSizePSFX** The size of PSFX packages, in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **SandboxTaggedForReserves** The sandbox for reserves.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentExpand
+
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean that indicates whether a cancel was requested.
+- **CanonicalRequestedOnError** Indicates if an error caused a reversion to a different type of compressed update (TRUE or FALSE).
+- **ElapsedTickCount** Time taken for expand phase.
+- **EndFreeSpace** Free space after expand phase.
+- **EndSandboxSize** Sandbox size after expand phase.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **StartFreeSpace** Free space before expand phase.
+- **StartSandboxSize** Sandbox size after expand phase.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInstall
+
+This event sends data for the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CancelRequested** Boolean to indicate whether a cancel was requested.
+- **ErrorCode** The error code returned for the current install phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** The result for the current install phase.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **UpdatePriority** Indicates the priority that Update Agent is requested to run in for the install phase of an update.
+
+
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **Failed** The count of mitigations that failed.
+- **FlightId** Unique identifier for each flight.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments).
+- **Total** Total number of mitigations that were available.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates the mode that has started.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **Version** Version of update
+
+
+### Update360Telemetry.UpdateAgentPostRebootResult
+
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current post reboot phase.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PostRebootResult** Indicates the Hresult.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentReboot
+
+This event sends information indicating that a request has been sent to suspend an update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current reboot.
+- **FlightId** Unique ID for the flight (test instance version).
+- **IsSuspendable** Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE.
+- **ObjectId** The unique value for each Update Agent mode.
+- **Reason** Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0.
+- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **ScenarioId** The ID of the update scenario.
+- **SessionId** The ID of the update attempt.
+- **UpdateId** The ID of the update.
+- **UpdateState** Indicates the state of the machine when Suspend is called. For example, Install, Download, Commit.
+
+
+### Update360Telemetry.UpdateAgentSetupBoxLaunch
+
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ContainsExpressPackage** Indicates whether the download package is express.
+- **FlightId** Unique ID for each flight.
+- **FreeSpace** Free space on OS partition.
+- **InstallCount** Number of install attempts using the same sandbox.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **SandboxSize** Size of the sandbox.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **SetupLaunchAttemptCount** Indicates the count of attempts to launch setup for the current Update Agent instance.
+- **SetupMode** Mode of setup to be launched.
+- **UpdateId** Unique ID for each Update.
+- **UserSession** Indicates whether install was invoked by user actions.
+
+
+## Upgrade events
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.OsUninstall
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.Setup360MitigationResult
+
+This event sends data indicating the result of each setup mitigation. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** TRUE if the mitigation is applicable for the current update.
+- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightData** The unique identifier for each flight (test release).
+- **Index** The mitigation index of this particular mitigation.
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly (descriptive) name of the mitigation.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+
+
+### Setup360Telemetry.Setup360MitigationSummary
+
+This event sends a summary of all the setup mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Failed** The count of mitigations that failed.
+- **FlightData** The unique identifier for each flight (test release).
+- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **Total** The total number of mitigations that were available.
+
+
+### Setup360Telemetry.Setup360OneSettings
+
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Count** The count of applicable OneSettings for the device.
+- **FlightData** The ID for the flight (test instance version).
+- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **ReportId** The Update ID passed to Setup.
+- **Result** The HResult of the event error.
+- **ScenarioId** The update scenario ID.
+- **Values** Values sent back to the device, if applicable.
+
+
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+## Windows as a Service diagnostic events
+
+### Microsoft.Windows.WaaSMedic.StackDataResetPerformAction
+
+This event removes the datastore allowing for corrupt devices to reattempt an update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **DatastoreSizeInMB** Size of Datastore.edb file. Default: -1 if not set/unknown.
+- **FreeSpaceInGB** Free space on the device before deleting the datastore. Default: -1 if not set/unknown.
+- **HrLastFailure** Error code from the failed removal.
+- **HrResetDatastore** Result of the attempted removal.
+- **HrStopGroupOfServices** Result of stopping the services.
+- **MaskServicesStopped** Bit field to indicate which services were stopped succesfully. Bit on means success. List of services: usosvc(1<<0), dosvc(1<<1), wuauserv(1<<2), bits(1<<3).
+- **NumberServicesToStop** The number of services that require manual stopping.
+
+
+### Microsoft.Windows.WaaSMedic.SummaryEvent
+
+This event provides the result of the WaaSMedic operation. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **callerApplication** The name of the calling application.
+- **capsuleCount** The number of Sediment Pack capsules.
+- **capsuleFailureCount** The number of capsule failures.
+- **detectionSummary** Result of each applicable detection that was run.
+- **featureAssessmentImpact** WaaS Assessment impact for feature updates.
+- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic.
+- **hrEngineResult** Error code from the engine operation.
+- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox.
+- **initSummary** Summary data of the initialization method.
+- **isInteractiveMode** The user started a run of WaaSMedic.
+- **isManaged** Device is managed for updates.
+- **isWUConnected** Device is connected to Windows Update.
+- **noMoreActions** No more applicable diagnostics.
+- **pluginFailureCount** The number of plugins that have failed.
+- **pluginsCount** The number of plugins.
+- **qualityAssessmentImpact** WaaS Assessment impact for quality updates.
+- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
+- **usingBackupFeatureAssessment** Relying on backup feature assessment.
+- **usingBackupQualityAssessment** Relying on backup quality assessment.
+- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run.
+- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run.
+- **uusVersion** The version of the UUS package.
+- **versionString** Version of the WaaSMedic engine.
+- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
+
+
+## Windows Store events
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
+
+This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare
+
+This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+
+This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The Store Product ID of the app being installed.
+- **HResult** HResult code of the action being performed.
+- **IsBundle** Is this a bundle?
+- **PackageFamilyName** The name of the package being installed.
+- **ProductId** The Store Product ID of the product being installed.
+- **SkuId** Specific edition of the item being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **AttemptNumber** The total number of attempts to acquire this product.
+- **BundleId** The bundle ID
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** HResult code to show the result of the operation (success/failure).
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Did the user initiate the installation?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this happening after a device restore?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event is sent after an app is downloaded to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The identity of the Windows Insider build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **DownloadSize** The total size of the download.
+- **ExtendedHResult** Any extended HResult error codes.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this initiated by the user?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this a restore of a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** The Product Family Name of the app being download.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
+
+This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **ExtendedHResult** The extended HResult error code.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this an interactive installation?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AutoUpdateWorkScheduledWithUOTime** The time when work was first scheduled with UO. Value deleted when UO calls UnblockLowPriorityWorkItems.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **IsOnline** Is the request doing an online check?
+- **NumberOfApplicableUpdates** The number of packages returned by this operation.
+- **PFN** The PackageFullName of the app currently installed on the machine. This operation is scanning for an update for this app. Value will be empty if operation is scanning for updates for more than one app.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event is sent after a scan for available app updates to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **FailedRetry** Indicates whether the installation or update retry was successful.
+- **HResult** The HResult code of the operation.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **IsUserRetry** Did the user initiate the retry?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **PreviousHResult** The previous HResult error code.
+- **PreviousInstallState** Previous state before the installation was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **ResumeClientId** The ID of the app that initiated the resume operation.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
+
+Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **CatalogId** The ID for the product being installed if the product is from a private catalog, such as the Enterprise catalog.
+- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product.
+- **HResult** The resulting HResult error/success code of this operation.
+- **NewState** The current fulfillment state of this product.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **PluginLastStage** The most recent product fulfillment step that the plug-in has reported (different than its state).
+- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in.
+- **Prevstate** The previous fulfillment state of this product.
+- **ProductId** Product ID of the app that is being updated or installed.
+
+
+## Windows Update CSP events
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
+
+This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **sacDevice** Represents the device info.
+- **wUfBConnected** Result of WUfB connection check.
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
+
+This event sends basic information indicating that Feature Rollback has started. The data collected with this event is used to help keep Windows secure and up to date.
+
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromLedbat** The number of bytes received from source using an Ledbat enabled connection.
+- **bytesFromLinkLocalPeers** The number of bytes received from local peers.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **bytesRequested** The total number of bytes requested for download.
+- **cacheServerConnectionCount** Number of connections made to cache hosts.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP address of the source CDN.
+- **cdnUrl** Url of the source Content Distribution Network (CDN).
+- **congestionPrevention** Indicates a download may have been suspended to prevent network congestion.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **downloadMode** The download mode used for this file download session.
+- **downloadModeReason** Reason for the download.
+- **downloadModeSrc** Source of the DownloadMode setting.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **expiresAt** The time when the content will expire from the Delivery Optimization Cache.
+- **fileID** The ID of the file being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **groupID** A GUID representing a custom group of devices.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download.
+- **isThrottled** Event Rate throttled (event represents aggregated data).
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network.
+- **numPeers** The total number of peers used for this download.
+- **numPeersLocal** The total number of local peers used for this download.
+- **predefinedCallerName** The name of the API Caller.
+- **restrictedUpload** Is the upload restricted?
+- **routeToCacheServer** The cache server setting, source, and value.
+- **rttMs** Min, Max, Avg round-trip time to the source.
+- **rttRLedbatMs** Min, Max, Avg round-trip time to a Ledbat enabled source.
+- **sessionID** The ID of the download session.
+- **sessionTimeMs** The duration of the session, in milliseconds.
+- **totalTimeMs** Duration of the download (in seconds).
+- **updateID** The ID of the update being downloaded.
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
+- **requestOffset** The byte offset within the file in the sent request.
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
+
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **activated** Whether the entire device manifest update is considered activated and in use.
+- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis.
+- **flightId** Unique ID for each flight.
+- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system.
+- **missingUpdateCount** The number of updates in the device manifest that are missing from the system.
+- **objectId** Unique value for each diagnostics session.
+- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** Indicates the update scenario.
+- **sessionId** Unique value for each update session.
+- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match.
+- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string.
+- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string.
+- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string.
+- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
+- **updateId** The unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** Unique value for each Update Agent mode.
+- **packageCountOptional** Number of optional packages requested.
+- **packageCountRequired** Number of required packages requested.
+- **packageCountTotal** Total number of packages needed.
+- **packageCountTotalCanonical** Total number of canonical packages.
+- **packageCountTotalDiff** Total number of diff packages.
+- **packageCountTotalExpress** Total number of express packages.
+- **packageSizeCanonical** Size of canonical packages in bytes.
+- **packageSizeDiff** Size of diff packages in bytes.
+- **packageSizeExpress** Size of express packages in bytes.
+- **rangeRequestState** Represents the state of the download range request.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the download request phase of update.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **flightMetadata** Contains the FlightId and the build being flighted.
+- **objectId** Unique value for each Update Agent mode.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
+
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current install phase.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique identifier for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Outcome of the install phase of the update.
+- **scenarioId** The unique identifier for the update scenario.
+- **sessionId** The unique identifier for each update session.
+- **updateId** The unique identifier for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **flightId** The unique identifier for each flight.
+- **mode** The mode that is starting.
+- **objectId** The unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique identifier for each update.
+
+
+### Microsoft.Windows.Update.SIHClient.TaskRunCompleted
+
+This event is a launch event for Server Initiated Healing client.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **CmdLineArgs** Command line arguments passed in by the caller.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UusVersion** The version of the Update Undocked Stack.
+- **WUDeviceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc).
+
+
+### Microsoft.Windows.Update.SIHClient.TaskRunStarted
+
+This event is a launch event for Server Initiated Healing client.
+
+The following fields are available:
+
+- **CallerApplicationName** Name of the application making the Windows Update Request. Used to identify context of the request.
+- **CmdLineArgs** Command line arguments passed in by the caller.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc).
+- **UusVersion** The version of the Update Undocked Stack.
+- **WUDeviceID** Unique device id controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.Ux.MusUpdateSettings.Derived.ClientAggregated.LaunchPageDuration
+
+This event is derived event results for the LaunchPageDuration scenario.
+
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit
+
+This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch
+
+This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly.
+
+The following fields are available:
+
+- **CommandLine** The command line used to launch RUXIMICS.
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncExit
+
+This event is sent when RUXIM completes checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ETagValue** eTag for sync.
+- **hrInitialize** Error, if any, that occurred while initializing OneSettings.
+- **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings.
+
+
+### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncLaunch
+
+This event is sent when RUXIM begins checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date.
+
+
+
+## Windows Update mitigation events
+
+### Mitigation360Telemetry.MitigationCustom.FixupWimmountSysPath
+
+This event sends data specific to the FixupWimmountSysPath mitigation used for OS Updates. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** Unique identifier for each flight.
+- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry.
+- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **RelatedCV** Correlation vector value.
+- **Result** HResult of this operation.
+- **ScenarioId** Setup360 flow type.
+- **ScenarioSupported** Whether the updated scenario that was passed in was supported.
+- **SessionId** The UpdateAgent “SessionId” value.
+- **UpdateId** Unique identifier for the Update.
+- **WuId** Unique identifier for the Windows Update client.
+
+
+
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 0d5c7f865c..c5f8c39e62 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -1,6 +1,6 @@
---
description: Learn more about the Windows 11 diagnostic data gathered at the basic level.
-title: Required Windows 11 diagnostic events and fields
+title: Required diagnostic events and fields for Windows 11, version 21H2
ms.prod: m365-security
localizationpriority: high
author: DHB-MSFT
@@ -15,7 +15,7 @@ ms.technology: privacy
---
-# Required Windows 11 diagnostic events and fields
+# Required diagnostic events and fields for Windows 11, version 21H2
> [!IMPORTANT]
> Windows is moving to classifying the data collected from customer’s devices as either Required or Optional.
@@ -23,7 +23,7 @@ ms.technology: privacy
**Applies to**
-- Windows 11
+- Windows 11, version 21H2
Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
@@ -34,6 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml
index ef92db9493..cca1091e48 100644
--- a/windows/privacy/toc.yml
+++ b/windows/privacy/toc.yml
@@ -15,7 +15,9 @@
href: Microsoft-DiagnosticDataViewer.md
- name: Required Windows diagnostic data events and fields
items:
- - name: Required Windows 11 diagnostic data events and fields
+ - name: Windows 11, version 22H2 required diagnostic events and fields
+ href: required-diagnostic-events-fields-windows-11-22H2.md
+ - name: Windows 11, version 21H2 required diagnostic events and fields
href: required-windows-11-diagnostic-events-and-fields.md
- name: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields
href: required-windows-diagnostic-data-events-and-fields-2004.md
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
deleted file mode 100644
index c5cbdfb50a..0000000000
--- a/windows/release-information/docfx.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
- "ms.prod": "w10",
- "ms.date": "4/30/2019",
- "audience": "ITPro",
- "titleSuffix": "Windows Release Information",
- "extendBreadcrumb": true,
- "feedback_system": "None",
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "release-information",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index be054e388b..9acf3787ce 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -5,13 +5,19 @@
href: zero-trust-windows-device-health.md
expanded: true
- name: Hardware security
- items:
+ items:
- name: Overview
href: hardware.md
+ - name: Microsoft Pluton security processor
+ items:
+ - name: Microsoft Pluton overview
+ href: information-protection/pluton/microsoft-pluton-security-processor.md
+ - name: Microsoft Pluton as TPM
+ href: information-protection/pluton/pluton-as-tpm.md
- name: Trusted Platform Module
href: information-protection/tpm/trusted-platform-module-top-node.md
- items:
- - name: Trusted Platform Module Overview
+ items:
+ - name: Trusted Platform Module overview
href: information-protection/tpm/trusted-platform-module-overview.md
- name: TPM fundamentals
href: information-protection/tpm/tpm-fundamentals.md
@@ -32,16 +38,16 @@
- name: System Guard Secure Launch and SMM protection
href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
- name: Enable virtualization-based protection of code integrity
- href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+ href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
- name: Kernel DMA Protection
href: information-protection/kernel-dma-protection-for-thunderbolt.md
- name: Windows secured-core devices
href: /windows-hardware/design/device-experiences/oem-highly-secure
- name: Operating system security
- items:
+ items:
- name: Overview
href: operating-system.md
- - name: System security
+ - name: System security
items:
- name: Secure the Windows boot process
href: information-protection/secure-the-windows-10-boot-process.md
@@ -70,19 +76,19 @@
href: threat-protection/security-policy-settings/security-policy-settings.md
- name: Security auditing
href: threat-protection/auditing/security-auditing-overview.md
- - name: Encryption and data protection
+ - name: Encryption and data protection
href: encryption-data-protection.md
items:
- name: Encrypted Hard Drive
href: information-protection/encrypted-hard-drive.md
- - name: BitLocker
+ - name: BitLocker
href: information-protection/bitlocker/bitlocker-overview.md
- items:
+ items:
- name: Overview of BitLocker Device Encryption in Windows
href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
- name: BitLocker frequently asked questions (FAQ)
href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
- items:
+ items:
- name: Overview and requirements
href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
- name: Upgrading
@@ -128,7 +134,7 @@
- name: Protecting cluster shared volumes and storage area networks with BitLocker
href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
- name: Troubleshoot BitLocker
- items:
+ items:
- name: Troubleshoot BitLocker
href: information-protection/bitlocker/troubleshoot-bitlocker.md
- name: "BitLocker cannot encrypt a drive: known issues"
@@ -142,20 +148,28 @@
- name: "BitLocker configuration: known issues"
href: information-protection/bitlocker/ts-bitlocker-config-issues.md
- name: Troubleshoot BitLocker and TPM issues
- items:
+ items:
- name: "BitLocker cannot encrypt a drive: known TPM issues"
href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
- name: "BitLocker and TPM: other known issues"
href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
- name: Decode Measured Boot logs to track PCR changes
href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+ - name: Personal Data Encryption (PDE)
+ items:
+ - name: Personal Data Encryption (PDE) overview
+ href: information-protection/personal-data-encryption/overview-pde.md
+ - name: Personal Data Encryption (PDE) (FAQ)
+ href: information-protection/personal-data-encryption/faq-pde.yml
+ - name: Configure Personal Data Encryption (PDE) in Intune
+ href: information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Configure S/MIME for Windows
- href: identity-protection/configure-s-mime.md
+ href: identity-protection/configure-s-mime.md
- name: Network security
items:
- name: VPN technical guide
href: identity-protection/vpn/vpn-guide.md
- items:
+ items:
- name: VPN connection types
href: identity-protection/vpn/vpn-connection-type.md
- name: VPN routing decisions
@@ -182,13 +196,13 @@
href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
- name: Windows security baselines
href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
- items:
+ items:
- name: Security Compliance Toolkit
href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
- name: Get support
- href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+ href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
- name: Virus & threat protection
- items:
+ items:
- name: Overview
href: threat-protection/index.md
- name: Microsoft Defender Antivirus
@@ -206,7 +220,7 @@
- name: Microsoft Defender for Endpoint
href: /microsoft-365/security/defender-endpoint
- name: More Windows security
- items:
+ items:
- name: Override Process Mitigation Options to help enforce app-related security policies
href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
- name: Use Windows Event Forwarding to help with intrusion detection
@@ -215,13 +229,13 @@
href: threat-protection/block-untrusted-fonts-in-enterprise.md
- name: Windows Information Protection (WIP)
href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
- items:
+ items:
- name: Create a WIP policy using Microsoft Intune
href: information-protection/windows-information-protection/overview-create-wip-policy.md
- items:
+ items:
- name: Create a WIP policy in Microsoft Intune
href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
- items:
+ items:
- name: Deploy your WIP policy in Microsoft Intune
href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
- name: Associate and deploy a VPN policy for WIP in Microsoft Intune
@@ -232,7 +246,7 @@
href: information-protection/windows-information-protection/wip-app-enterprise-context.md
- name: Create a WIP policy using Microsoft Endpoint Configuration Manager
href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
- items:
+ items:
- name: Create and deploy a WIP policy in Configuration Manager
href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
- name: Create and verify an EFS Data Recovery Agent (DRA) certificate
@@ -249,7 +263,7 @@
href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
- name: General guidance and best practices for WIP
href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
- items:
+ items:
- name: Enlightened apps for use with WIP
href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
- name: Unenlightened and enlightened app behavior while using WIP
@@ -274,17 +288,20 @@
href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
- name: Windows Sandbox
href: threat-protection/windows-sandbox/windows-sandbox-overview.md
- items:
+ items:
- name: Windows Sandbox architecture
href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
- name: Windows Sandbox configuration
href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
- name: Microsoft Defender SmartScreen overview
href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+ items:
+ - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
+ href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
- name: Configure S/MIME for Windows
href: identity-protection\configure-s-mime.md
- name: Windows Credential Theft Mitigation Guide Abstract
- href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
+ href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
- name: User security and secured identity
items:
- name: Overview
@@ -297,7 +314,7 @@
href: identity-protection/enterprise-certificate-pinning.md
- name: Protect derived domain credentials with Credential Guard
href: identity-protection/credential-guard/credential-guard.md
- items:
+ items:
- name: How Credential Guard works
href: identity-protection/credential-guard/credential-guard-how-it-works.md
- name: Credential Guard Requirements
@@ -322,12 +339,12 @@
href: identity-protection/password-support-policy.md
- name: Access Control Overview
href: identity-protection/access-control/access-control.md
- items:
+ items:
- name: Local Accounts
href: identity-protection/access-control/local-accounts.md
- name: User Account Control
href: identity-protection/user-account-control/user-account-control-overview.md
- items:
+ items:
- name: How User Account Control works
href: identity-protection/user-account-control/how-user-account-control-works.md
- name: User Account Control security policy settings
@@ -336,10 +353,10 @@
href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
- name: Smart Cards
href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
- items:
+ items:
- name: How Smart Card Sign-in Works in Windows
href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
- items:
+ items:
- name: Smart Card Architecture
href: identity-protection/smart-cards/smart-card-architecture.md
- name: Certificate Requirements and Enumeration
@@ -354,7 +371,7 @@
href: identity-protection/smart-cards/smart-card-removal-policy-service.md
- name: Smart Card Tools and Settings
href: identity-protection/smart-cards/smart-card-tools-and-settings.md
- items:
+ items:
- name: Smart Cards Debugging Information
href: identity-protection/smart-cards/smart-card-debugging-information.md
- name: Smart Card Group Policy and Registry Settings
@@ -363,10 +380,10 @@
href: identity-protection/smart-cards/smart-card-events.md
- name: Virtual Smart Cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
- items:
+ items:
- name: Understanding and Evaluating Virtual Smart Cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
- items:
+ items:
- name: "Get Started with Virtual Smart Cards: Walkthrough Guide"
href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
- name: Use Virtual Smart Cards
@@ -388,7 +405,7 @@
- name: Azure Virtual Desktop
href: /azure/virtual-desktop/
- name: Security foundations
- items:
+ items:
- name: Overview
href: security-foundations.md
- name: Microsoft Security Development Lifecycle
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
index 782617bafe..48738d546a 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@@ -2,17 +2,17 @@
title: Encryption and data protection in Windows
description: Get an overview encryption and data protection in Windows 11 and Windows 10
search.appverid: MET150
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-ms.topic: conceptual
-ms.date: 09/08/2021
-ms.prod: m365-security
-ms.technology: windows-sec
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
+ms.topic: overview
+ms.date: 09/22/2022
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection:
ms.custom:
-ms.reviewer: deepakm, rafals
+ms.reviewer: rafals
---
# Encryption and data protection in Windows client
@@ -32,8 +32,8 @@ Encrypted hard drives provide:
- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
-- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
-- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
+- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
+- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
@@ -45,8 +45,14 @@ BitLocker provides encryption for the operating system, fixed data, and removabl
Windows consistently improves data protection by improving existing options and providing new strategies.
+## Personal Data Encryption (PDE)
+
+(*Applies to: Windows 11, version 22H2 and later*)
+
+[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)]
## See also
- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
+- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 1b61031be8..319f5a8afd 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -5,7 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
manager: aaroncz
ms.collection:
- M365-identity-device-management
@@ -22,6 +22,24 @@ appliesto:
- ✅ Windows Server 2022
---
# Manage Windows Defender Credential Guard
+
+## Default Enablement
+
+Starting with Windows 11 Enterprise 22H2, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
+
+### Requirements for automatic enablement
+
+Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements:
+
+|Component|Requirement|
+|---|---|
+|Operating System|Windows 11 Enterprise 22H2|
+|Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
+|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
+
+> [!NOTE]
+> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting.
+
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index e4d7f90a39..5688ac38d1 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -5,7 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
manager: aaroncz
ms.collection:
- M365-identity-device-management
@@ -58,8 +58,8 @@ For information about Windows Defender Remote Credential Guard hardware and soft
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
> [!WARNING]
-> Enabling Windows Defender Credential Guard on domain controllers is not supported.
-> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
+> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time.
+> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers.
> [!NOTE]
> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
@@ -103,9 +103,6 @@ The following tables describe baseline protections, plus protections for improve
|Firmware: **Secure firmware update process**|**Requirements**: - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
|Software: Qualified **Windows operating system**|**Requirement**: - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
-> [!IMPORTANT]
-> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
-
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index 603dcc1d9c..c6ff98bda7 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -25,6 +25,8 @@ appliesto:
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
+Set-StrictMode -Version Latest
+
$path = "C:\DGLogs\"
$LogFile = $path + "DeviceGuardCheckLog.txt"
@@ -796,7 +798,13 @@ function CheckOSArchitecture
function CheckSecureBootState
{
- $_secureBoot = Confirm-SecureBootUEFI
+ try {
+ $_secureBoot = Confirm-SecureBootUEFI
+ }
+ catch
+ {
+ $_secureBoot = $false
+ }
Log $_secureBoot
if($_secureBoot)
{
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
deleted file mode 100644
index c84b17cee4..0000000000
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: WebAuthn APIs
-description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 02/15/2019
----
-# WebAuthn APIs for password-less authentication on Windows
-
-### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can use password-less authentication.
-
-Microsoft has long been a proponent to do away with passwords.
-While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs!
-These APIs allow Microsoft developer partners and the developer community to use Windows Hello and FIDO2 security keys
-as a password-less authentication mechanism for their applications on Windows devices.
-
-#### What does this mean?
-
-This opens opportunities for developers or relying parties (RPs') to enable password-less authentication.
-They can now use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md)
-as a password-less multi-factor credential for authentication.
-
-Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication
- and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs' site!
-
-The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later
- and latest versions of other browsers.
-
-Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users.
- Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC, and BLE
- without having to deal with the interaction and management overhead.
-This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging.
-
-#### Where can developers learn more?
-
-The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index ebbea60361..d057f242cd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -78,7 +78,7 @@ To allow facial recognition, you must have devices with integrated special infra
- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
> [!NOTE]
->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
+>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 0f2c45e2f0..00e6171863 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -35,7 +35,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme
- Multi-factor Authentication is required during Windows Hello for Business provisioning
- Proper name resolution, both internal and external names
- Active Directory and an adequate number of domain controllers per site to support authentication
-- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud trust deployments)
+- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud Kerberos trust deployments)
- One or more workstation computers running Windows 10, version 1703 or later
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
@@ -44,23 +44,23 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
## Deployment and trust models
-Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key trust*, *certificate trust*, and *cloud trust*. On-premises deployment models only support *Key trust* and *certificate trust*.
+Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
The trust model determines how you want users to authenticate to the on-premises Active Directory:
- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates.
-- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using cloud trust instead of key trust if the clients in your enterprise support it.
+- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it.
- The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
> [!Note]
-> RDP does not support authentication with Windows Hello for Business key trust or cloud trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust and cloud trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
Following are the various deployment guides and models included in this topic:
-- [Hybrid Azure AD Joined Cloud Trust Deployment](hello-hybrid-cloud-trust.md)
+- [Hybrid Azure AD Joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index d995550c13..3a4f97b0d0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -69,9 +69,7 @@ If the error occurs again, check the error code against the following table to s
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
-| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.|
-
-
+| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client can not verify the KDC certificate CRL. Use a different login method.|
## Errors with unknown mitigation
@@ -100,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0x801C03F1 | There is no UPN in the token. |
| 0x801C044C | There is no core window for the current thread. |
| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. |
+| 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. |
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 5900a1444c..88115dc1cb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -29,9 +29,9 @@ sections:
- name: Ignored
questions:
- - question: What is Windows Hello for Business cloud trust?
+ - question: What is Windows Hello for Business cloud Kerberos trust?
answer: |
- Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust).
+ Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
- question: What about virtual smart cards?
@@ -84,7 +84,7 @@ sections:
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
answer: |
- Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors).
+ Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors).
- question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked?
answer: |
@@ -155,7 +155,7 @@ sections:
- question: Where is Windows Hello biometrics data stored?
answer: |
- When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
+ When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
- question: What is the format used to store Windows Hello biometrics data on the device?
answer: |
@@ -261,5 +261,4 @@ sections:
- question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
answer: |
- No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD.
-
+ No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 435fe6109b..9b9e87b305 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -96,8 +96,8 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
|--- |--- |--- |
|**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
-|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust|
-|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
+|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
+|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
|**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.|
|**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 909df0b77b..ffaec80712 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -21,10 +21,10 @@ Windows Hello for Business authentication is passwordless, two-factor authentica
Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
- [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
-- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview)
+- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust)
- [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key)
- [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
-- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview)
+- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust)
- [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key)
- [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
@@ -43,7 +43,7 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)
+## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)
@@ -78,13 +78,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
> [!NOTE]
> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
-## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)
+## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)
| Phase | Description |
| :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud trust is enabled. If cloud trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
+|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
|C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 7d93ef16b8..6ebf241107 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -26,7 +26,7 @@ List of provisioning flows:
- [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
- [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
-- [Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-trust-preview-deployment-in-a-managed-environment)
+- [Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
- [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
- [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
- [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
@@ -62,9 +62,9 @@ List of provisioning flows:
[Return to top](#windows-hello-for-business-provisioning)
-## Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment
+## Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment
-
+
[Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png)
| Phase | Description |
@@ -74,7 +74,7 @@ List of provisioning flows:
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. |
> [!NOTE]
-> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
+> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
[Return to top](#windows-hello-for-business-provisioning)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
similarity index 58%
rename from windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index 8765cbc8c3..da2c3ed436 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -1,6 +1,6 @@
---
-title: Hybrid Cloud Trust Deployment (Windows Hello for Business)
-description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
+title: Hybrid cloud Kerberos trust Deployment (Windows Hello for Business)
+description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
ms.prod: m365-security
author: paolomatarazzo
ms.author: paoloma
@@ -11,61 +11,68 @@ ms.topic: article
localizationpriority: medium
ms.date: 2/15/2022
appliesto:
-- ✅ Windows 10 21H2 and later
+- ✅ Windows 10, version 21H2 and later
- ✅ Windows 11
+- ✅ Hybrid deployment
+- ✅ Cloud Kerberos trust
---
-# Hybrid Cloud Trust Deployment (Preview)
+# Hybrid Cloud Kerberos Trust Deployment (Preview)
-Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
+Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
-## Introduction to Cloud Trust
+## Introduction to Cloud Kerberos Trust
-The goal of the Windows Hello for Business cloud trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls.
+The goal of the Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls.
-Windows Hello for Business cloud trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model:
+Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model:
-- Windows Hello for Business cloud trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI.
-- Cloud trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate.
-- Deploying Windows Hello for Business cloud trust enables you to also deploy passwordless security keys with minimal extra setup.
+- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI
+- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate
+- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup
> [!NOTE]
-> Windows Hello for Business cloud trust is recommended instead of key trust if you meet the prerequisites to deploy cloud trust. Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
+> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
-## Azure Active Directory Kerberos and Cloud Trust Authentication
+## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication
-Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
+Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. cloud Kerberos trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs.
When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server object is created in your on-premises AD. This object will appear as a Read Only Domain Controller (RODC) object but isn't associated with any physical servers. This resource is only used by Azure Active Directory to generate TGTs for your Active Directory Domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object.
-More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview).
+More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
-If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
+If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
## Prerequisites
| Requirement | Notes |
| --- | --- |
| Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. |
-| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
+| Patched Windows 10, version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
| Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. |
| Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
-| Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
+| Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
### Unsupported Scenarios
-The following scenarios aren't supported using Windows Hello for Business cloud trust:
+The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:
- On-premises only deployments
- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
- Scenarios that require a certificate for authentication
-- Using cloud trust for "Run as"
-- Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
+- Using cloud Kerberos trust for "Run as"
+- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
+
+> [!NOTE]
+> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
+>
+> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\).
## Deployment Instructions
-Deploying Windows Hello for Business cloud trust consists of two steps:
+Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
1. Set up Azure AD Kerberos in your hybrid environment.
1. Configure Windows Hello for Business policy and deploy it to devices.
@@ -74,74 +81,35 @@ Deploying Windows Hello for Business cloud trust consists of two steps:
If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
-If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module) documentation. This page includes information on how to install and use the Azure AD Kerberos Powershell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud trust.
+If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module) documentation. This page includes information on how to install and use the Azure AD Kerberos Powershell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
### Configure Windows Hello for Business Policy
-After setting up the Azure AD Kerberos Object, Windows Hello for business cloud trust must be enabled using policy. By default, cloud trust won't be used by Hybrid Azure AD joined or Azure AD-joined devices.
+After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-#### Configure Using Group Policy
-
-Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
-
-The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.
-
-You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
-
-Cloud trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
-
-> [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
-
-##### Update Group Policy Objects
-
-You may need to update your Group Policy definitions to be able to configure the cloud trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files.
-
-You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
-
-##### Create the Windows Hello for Business Group Policy object
-
-Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
-
-1. Start the **Group Policy Management Console** (gpmc.msc).
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-1. Right-click **Group Policy object** and select **New**.
-1. Type *Enable Windows Hello for Business* in the name box and click **OK**.
-1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-1. In the navigation pane, expand **Policies** under **Device Configuration**.
-1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
-1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
-1. In the content pane, double-click **Use cloud trust for on-premises authentication**. Click **Enable** and click **OK**.
-1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**.
-
-This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business.
-
-> [!Important]
-> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud trust have this policy not configured or disabled.
-
-#### Configure Using Intune
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices.
-The cloud trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
+The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
-##### Create a user Group that will be targeted for Windows Hello for Business
+### Create a user Group that will be targeted for Windows Hello for Business
-If you have an existing group you want to target with Windows Hello for Business cloud trust policy, you can skip this step.
+If you have an existing group you want to target with Windows Hello for Business cloud Kerberos trust policy, you can skip this step.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
-1. Browse to **Groups** and select **New group**.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/)
+1. Browse to **Groups** and select **New group**
1. Configure the following group settings:
- 1. Group type: "Security"
- 1. Group name: "WHFBCloudTrustUsers" or a group name of your choosing
- 1. Membership type: Assigned
-1. Select **Members** and add users that you want to target with Windows Hello for Business cloud trust.
+ 1. Group type: **Security**
+ 1. Group name: *WHFB cloud Kerberos trust users* or a group name of your choosing
+ 1. Membership type: **Assigned**
+1. Select **Members** and add users that you want to target with Windows Hello for Business cloud Kerberos trust
-You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center.
+You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center
-##### Enable Windows Hello for Business
+### Enable Windows Hello for Business
-If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
+If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud Kerberos trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
You can also follow these steps to create a device configuration policy instead of a device enrollment policy:
@@ -157,53 +125,91 @@ You can also follow these steps to create a device configuration policy instead
1. Select Next to move to **Assignments**.
1. Under Included groups, select **Add groups**.
-1. Select the user group you would like to use Windows Hello for Business cloud trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
+1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog).
-##### Configure Cloud Trust policy
+### Configure Cloud Kerberos Trust policy
-To configure the cloud trust policy, follow the steps below:
+To configure the cloud Kerberos trust policy, follow the steps below:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to Devices > Windows > Configuration Profiles > Create profile.
1. For Platform, select Windows 10 and later.
1. For Profile Type, select **Templates** and select the **Custom** Template.
-1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud trust".
+1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
1. In Configuration Settings, add a new configuration with the following settings:
-
- - Name: "Windows Hello for Business cloud trust" or another familiar name
- - Description: Enable Windows Hello for Business cloud trust for sign-in and on-premises SSO.
- - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/UseCloudTrustForOnPremAuth
-
- >[!IMPORTANT]
- >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID.
-
- - Data type: Boolean
- - Value: True
-
+
+ | Setting |
+ |--------|
+ |
Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
|
+
+ >[!IMPORTANT]
+ >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID.
+
[](./images/hello-cloud-trust-intune-large.png#lightbox)
-
+
1. Select Next to navigate to **Assignments**.
1. Under Included groups, select **Add groups**.
-1. Select the user group you would like to use Windows Hello for Business cloud trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
+1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
> [!Important]
-> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud trust have this policy not configured or disabled.
+> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
+
+#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
+
+Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
+
+The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.
+
+You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
+
+cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
+
+> [!NOTE]
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
+
+#### Update Group Policy Objects
+
+You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files.
+
+You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
+
+#### Create the Windows Hello for Business Group Policy object
+
+Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
+
+1. Start the **Group Policy Management Console** (gpmc.msc).
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+1. Right-click **Group Policy object** and select **New**.
+1. Type *Enable Windows Hello for Business* in the name box and click **OK**.
+1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
+1. In the navigation pane, expand **Policies** under **Device Configuration**.
+1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
+1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
+1. In the content pane, double-click **Use cloud Kerberos trust for on-premises authentication**. Click **Enable** and click **OK**.
+1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**.
+
+This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business.
+
+> [!Important]
+> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
+
+---
## Provisioning
-The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud trust is enabled by policy.
+The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud Kerberos trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs\Microsoft\Windows**. This information is also available using the [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command from a console.
- 
+ 
-The cloud trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud trust is not being enforced by policy or if the device is Azure AD joined.
+The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust is not being enforced by policy or if the device is Azure AD joined.
This prerequisite check isn't done for provisioning on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in.
@@ -223,11 +229,11 @@ After a successful MFA, the provisioning flow asks the user to create and valida
### Sign-in
-Once a user has set up a PIN with cloud trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
+Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
## Troubleshooting
-If you encounter issues or want to share feedback about Windows Hello for Business cloud trust, share via the Windows Feedback Hub app by following these steps:
+If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps:
1. Open **Feedback Hub**, and make sure that you're signed in.
1. Submit feedback by selecting the following categories:
@@ -236,24 +242,24 @@ If you encounter issues or want to share feedback about Windows Hello for Busine
## Frequently Asked Questions
-### Does Windows Hello for Business cloud trust work in my on-premises environment?
+### Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
This feature doesn't work in a pure on-premises AD domain services environment.
-### Does Windows Hello for Business cloud trust work in a Windows login with RODC present in the hybrid environment?
+### Does Windows Hello for Business cloud Kerberos trust work in a Windows login with RODC present in the hybrid environment?
-Windows Hello for Business cloud trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud trust will work.
+Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
-### Do I need line of sight to a domain controller to use Windows Hello for Business cloud trust?
+### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
-Windows Hello for Business cloud trust requires line of sight to a domain controller for some scenarios:
+Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller for some scenarios:
- The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device
- When attempting to access an on-premises resource from an Azure AD joined device
-### Can I use RDP/VDI with Windows Hello for Business cloud trust?
+### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
-Windows Hello for Business cloud trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
+Windows Hello for Business cloud Kerberos trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
-### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust?
+### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
-No, only the number necessary to handle the load from all cloud trust devices.
\ No newline at end of file
+No, only the number necessary to handle the load from all cloud Kerberos trust devices.
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 7a9e8e62b1..0ae2e88df1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -31,20 +31,20 @@ This article lists the infrastructure requirements for the different deployment
The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
-| Requirement | Cloud trust (Preview) Group Policy or Modern managed | Key trust Group Policy or Modern managed | Certificate trust Mixed managed | Certificate trust Modern managed |
+| Requirement | cloud Kerberos trust Group Policy or Modern managed | Key trust Group Policy or Modern managed | Certificate Trust Mixed managed | Certificate Trust Modern managed |
| --- | --- | --- | --- | --- |
| **Windows Version** | Windows 10, version 21H2 with KB5010415; Windows 11 with KB5010414; or later | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:** *Minimum:* Windows 10, version 1703 *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment). **Azure AD Joined:** Windows 10, version 1511 or later| Windows 10, version 1511 or later |
| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema |
| **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
| **Domain Controller Version** | Windows Server 2016 or later | Windows Server 2016 or later | Windows Server 2008 R2 or later | Windows Server 2008 R2 or later |
| **Certificate Authority**| N/A | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
-| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients), and Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | Windows Server 2012 or later Network Device Enrollment Service |
+| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients managed by Group Policy), and Windows Server 2012 or later Network Device Enrollment Service (hybrid Azure AD joined & Azure AD joined managed by MDM) | Windows Server 2012 or later Network Device Enrollment Service |
| **MFA Requirement** | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or AD FS w/Azure MFA adapter, or AD FS w/Azure MFA Server adapter, or AD FS w/3rd Party MFA Adapter |
| **Azure AD Connect** | N/A | Required | Required | Required |
| **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
> [!Important]
-> - Hybrid deployments support non-destructive PIN reset that works with certificate trust, key trust and cloud trust models.
+> - Hybrid deployments support non-destructive PIN reset that works with Certificate Trust, Key Trust and cloud Kerberos trust models.
>
> **Requirements:**
> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 6a355853aa..1981ba37e3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -94,9 +94,9 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
## Comparing key-based and certificate-based authentication
-Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud trust for hybrid deployments, which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
+Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
-Windows Hello for Business with a key, including cloud trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
## Learn more
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index c1dc768999..32137c8e75 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
> [!NOTE]
-> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available.
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see ./hello-hybrid-cloud-kerberos-trust.md.
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
diff --git a/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png
new file mode 100644
index 0000000000..49639cefcf
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png
new file mode 100644
index 0000000000..97ca13f648
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png differ
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index bdd841ab2c..3907b4b422 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -65,6 +65,8 @@ landingContent:
url: hello-identity-verification.md
- linkListType: how-to-guide
links:
+ - text: Hybrid Cloud Kerberos Trust Deployment
+ url: hello-hybrid-cloud-kerberos-trust.md
- text: Hybrid Azure AD Joined Key Trust Deployment
url: hello-hybrid-key-trust.md
- text: Hybrid Azure AD Joined Certificate Trust Deployment
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 1e3bd031b3..2c22050ab0 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -21,6 +21,8 @@
href: hello-how-it-works-provisioning.md
- name: Authentication
href: hello-how-it-works-authentication.md
+ - name: WebAuthn APIs
+ href: webauthn-apis.md
- name: How-to Guides
items:
- name: Windows Hello for Business Deployment Overview
@@ -33,8 +35,8 @@
href: hello-prepare-people-to-use.md
- name: Deployment Guides
items:
- - name: Hybrid Cloud Trust Deployment
- href: hello-hybrid-cloud-trust.md
+ - name: Hybrid Cloud Kerberos Trust Deployment
+ href: hello-hybrid-cloud-kerberos-trust.md
- name: Hybrid Azure AD Joined Key Trust
items:
- name: Hybrid Azure AD Joined Key Trust Deployment
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
new file mode 100644
index 0000000000..26654a00e4
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -0,0 +1,124 @@
+---
+title: WebAuthn APIs
+description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
+ms.prod: m365-security
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.reviewer: prsriva
+ms.collection: M365-identity-device-management
+ms.topic: article
+localizationpriority: medium
+ms.date: 09/15/2022
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+---
+# WebAuthn APIs for passwordless authentication on Windows
+
+Passwords can leave your customers vulnerable to data breaches and security attacks by malicious users.
+
+Microsoft has long been a proponent of passwordless authentication, and has introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903).
+
+Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.
+
+## What does this mean?
+
+By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) to implement passwordless multi-factor authentication for their applications on Windows devices.
+
+Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use.
+
+Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead.
+
+> [!NOTE]
+> When these APIs are in use, Windows 10 browsers or applications don't have direct access to the FIDO2 transports for FIDO-related messaging.
+
+## The big picture
+
+The Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators).
+
+The authentication process starts when the user makes a specific user gesture that indicates consent for the operation. At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally.
+
+After these client-specific keys are created, clients can request attestations for registration and authentication. The type of signature that the private key uses reflects the user gesture that was made.
+
+The following diagram shows how CTAP and WebAuthn interact. The light blue dotted arrows represent interactions that depend on the specific implementation of the platform APIs.
+
+:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview.png" alt-text="The diagram shows how the WebAuthn API interacts with the relying parties and the CTAPI2 API.":::
+
+*Relationships of the components that participate in passwordless authentication*
+
+A combined WebAuthn/CTAP2 dance includes the following cast of characters:
+
+- **Client device**. The *client device* is the hardware that hosts a given strong authentication. Laptops and phones are examples of client devices.
+
+- **Relying parties and clients**. *Relying parties* are web or native applications that consume strong credentials. The relying parties run on client devices.
+
+ - As a relying party, a native application can also act as a WebAuthn client to make direct WebAuthn calls.
+
+ - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser.
+
+ > [!NOTE]
+ > The preceding diagram doesn't depict Single Sign-On (SSO) authentication. Be careful not to confuse FIDO relying parties with federated relying parties.
+
+- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request the authenticator to create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on.
+
+- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions shown in the preceding diagram may differ.
+
+- **Platform authenticator**. A *platform authenticator* usually resides on a client device. Examples of platform authenticators include fingerprint recognition technology that uses a built-in laptop fingerprint reader and facial recognition technology that uses a built-in smartphone camera. Cross-platform transport protocols such as USB, NFC or BLE can't access platform authenticators.
+
+- **Roaming authenticator**. A *roaming authenticator* can connect to multiple client devices. Client devices must use a supported transport protocol to negotiate interactions. Examples of roaming authenticators include USB security keys, BLE-enabled smartphone applications, and NFC-enabled proximity cards. Roaming authenticators can support CTAP1, CTAP2, or both protocols.
+
+Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile application.
+
+## Interoperability
+
+Before WebAuthn and CTAP2, there were U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality.
+
+FIDO2 authenticators have already been implemented and WebAuthn relying parties might require the following optional features:
+
+- Keys for multiple accounts (keys can be stored per relying party)
+- Client PIN
+- Location (the authenticator returns a location)
+- [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios)
+
+The following options might be useful in the future, but haven't been observed in the wild yet:
+
+- Transactional approval
+- User verification index (servers can determine whether biometric data that's stored locally has changed over time)
+- User verification method (the authenticator returns the exact method)
+- Biometric performance bounds (the relying party can specify acceptable false acceptance and false rejection rates)
+
+## Microsoft implementation
+
+The Microsoft FIDO2 implementation has been years in the making. Software and services are implemented independently as standards-compliant entities. As of the Windows 10, version 1809 (October 2018) release, all Microsoft components use the latest WebAuthn Candidate Release. It's a stable release that's not expected to normatively change before the specification is finally ratified. Because Microsoft is among the first in the world to deploy FIDO2, some combinations of popular non-Microsoft components won't be interoperable yet.
+
+Here's an approximate layout of where the Microsoft bits go:
+
+:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png" alt-text="The diagram shows how the WebAuthn API interacts with the Microsoft relying parties and the CTAPI2 API.":::
+
+*Microsoft's implementation of WebAuthn and CATP2 APIs*
+
+- **WebAuthn relying party: Microsoft Account**. If you aren't familiar with Microsoft Account, it's the sign-in service for Xbox, Outlook, and many other sites. The sign-in experience uses client-side JavaScript to trigger Microsoft Edge to talk to the WebAuthn APIs. Microsoft Account requires that authenticators have the following characteristics:
+
+ - Keys are stored locally on the authenticator and not on a remote server
+ - Offline scenarios work (enabled by using HMAC)
+ - Users can put keys for multiple user accounts on the same authenticator
+ - If it's necessary, authenticators can use a client PIN to unlock a TPM
+ > [!IMPORTANT]
+ > Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials.
+
+- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
+
+ > [!NOTE]
+ > For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication).
+
+- **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs.
+
+- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
+
+## Developer references
+
+The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications:
+
+- [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec.
+- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This document is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
diff --git a/windows/security/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg
new file mode 100644
index 0000000000..21a6b4f235
--- /dev/null
+++ b/windows/security/images/icons/accessibility.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/images/icons/group-policy.svg b/windows/security/images/icons/group-policy.svg
new file mode 100644
index 0000000000..ace95add6b
--- /dev/null
+++ b/windows/security/images/icons/group-policy.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/images/icons/intune.svg b/windows/security/images/icons/intune.svg
new file mode 100644
index 0000000000..6e0d938aed
--- /dev/null
+++ b/windows/security/images/icons/intune.svg
@@ -0,0 +1,24 @@
+
\ No newline at end of file
diff --git a/windows/security/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg
new file mode 100644
index 0000000000..ab2d5152ca
--- /dev/null
+++ b/windows/security/images/icons/powershell.svg
@@ -0,0 +1,20 @@
+
\ No newline at end of file
diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg
new file mode 100644
index 0000000000..dbbad7d780
--- /dev/null
+++ b/windows/security/images/icons/provisioning-package.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg
new file mode 100644
index 0000000000..06ab4c09d7
--- /dev/null
+++ b/windows/security/images/icons/registry.svg
@@ -0,0 +1,22 @@
+
\ No newline at end of file
diff --git a/windows/security/images/icons/windows-os.svg b/windows/security/images/icons/windows-os.svg
new file mode 100644
index 0000000000..da64baf975
--- /dev/null
+++ b/windows/security/images/icons/windows-os.svg
@@ -0,0 +1,3 @@
+
\ No newline at end of file
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 2fedb0e205..c8868f61f1 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -133,13 +133,13 @@ landingContent:
- linkListType: concept
links:
- text: Mobile device management
- url: https://docs.microsoft.com/windows/client-management/mdm/
+ url: /windows/client-management/mdm/
- text: Azure Active Directory
url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory
- text: Your Microsoft Account
url: identity-protection/access-control/microsoft-accounts.md
- text: OneDrive
- url: https://docs.microsoft.com/onedrive/onedrive
+ url: /onedrive/onedrive
- text: Family safety
url: threat-protection/windows-defender-security-center/wdsc-family-options.md
# Cards and links should be based on top customer tasks or top subjects
@@ -170,4 +170,3 @@ landingContent:
links:
- text: Windows and Privacy Compliance
url: /windows/privacy/windows-10-and-privacy-compliance
-
diff --git a/windows/security/information-protection/images/pluton/pluton-firmware-load.png b/windows/security/information-protection/images/pluton/pluton-firmware-load.png
new file mode 100644
index 0000000000..28dee91260
Binary files /dev/null and b/windows/security/information-protection/images/pluton/pluton-firmware-load.png differ
diff --git a/windows/security/information-protection/images/pluton/pluton-security-architecture.png b/windows/security/information-protection/images/pluton/pluton-security-architecture.png
new file mode 100644
index 0000000000..adab20b080
Binary files /dev/null and b/windows/security/information-protection/images/pluton/pluton-security-architecture.png differ
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
new file mode 100644
index 0000000000..0151546bcc
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
@@ -0,0 +1,124 @@
+---
+title: Configure Personal Data Encryption (PDE) in Intune
+description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
+
+author: frankroj
+ms.author: frankroj
+ms.reviewer: rafals
+manager: aaroncz
+ms.topic: how-to
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.date: 09/22/2022
+---
+
+
+
+# Configure Personal Data Encryption (PDE) policies in Intune
+
+## Required prerequisites
+
+### Enable Personal Data Encryption (PDE)
+
+1. Sign into the Intune
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Templates**
+6. Under **Template name**, select **Custom**, and then select **Create**
+7. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 2. Next to **Description**, enter a description
+8. Select **Next**
+9. On the **Configuration settings** tab, select **Add**
+10. In the **Add Row** window:
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 2. Next to **Description**, enter a description
+ 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
+ 4. Next to **Data type**, select **Integer**
+ 5. Next to **Value**, enter in **1**
+11. Select **Save**, and then select **Next**
+12. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the PDE policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+13. On the **Applicability Rules** tab, configure if necessary and then select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
+#### Disable Winlogon automatic restart sign-on (ARSO)
+
+1. Sign into the Intune
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Templates**
+6. Under **Template name**, select **Administrative templates**, and then select **Create**
+7. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable ARSO**
+ 2. Next to **Description**, enter a description
+8. Select **Next**
+9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options**
+10. Select **Sign-in and lock last interactive user automatically after a restart**
+11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
+12. Select **Next**
+13. On the **Scope tags** tab, configure if necessary and then select **Next**
+12. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the ARSO policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
+## Recommended prerequisites
+
+#### Disable crash dumps
+
+1. Sign into the Intune
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Settings catalog**, and then select **Create**
+6. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable Hibernation**
+ 2. Next to **Description**, enter a description
+7. Select **Next**
+8. On the **Configuration settings** tab, select **Add settings**
+9. In the **Settings picker** windows, select **Memory Dump**
+10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next**
+12. On the **Scope tags** tab, configure if necessary and then select **Next**
+13. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the crash dumps policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
+#### Disable hibernation
+
+1. Sign into the Intune
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Settings catalog**, and then select **Create**
+6. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable Hibernation**
+ 2. Next to **Description**, enter a description
+7. Select **Next**
+8. On the **Configuration settings** tab, select **Add settings**
+9. In the **Settings picker** windows, select **Power**
+10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+11. Change **Allow Hibernate** to **Block**, and then select **Next**
+12. On the **Scope tags** tab, configure if necessary and then select **Next**
+13. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the hibernation policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
+## See also
+- [Personal Data Encryption (PDE)](overview-pde.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
\ No newline at end of file
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
new file mode 100644
index 0000000000..49b38650ce
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@@ -0,0 +1,74 @@
+### YamlMime:FAQ
+
+metadata:
+ title: Frequently asked questions for Personal Data Encryption (PDE)
+ description: Answers to common questions regarding Personal Data Encryption (PDE).
+ author: frankroj
+ ms.author: frankroj
+ ms.reviewer: rafals
+ manager: aaroncz
+ ms.topic: faq
+ ms.prod: windows-client
+ ms.technology: itpro-security
+ ms.localizationpriority: medium
+ ms.date: 09/22/2022
+
+title: Frequently asked questions for Personal Data Encryption (PDE)
+summary: |
+ Here are some answers to common questions regarding Personal Data Encryption (PDE)
+
+sections:
+ - name: Single section - ignored
+ questions:
+ - question: Can PDE encrypt entire volumes or drives?
+ answer: |
+ No. PDE only encrypts specified files.
+
+ - question: Is PDE a replacement for BitLocker?
+ answer: |
+ No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
+
+ - question: Can an IT admin specify which files should be encrypted?
+ answer: |
+ Yes, but it can only be done using the PDE APIs.
+
+ - question: Do I need to use OneDrive as my backup provider?
+ answer: |
+ No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
+
+ - question: What is the relation between Windows Hello for Business and PDE?
+ answer: |
+ Windows Hello for Business unlocks PDE encryption keys during user sign on.
+
+ - question: Can a file be encrypted with both PDE and EFS at the same time?
+ answer: |
+ No. PDE and EFS are mutually exclusive.
+
+ - question: Can a PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
+ answer: |
+ No. Accessing PDE encrypted files over RDP isn't currently supported.
+
+ - question: Can a PDE encrypted files be access via a network share?
+ answer: |
+ No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+
+ - question: How can it be determined if a file is encrypted with PDE?
+ answer: |
+ Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file.
+
+ - question: Can users manually encrypt and decrypt files with PDE?
+ answer: |
+ Currently users can decrypt files manually but they can't encrypt files manually.
+
+ - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?
+ answer: |
+ No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+
+ - question: What encryption method and strength does PDE use?
+ answer: |
+ PDE uses AES-256 to encrypt files
+
+additionalContent: |
+ ## See also
+ - [Personal Data Encryption (PDE)](overview-pde.md)
+ - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
\ No newline at end of file
diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
new file mode 100644
index 0000000000..7ca7334657
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
@@ -0,0 +1,27 @@
+---
+title: Personal Data Encryption (PDE) description
+description: Personal Data Encryption (PDE) description include file
+
+author: frankroj
+ms.author: frankroj
+ms.reviewer: rafals
+manager: aaroncz
+ms.topic: how-to
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.date: 09/22/2022
+---
+
+
+
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+
+PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features.
+
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
+
+> [!NOTE]
+> PDE is currently only available to developers via [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE.
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
new file mode 100644
index 0000000000..90896a5bd7
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -0,0 +1,142 @@
+---
+title: Personal Data Encryption (PDE)
+description: Personal Data Encryption unlocks user encrypted files at user sign in instead of at boot.
+
+author: frankroj
+ms.author: frankroj
+ms.reviewer: rafals
+manager: aaroncz
+ms.topic: how-to
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.date: 09/22/2022
+---
+
+
+
+# Personal Data Encryption (PDE)
+
+(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*)
+
+[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
+
+## Prerequisites
+
+### **Required**
+ - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
+ - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md)
+ - Windows 11, version 22H2 and later Enterprise and Education editions
+
+### **Not supported with PDE**
+ - [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md)
+ - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
+ - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)).
+ - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
+ - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+ - Remote Desktop connections
+
+### **Highly recommended**
+ - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
+ - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
+ - Backup solution such as [OneDrive](/onedrive/onedrive)
+ - In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
+ - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
+ - Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
+ - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
+ - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
+ - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
+ - Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
+ - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
+ - Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
+
+## PDE protection levels
+
+PDE uses AES-256 to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
+
+| Item | Level 1 | Level 2 |
+|---|---|---|
+| Data is accessible when user is signed in | Yes | Yes |
+| Data is accessible when user has locked their device | Yes | No |
+| Data is accessible after user signs out | No | No |
+| Data is accessible when device is shut down | No | No |
+| Decryption keys discarded | After user signs out | After user locks device or signs out |
+
+## PDE encrypted files accessibility
+
+When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file.
+
+Scenarios where a user will be denied access to a PDE encrypted file include:
+
+- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
+- If specified via level 2 protection, when the device is locked.
+- When trying to access files on the device remotely. For example, UNC network paths.
+- Remote Desktop sessions.
+- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
+
+## How to enable PDE
+
+To enable PDE on devices, push an MDM policy to the devices with the following parameters:
+
+- Name: **Personal Data Encryption**
+- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
+- Data type: **Integer**
+- Value: **1**
+
+There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
+
+> [!NOTE]
+> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
+
+For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde).
+
+## Differences between PDE and BitLocker
+
+| Item | PDE | BitLocker |
+|--|--|--|
+| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
+| Encryption keys discarded | At user sign out | At reboot |
+| Files encrypted | Individual specified files | Entire volume/drive |
+| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
+| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
+
+## Differences between PDE and EFS
+
+The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
+
+To see if a file is encrypted with PDE or EFS:
+
+1. Open the properties of the file
+2. Under the **General** tab, select **Advanced...**
+3. In the **Advanced Attributes** windows, select **Details**
+
+For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
+
+For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
+
+Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command.
+
+## Disable PDE and decrypt files
+
+Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using `cipher.exe`.
+
+In certain scenarios a user may be able to manually decrypt a file using the following steps:
+
+1. Open the properties of the file
+2. Under the **General** tab, select **Advanced...**
+3. Uncheck the option **Encrypt contents to secure data**
+4. Select **OK**, and then **OK** again
+
+> [!Important]
+> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again.
+
+## Windows out of box applications that support PDE
+
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
+
+- Mail
+ - Supports encrypting both email bodies and attachments
+
+## See also
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
+- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
\ No newline at end of file
diff --git a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
new file mode 100644
index 0000000000..dc0cc09dcd
--- /dev/null
+++ b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
@@ -0,0 +1,52 @@
+---
+title: Microsoft Pluton security processor
+description: Learn more about Microsoft Pluton security processor
+ms.reviewer:
+ms.prod: m365-security
+author: vinaypamnani-msft
+ms.author: vinpa
+manager: aaroncz
+ms.localizationpriority: medium
+ms.collection:
+ - M365-security-compliance
+ms.topic: conceptual
+ms.date: 09/15/2022
+appliesto:
+- ✅ Windows 11, version 22H2
+---
+
+# Microsoft Pluton security processor
+
+Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
+
+Microsoft Pluton is currently available on devices with Ryzen 7000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
+
+## What is Microsoft Pluton?
+
+Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker has installed malware or has complete physical possession of the PC.
+
+Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module as well as deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md).
+
+Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/).
+
+## Microsoft Pluton security architecture overview
+
+
+
+Pluton Security subsystem consists of the following layers:
+
+| | Description |
+|--|--|
+| **Hardware** | Pluton Security Processor is a secure element tightly integrated into the SoC subsystem. It provides a trusted execution environment while delivering cryptographic services required for protecting sensitive resources and critical items like keys, data, etc. |
+| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For additional information, see [Firmware load flow](#firmware-load-flow) |
+| **Software** | Operating system drivers and applications available to an end user to allow seamless usage of the hardware capabilities provided by the Pluton security subsystem. |
+
+## Firmware load flow
+
+When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware is not available, Windows uses the firmware that was loaded during the hardware initialization. The diagram below illustrates this process:
+
+
+
+## Related topics
+
+[Microsoft Pluton as TPM](pluton-as-tpm.md)
diff --git a/windows/security/information-protection/pluton/pluton-as-tpm.md b/windows/security/information-protection/pluton/pluton-as-tpm.md
new file mode 100644
index 0000000000..ac2cad6ed7
--- /dev/null
+++ b/windows/security/information-protection/pluton/pluton-as-tpm.md
@@ -0,0 +1,50 @@
+---
+title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
+description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
+ms.reviewer:
+ms.prod: m365-security
+author: vinaypamnani-msft
+ms.author: vinpa
+manager: aaroncz
+ms.localizationpriority: medium
+ms.collection:
+ - M365-security-compliance
+ms.topic: conceptual
+ms.date: 09/15/2022
+appliesto:
+- ✅ Windows 11, version 22H2
+---
+
+# Microsoft Pluton as Trusted Platform Module
+
+Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and Windows Defender System Guard.
+
+As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution cannot access key material.
+
+Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for them to apply these updates.
+
+To learn more about the TPM related scenarios that benefit from Pluton, see [TPM and Windows Features](/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features).
+
+## Microsoft Pluton as a security processor alongside discrete TPM
+
+Microsoft Pluton can be used as a TPM, or in conjunction with a TPM. Although Pluton builds security directly into the CPU, device manufacturers may choose to use discrete TPM as the default TPM, while having Pluton available to the system as a security processor for use cases beyond the TPM.
+
+Pluton is integrated within the SoC subsystem, and provides a flexible, updatable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. We encourage users owning devices that are Pluton capable, to enable Microsoft Pluton as the default TPM.
+
+## Enable Microsoft Pluton as TPM
+
+Devices with Ryzen 7000 and Qualcomm Snapdragon® 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device.
+
+UEFI setup options differ from product to product, visit the product website and check for guidance to enable Pluton as TPM.
+
+> [!WARNING]
+> If BitLocker is enabled, We recommend disabling BitLocker before changing the TPM configuration to prevent lockouts. After changing TPM configuration, re-enable BitLocker which will then bind the BitLocker keys with the Pluton TPM. Alternatively, save the BitLocker recovery key onto a USB drive.
+>
+> Windows Hello must be re-configured after switching the TPM. Setup alternate login methods before changing the TPM configuration to prevent any login issues.
+
+> [!TIP]
+> On most Lenovo devices, entering the UEFI options requires pressing Enter key at startup followed by pressing F1. In the UEFI Setup menu, select Security option, then on the Security page, select Security Chip option, to see the TPM configuration options. Under the drop-down list for Security Chip selection, select **MSFT Pluton** and click F10 to Save and Exit.
+
+## Related topics
+
+[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index 168c3d7608..d9221e9bca 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -31,7 +31,7 @@ Application Guard uses both network isolation and application-specific settings.
These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
> [!NOTE]
-> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge.
+> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge in managed mode.
> [!NOTE]
> You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy.
@@ -56,15 +56,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
-|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally: - Disable the clipboard functionality completely when Virtualization Security is enabled. - Enable copying of certain content from Application Guard into Microsoft Edge. - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
-|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally: - Enable Application Guard to print into the XPS format. - Enable Application Guard to print into the PDF format. - Enable Application Guard to print to locally attached printers. - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:** 1. Open a command-line program and navigate to `Windows/System32`. 2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data. 3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns On the clipboard functionality and lets you choose whether to additionally: - Disable the clipboard functionality completely when Virtualization Security is enabled. - Enable copying of certain content from Application Guard into Microsoft Edge. - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns On the print functionality and lets you choose whether to additionally: - Enable Application Guard to print into the XPS format. - Enable Application Guard to print into the PDF format. - Enable Application Guard to print to locally attached printers. - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:** 1. Open a command-line program and navigate to `Windows/System32`. 2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data. 3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options: - Enable Microsoft Defender Application Guard only for Microsoft Edge - Enable Microsoft Defender Application Guard only for Microsoft Office - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher
Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
+|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher
Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
+|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
-|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** event logs aren't collected from your Application Guard container.|
+|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
## Application Guard support dialog settings
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 33f69ede20..e02cee6ffc 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,18 +1,15 @@
---
title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.topic: overview
ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 10/20/2021
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
-ms.technology: windows-sec
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.date: 08/25/2022
+ms.reviewer: sazankha
+manager: aaroncz
---
# System requirements for Microsoft Defender Application Guard
@@ -31,6 +28,9 @@ The threat landscape is continually evolving. While hackers are busy developing
Your environment must have the following hardware to run Microsoft Defender Application Guard.
+> [!NOTE]
+> Application Guard currently isn't supported on Windows 11 ARM64 devices.
+
| Hardware | Description |
|--------|-----------|
| 64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
@@ -45,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
-| Operating system | Windows 10 Enterprise edition, version 1809 or higher Windows 10 Professional edition, version 1809 or higher Windows 10 Professional for Workstations edition, version 1809 or higher Windows 10 Professional Education edition, version 1809 or higher Windows 10 Education edition, version 1809 or higher Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions. Windows 11 Education, Enterprise, and Professional |
+| Operating system | Windows 10 Enterprise edition, version 1809 or later Windows 10 Professional edition, version 1809 or later Windows 10 Professional for Workstations edition, version 1809 or later Windows 10 Professional Education edition, version 1809 or later Windows 10 Education edition, version 1809 or later Windows 11 Education, Enterprise, and Professional editions |
| Browser | Microsoft Edge |
| Management system (only for managed devices)| [Microsoft Intune](/intune/)
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 3f1a94a7ad..59695ee06d 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -2,8 +2,8 @@
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
ms.prod: m365-security
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.localizationpriority: high
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
new file mode 100644
index 0000000000..f2d56646e4
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
@@ -0,0 +1,99 @@
+---
+title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
+description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
+ms.prod: m365-security
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: v-mathavale
+ms.author: v-mathavale
+audience: IT Admin
+ms.localizationpriority: medium
+ms.date: 06/21/2022
+ms.reviewer: paoloma
+manager: aaroncz
+ms.technology: windows-sec
+adobe-target: true
+appliesto:
+- ✅ Windows 11, version 22H2
+---
+
+# Enhanced Phishing Protection in Microsoft Defender SmartScreen
+
+Starting in Windows 11 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
+
+Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways:
+
+- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account
+- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password
+- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file
+
+## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
+
+Enhanced Phishing Protection provides robust phishing protections for work or school passwords that are used to sign into Windows 11. The benefits of Enhanced Phishing Protection are:
+
+- **Anti-phishing support:** Phishing attacks trick users through convincing imitations of safe content or through credential harvesting content hosted inside trusted sites and applications. Enhanced Phishing Protection helps protect users from reported phishing sites by evaluating the URLs a site or app is connecting to, along with other characteristics, to determine if they're known to distribute or host unsafe content
+- **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information, etc.) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them
+- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the M365D Portal. This enables you to view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment
+- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, are not enabled.
+
+## Configure Enhanced Phishing Protection for your organization
+
+Enhanced Phishing Protection can be configured via Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service like Microsoft Intune. Follow the instructions below to configure your devices using either GPO or CSP.
+
+#### [✅ **GPO**](#tab/gpo)
+
+Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings:
+
+|Setting|Description|
+|---------|---------|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender.
If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
+
+#### [✅ **CSP**](#tab/csp)
+
+Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](/windows/client-management/mdm/policy-csp-webthreatdefense).
+
+| Setting | OMA-URI | Data type |
+|-------------------------|---------------------------------------------------------------------------|-----------|
+| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
+| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer |
+| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer |
+| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer |
+
+---
+
+### Recommended settings for your organization
+
+By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it is recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
+
+To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
+
+#### [✅ **GPO**](#tab/gpo)
+
+|Group Policy setting|Recommendation|
+|---------|---------|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate. It encourages users to change their password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
+
+#### [✅ **CSP**](#tab/csp)
+
+|MDM setting|Recommendation|
+|---------|---------|
+|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users.|
+|NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
+|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
+|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+
+---
+
+## Related articles
+- [Microsoft Defender SmartScreen](microsoft-defender-smartscreen-overview.md)
+- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [Threat protection](../index.md)
+- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
+- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference.md#configuration-service-provider-reference)
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index f85611c594..fe15669214 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -49,7 +49,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
- Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true)
```powershell
- New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level Publisher -Fallback Hash
+ New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash
```
- Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index a7d64bd225..dcad6a2586 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -3,313 +3,309 @@
- name: About application control for Windows
href: windows-defender-application-control.md
expanded: true
- items:
+ items:
- name: WDAC and AppLocker Overview
href: wdac-and-applocker-overview.md
- items:
- - name: WDAC and AppLocker Feature Availability
- href: feature-availability.md
- - name: Virtualization-based protection of code integrity
- href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- - name: WDAC design guide
- href: windows-defender-application-control-design-guide.md
- items:
- - name: Plan for WDAC policy lifecycle management
- href: plan-windows-defender-application-control-management.md
- - name: Design your WDAC policy
- items:
- - name: Understand WDAC policy design decisions
- href: understand-windows-defender-application-control-policy-design-decisions.md
- - name: Understand WDAC policy rules and file rules
- href: select-types-of-rules-to-create.md
- items:
- - name: Allow apps installed by a managed installer
- href: configure-authorized-apps-deployed-with-a-managed-installer.md
- - name: Allow reputable apps with Intelligent Security Graph (ISG)
- href: use-windows-defender-application-control-with-intelligent-security-graph.md
- - name: Allow COM object registration
- href: allow-com-object-registration-in-windows-defender-application-control-policy.md
- - name: Use WDAC with .NET hardening
- href: use-windows-defender-application-control-with-dynamic-code-security.md
- - name: Manage packaged apps with WDAC
- href: manage-packaged-apps-with-windows-defender-application-control.md
- - name: Use WDAC to control specific plug-ins, add-ins, and modules
- href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- - name: Understand WDAC policy settings
- href: understanding-wdac-policy-settings.md
- - name: Use multiple WDAC policies
- href: deploy-multiple-windows-defender-application-control-policies.md
- - name: Create your WDAC policy
- items:
- - name: Example WDAC base policies
- href: example-wdac-base-policies.md
- - name: Policy creation for common WDAC usage scenarios
- href: types-of-devices.md
- items:
- - name: Create a WDAC policy for lightly managed devices
- href: create-wdac-policy-for-lightly-managed-devices.md
- - name: Create a WDAC policy for fully managed devices
- href: create-wdac-policy-for-fully-managed-devices.md
- - name: Create a WDAC policy for fixed-workload devices
- href: create-initial-default-policy.md
- - name: Create a WDAC deny list policy
- href: create-wdac-deny-policy.md
- - name: Microsoft recommended block rules
- href: microsoft-recommended-block-rules.md
- - name: Microsoft recommended driver block rules
- href: microsoft-recommended-driver-block-rules.md
- - name: Use the WDAC Wizard tool
- href: wdac-wizard.md
- items:
- - name: Create a base WDAC policy with the Wizard
- href: wdac-wizard-create-base-policy.md
- - name: Create a supplemental WDAC policy with the Wizard
- href: wdac-wizard-create-supplemental-policy.md
- - name: Editing a WDAC policy with the Wizard
- href: wdac-wizard-editing-policy.md
- - name: Merging multiple WDAC policies with the Wizard
- href: wdac-wizard-merging-policies.md
- - name: WDAC deployment guide
- href: windows-defender-application-control-deployment-guide.md
- items:
- - name: Deploy WDAC policies with MDM
- href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- - name: Deploy WDAC policies with Configuration Manager
- href: deployment/deploy-wdac-policies-with-memcm.md
- - name: Deploy WDAC policies with script
- href: deployment/deploy-wdac-policies-with-script.md
- - name: Deploy WDAC policies with group policy
- href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- - name: Audit WDAC policies
- href: audit-windows-defender-application-control-policies.md
- - name: Merge WDAC policies
- href: merge-windows-defender-application-control-policies.md
- - name: Enforce WDAC policies
- href: enforce-windows-defender-application-control-policies.md
- - name: Use code signing to simplify application control for classic Windows applications
- href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
- items:
- - name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
- href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
- - name: "Optional: Create a code signing cert for WDAC"
- href: create-code-signing-cert-for-windows-defender-application-control.md
- - name: Deploy catalog files to support WDAC
- href: deploy-catalog-files-to-support-windows-defender-application-control.md
- - name: Use signed policies to protect Windows Defender Application Control against tampering
- href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- - name: Disable WDAC policies
- href: disable-windows-defender-application-control-policies.md
- - name: LOB Win32 Apps on S Mode
- href: LOB-win32-apps-on-s.md
- - name: WDAC operational guide
- href: windows-defender-application-control-operational-guide.md
- items:
- - name: Understanding Application Control event tags
- href: event-tag-explanations.md
- - name: Understanding Application Control event IDs
- href: event-id-explanations.md
- - name: Query WDAC events with Advanced hunting
- href: querying-application-control-events-centrally-using-advanced-hunting.md
- - name: Known Issues
- href: operations/known-issues.md
- - name: Managed installer and ISG technical reference and troubleshooting guide
- href: configure-wdac-managed-installer.md
- - name: WDAC AppId Tagging guide
- href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+ - name: WDAC and AppLocker Feature Availability
+ href: feature-availability.md
+ - name: Virtualization-based protection of code integrity
+ href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+- name: WDAC design guide
+ href: windows-defender-application-control-design-guide.md
+ items:
+ - name: Plan for WDAC policy lifecycle management
+ href: plan-windows-defender-application-control-management.md
+ - name: Design your WDAC policy
items:
- - name: Creating AppId Tagging Policies
- href: AppIdTagging/design-create-appid-tagging-policies.md
- - name: Deploying AppId Tagging Policies
- href: AppIdTagging/deploy-appid-tagging-policies.md
- - name: Testing and Debugging AppId Tagging Policies
- href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
- - name: AppLocker
- href: applocker\applocker-overview.md
- items:
- - name: Administer AppLocker
- href: applocker\administer-applocker.md
- items:
- - name: Maintain AppLocker policies
- href: applocker\maintain-applocker-policies.md
- - name: Edit an AppLocker policy
- href: applocker\edit-an-applocker-policy.md
- - name: Test and update an AppLocker policy
- href: applocker\test-and-update-an-applocker-policy.md
- - name: Deploy AppLocker policies by using the enforce rules setting
- href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
- - name: Use the AppLocker Windows PowerShell cmdlets
- href: applocker\use-the-applocker-windows-powershell-cmdlets.md
- - name: Use AppLocker and Software Restriction Policies in the same domain
- href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
- - name: Optimize AppLocker performance
- href: applocker\optimize-applocker-performance.md
- - name: Monitor app usage with AppLocker
- href: applocker\monitor-application-usage-with-applocker.md
- - name: Manage packaged apps with AppLocker
- href: applocker\manage-packaged-apps-with-applocker.md
- - name: Working with AppLocker rules
- href: applocker\working-with-applocker-rules.md
- items:
- - name: Create a rule that uses a file hash condition
- href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
- - name: Create a rule that uses a path condition
- href: applocker\create-a-rule-that-uses-a-path-condition.md
- - name: Create a rule that uses a publisher condition
- href: applocker\create-a-rule-that-uses-a-publisher-condition.md
- - name: Create AppLocker default rules
- href: applocker\create-applocker-default-rules.md
- - name: Add exceptions for an AppLocker rule
- href: applocker\configure-exceptions-for-an-applocker-rule.md
- - name: Create a rule for packaged apps
- href: applocker\create-a-rule-for-packaged-apps.md
- - name: Delete an AppLocker rule
- href: applocker\delete-an-applocker-rule.md
- - name: Edit AppLocker rules
- href: applocker\edit-applocker-rules.md
- - name: Enable the DLL rule collection
- href: applocker\enable-the-dll-rule-collection.md
- - name: Enforce AppLocker rules
- href: applocker\enforce-applocker-rules.md
- - name: Run the Automatically Generate Rules wizard
- href: applocker\run-the-automatically-generate-rules-wizard.md
- - name: Working with AppLocker policies
- href: applocker\working-with-applocker-policies.md
- items:
- - name: Configure the Application Identity service
- href: applocker\configure-the-application-identity-service.md
- - name: Configure an AppLocker policy for audit only
- href: applocker\configure-an-applocker-policy-for-audit-only.md
- - name: Configure an AppLocker policy for enforce rules
- href: applocker\configure-an-applocker-policy-for-enforce-rules.md
- - name: Display a custom URL message when users try to run a blocked app
- href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
- - name: Export an AppLocker policy from a GPO
- href: applocker\export-an-applocker-policy-from-a-gpo.md
- - name: Export an AppLocker policy to an XML file
- href: applocker\export-an-applocker-policy-to-an-xml-file.md
- - name: Import an AppLocker policy from another computer
- href: applocker\import-an-applocker-policy-from-another-computer.md
- - name: Import an AppLocker policy into a GPO
- href: applocker\import-an-applocker-policy-into-a-gpo.md
- - name: Add rules for packaged apps to existing AppLocker rule-set
- href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
- - name: Merge AppLocker policies by using Set-ApplockerPolicy
- href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
- - name: Merge AppLocker policies manually
- href: applocker\merge-applocker-policies-manually.md
- - name: Refresh an AppLocker policy
- href: applocker\refresh-an-applocker-policy.md
- - name: Test an AppLocker policy by using Test-AppLockerPolicy
- href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
- - name: AppLocker design guide
- href: applocker\applocker-policies-design-guide.md
- items:
- - name: Understand AppLocker policy design decisions
- href: applocker\understand-applocker-policy-design-decisions.md
- - name: Determine your application control objectives
- href: applocker\determine-your-application-control-objectives.md
- - name: Create a list of apps deployed to each business group
- href: applocker\create-list-of-applications-deployed-to-each-business-group.md
- items:
- - name: Document your app list
- href: applocker\document-your-application-list.md
- - name: Select the types of rules to create
- href: applocker\select-types-of-rules-to-create.md
- items:
- - name: Document your AppLocker rules
- href: applocker\document-your-applocker-rules.md
- - name: Determine the Group Policy structure and rule enforcement
- href: applocker\determine-group-policy-structure-and-rule-enforcement.md
- items:
- - name: Understand AppLocker enforcement settings
- href: applocker\understand-applocker-enforcement-settings.md
- - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
- href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
- - name: Document the Group Policy structure and AppLocker rule enforcement
- href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
- - name: Plan for AppLocker policy management
- href: applocker\plan-for-applocker-policy-management.md
- - name: AppLocker deployment guide
- href: applocker\applocker-policies-deployment-guide.md
- items:
- - name: Understand the AppLocker policy deployment process
- href: applocker\understand-the-applocker-policy-deployment-process.md
- - name: Requirements for Deploying AppLocker Policies
- href: applocker\requirements-for-deploying-applocker-policies.md
- - name: Use Software Restriction Policies and AppLocker policies
- href: applocker\using-software-restriction-policies-and-applocker-policies.md
- - name: Create Your AppLocker policies
- href: applocker\create-your-applocker-policies.md
- items:
- - name: Create Your AppLocker rules
- href: applocker\create-your-applocker-rules.md
- - name: Deploy the AppLocker policy into production
- href: applocker\deploy-the-applocker-policy-into-production.md
- items:
- - name: Use a reference device to create and maintain AppLocker policies
- href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
- items:
- - name: Determine which apps are digitally signed on a reference device
- href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
- - name: Configure the AppLocker reference device
- href: applocker\configure-the-appLocker-reference-device.md
- - name: AppLocker technical reference
- href: applocker\applocker-technical-reference.md
- items:
- - name: What Is AppLocker?
- href: applocker\what-is-applocker.md
- - name: Requirements to use AppLocker
- href: applocker\requirements-to-use-applocker.md
- - name: AppLocker policy use scenarios
- href: applocker\applocker-policy-use-scenarios.md
- - name: How AppLocker works
- href: applocker\how-applocker-works-techref.md
- items:
- - name: Understanding AppLocker rule behavior
- href: applocker\understanding-applocker-rule-behavior.md
- - name: Understanding AppLocker rule exceptions
- href: applocker\understanding-applocker-rule-exceptions.md
- - name: Understanding AppLocker rule collections
- href: applocker\understanding-applocker-rule-collections.md
- - name: Understanding AppLocker allow and deny actions on rules
- href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
- - name: Understanding AppLocker rule condition types
- href: applocker\understanding-applocker-rule-condition-types.md
- items:
- - name: Understanding the publisher rule condition in AppLocker
- href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
- - name: Understanding the path rule condition in AppLocker
- href: applocker\understanding-the-path-rule-condition-in-applocker.md
- - name: Understanding the file hash rule condition in AppLocker
- href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
- - name: Understanding AppLocker default rules
- href: applocker\understanding-applocker-default-rules.md
- items:
- - name: Executable rules in AppLocker
- href: applocker\executable-rules-in-applocker.md
- - name: Windows Installer rules in AppLocker
- href: applocker\windows-installer-rules-in-applocker.md
- - name: Script rules in AppLocker
- href: applocker\script-rules-in-applocker.md
- - name: DLL rules in AppLocker
- href: applocker\dll-rules-in-applocker.md
- - name: Packaged apps and packaged app installer rules in AppLocker
- href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
- - name: AppLocker architecture and components
- href: applocker\applocker-architecture-and-components.md
- - name: AppLocker processes and interactions
- href: applocker\applocker-processes-and-interactions.md
- - name: AppLocker functions
- href: applocker\applocker-functions.md
- - name: Security considerations for AppLocker
- href: applocker\security-considerations-for-applocker.md
- - name: Tools to Use with AppLocker
- href: applocker\tools-to-use-with-applocker.md
- items:
- - name: Using Event Viewer with AppLocker
- href: applocker\using-event-viewer-with-applocker.md
- - name: AppLocker Settings
- href: applocker\applocker-settings.md
-- name: Windows security
- href: /windows/security/
-
+ - name: Understand WDAC policy design decisions
+ href: understand-windows-defender-application-control-policy-design-decisions.md
+ - name: Understand WDAC policy rules and file rules
+ href: select-types-of-rules-to-create.md
+ items:
+ - name: Allow apps installed by a managed installer
+ href: configure-authorized-apps-deployed-with-a-managed-installer.md
+ - name: Allow reputable apps with Intelligent Security Graph (ISG)
+ href: use-windows-defender-application-control-with-intelligent-security-graph.md
+ - name: Allow COM object registration
+ href: allow-com-object-registration-in-windows-defender-application-control-policy.md
+ - name: Use WDAC with .NET hardening
+ href: use-windows-defender-application-control-with-dynamic-code-security.md
+ - name: Manage packaged apps with WDAC
+ href: manage-packaged-apps-with-windows-defender-application-control.md
+ - name: Use WDAC to control specific plug-ins, add-ins, and modules
+ href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+ - name: Understand WDAC policy settings
+ href: understanding-wdac-policy-settings.md
+ - name: Use multiple WDAC policies
+ href: deploy-multiple-windows-defender-application-control-policies.md
+ - name: Create your WDAC policy
+ items:
+ - name: Example WDAC base policies
+ href: example-wdac-base-policies.md
+ - name: Policy creation for common WDAC usage scenarios
+ href: types-of-devices.md
+ items:
+ - name: Create a WDAC policy for lightly managed devices
+ href: create-wdac-policy-for-lightly-managed-devices.md
+ - name: Create a WDAC policy for fully managed devices
+ href: create-wdac-policy-for-fully-managed-devices.md
+ - name: Create a WDAC policy for fixed-workload devices
+ href: create-initial-default-policy.md
+ - name: Create a WDAC deny list policy
+ href: create-wdac-deny-policy.md
+ - name: Microsoft recommended block rules
+ href: microsoft-recommended-block-rules.md
+ - name: Microsoft recommended driver block rules
+ href: microsoft-recommended-driver-block-rules.md
+ - name: Use the WDAC Wizard tool
+ href: wdac-wizard.md
+ items:
+ - name: Create a base WDAC policy with the Wizard
+ href: wdac-wizard-create-base-policy.md
+ - name: Create a supplemental WDAC policy with the Wizard
+ href: wdac-wizard-create-supplemental-policy.md
+ - name: Editing a WDAC policy with the Wizard
+ href: wdac-wizard-editing-policy.md
+ - name: Merging multiple WDAC policies with the Wizard
+ href: wdac-wizard-merging-policies.md
+- name: WDAC deployment guide
+ href: windows-defender-application-control-deployment-guide.md
+ items:
+ - name: Deploy WDAC policies with MDM
+ href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
+ - name: Deploy WDAC policies with Configuration Manager
+ href: deployment/deploy-wdac-policies-with-memcm.md
+ - name: Deploy WDAC policies with script
+ href: deployment/deploy-wdac-policies-with-script.md
+ - name: Deploy WDAC policies with group policy
+ href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
+ - name: Audit WDAC policies
+ href: audit-windows-defender-application-control-policies.md
+ - name: Merge WDAC policies
+ href: merge-windows-defender-application-control-policies.md
+ - name: Enforce WDAC policies
+ href: enforce-windows-defender-application-control-policies.md
+ - name: Use code signing to simplify application control for classic Windows applications
+ href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+ items:
+ - name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
+ href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
+ - name: "Optional: Create a code signing cert for WDAC"
+ href: create-code-signing-cert-for-windows-defender-application-control.md
+ - name: Deploy catalog files to support WDAC
+ href: deploy-catalog-files-to-support-windows-defender-application-control.md
+ - name: Use signed policies to protect Windows Defender Application Control against tampering
+ href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+ - name: Disable WDAC policies
+ href: disable-windows-defender-application-control-policies.md
+ - name: LOB Win32 Apps on S Mode
+ href: LOB-win32-apps-on-s.md
+- name: WDAC operational guide
+ href: windows-defender-application-control-operational-guide.md
+ items:
+ - name: Understanding Application Control event tags
+ href: event-tag-explanations.md
+ - name: Understanding Application Control event IDs
+ href: event-id-explanations.md
+ - name: Query WDAC events with Advanced hunting
+ href: querying-application-control-events-centrally-using-advanced-hunting.md
+ - name: Known Issues
+ href: operations/known-issues.md
+ - name: Managed installer and ISG technical reference and troubleshooting guide
+ href: configure-wdac-managed-installer.md
+- name: WDAC AppId Tagging guide
+ href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+ items:
+ - name: Creating AppId Tagging Policies
+ href: AppIdTagging/design-create-appid-tagging-policies.md
+ - name: Deploying AppId Tagging Policies
+ href: AppIdTagging/deploy-appid-tagging-policies.md
+ - name: Testing and Debugging AppId Tagging Policies
+ href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
+- name: AppLocker
+ href: applocker\applocker-overview.md
+ items:
+ - name: Administer AppLocker
+ href: applocker\administer-applocker.md
+ items:
+ - name: Maintain AppLocker policies
+ href: applocker\maintain-applocker-policies.md
+ - name: Edit an AppLocker policy
+ href: applocker\edit-an-applocker-policy.md
+ - name: Test and update an AppLocker policy
+ href: applocker\test-and-update-an-applocker-policy.md
+ - name: Deploy AppLocker policies by using the enforce rules setting
+ href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+ - name: Use the AppLocker Windows PowerShell cmdlets
+ href: applocker\use-the-applocker-windows-powershell-cmdlets.md
+ - name: Use AppLocker and Software Restriction Policies in the same domain
+ href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
+ - name: Optimize AppLocker performance
+ href: applocker\optimize-applocker-performance.md
+ - name: Monitor app usage with AppLocker
+ href: applocker\monitor-application-usage-with-applocker.md
+ - name: Manage packaged apps with AppLocker
+ href: applocker\manage-packaged-apps-with-applocker.md
+ - name: Working with AppLocker rules
+ href: applocker\working-with-applocker-rules.md
+ items:
+ - name: Create a rule that uses a file hash condition
+ href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
+ - name: Create a rule that uses a path condition
+ href: applocker\create-a-rule-that-uses-a-path-condition.md
+ - name: Create a rule that uses a publisher condition
+ href: applocker\create-a-rule-that-uses-a-publisher-condition.md
+ - name: Create AppLocker default rules
+ href: applocker\create-applocker-default-rules.md
+ - name: Add exceptions for an AppLocker rule
+ href: applocker\configure-exceptions-for-an-applocker-rule.md
+ - name: Create a rule for packaged apps
+ href: applocker\create-a-rule-for-packaged-apps.md
+ - name: Delete an AppLocker rule
+ href: applocker\delete-an-applocker-rule.md
+ - name: Edit AppLocker rules
+ href: applocker\edit-applocker-rules.md
+ - name: Enable the DLL rule collection
+ href: applocker\enable-the-dll-rule-collection.md
+ - name: Enforce AppLocker rules
+ href: applocker\enforce-applocker-rules.md
+ - name: Run the Automatically Generate Rules wizard
+ href: applocker\run-the-automatically-generate-rules-wizard.md
+ - name: Working with AppLocker policies
+ href: applocker\working-with-applocker-policies.md
+ items:
+ - name: Configure the Application Identity service
+ href: applocker\configure-the-application-identity-service.md
+ - name: Configure an AppLocker policy for audit only
+ href: applocker\configure-an-applocker-policy-for-audit-only.md
+ - name: Configure an AppLocker policy for enforce rules
+ href: applocker\configure-an-applocker-policy-for-enforce-rules.md
+ - name: Display a custom URL message when users try to run a blocked app
+ href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+ - name: Export an AppLocker policy from a GPO
+ href: applocker\export-an-applocker-policy-from-a-gpo.md
+ - name: Export an AppLocker policy to an XML file
+ href: applocker\export-an-applocker-policy-to-an-xml-file.md
+ - name: Import an AppLocker policy from another computer
+ href: applocker\import-an-applocker-policy-from-another-computer.md
+ - name: Import an AppLocker policy into a GPO
+ href: applocker\import-an-applocker-policy-into-a-gpo.md
+ - name: Add rules for packaged apps to existing AppLocker rule-set
+ href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+ - name: Merge AppLocker policies by using Set-ApplockerPolicy
+ href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
+ - name: Merge AppLocker policies manually
+ href: applocker\merge-applocker-policies-manually.md
+ - name: Refresh an AppLocker policy
+ href: applocker\refresh-an-applocker-policy.md
+ - name: Test an AppLocker policy by using Test-AppLockerPolicy
+ href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
+ - name: AppLocker design guide
+ href: applocker\applocker-policies-design-guide.md
+ items:
+ - name: Understand AppLocker policy design decisions
+ href: applocker\understand-applocker-policy-design-decisions.md
+ - name: Determine your application control objectives
+ href: applocker\determine-your-application-control-objectives.md
+ - name: Create a list of apps deployed to each business group
+ href: applocker\create-list-of-applications-deployed-to-each-business-group.md
+ items:
+ - name: Document your app list
+ href: applocker\document-your-application-list.md
+ - name: Select the types of rules to create
+ href: applocker\select-types-of-rules-to-create.md
+ items:
+ - name: Document your AppLocker rules
+ href: applocker\document-your-applocker-rules.md
+ - name: Determine the Group Policy structure and rule enforcement
+ href: applocker\determine-group-policy-structure-and-rule-enforcement.md
+ items:
+ - name: Understand AppLocker enforcement settings
+ href: applocker\understand-applocker-enforcement-settings.md
+ - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
+ href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+ - name: Document the Group Policy structure and AppLocker rule enforcement
+ href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
+ - name: Plan for AppLocker policy management
+ href: applocker\plan-for-applocker-policy-management.md
+ - name: AppLocker deployment guide
+ href: applocker\applocker-policies-deployment-guide.md
+ items:
+ - name: Understand the AppLocker policy deployment process
+ href: applocker\understand-the-applocker-policy-deployment-process.md
+ - name: Requirements for Deploying AppLocker Policies
+ href: applocker\requirements-for-deploying-applocker-policies.md
+ - name: Use Software Restriction Policies and AppLocker policies
+ href: applocker\using-software-restriction-policies-and-applocker-policies.md
+ - name: Create Your AppLocker policies
+ href: applocker\create-your-applocker-policies.md
+ items:
+ - name: Create Your AppLocker rules
+ href: applocker\create-your-applocker-rules.md
+ - name: Deploy the AppLocker policy into production
+ href: applocker\deploy-the-applocker-policy-into-production.md
+ items:
+ - name: Use a reference device to create and maintain AppLocker policies
+ href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+ items:
+ - name: Determine which apps are digitally signed on a reference device
+ href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+ - name: Configure the AppLocker reference device
+ href: applocker\configure-the-appLocker-reference-device.md
+ - name: AppLocker technical reference
+ href: applocker\applocker-technical-reference.md
+ items:
+ - name: What Is AppLocker?
+ href: applocker\what-is-applocker.md
+ - name: Requirements to use AppLocker
+ href: applocker\requirements-to-use-applocker.md
+ - name: AppLocker policy use scenarios
+ href: applocker\applocker-policy-use-scenarios.md
+ - name: How AppLocker works
+ href: applocker\how-applocker-works-techref.md
+ items:
+ - name: Understanding AppLocker rule behavior
+ href: applocker\understanding-applocker-rule-behavior.md
+ - name: Understanding AppLocker rule exceptions
+ href: applocker\understanding-applocker-rule-exceptions.md
+ - name: Understanding AppLocker rule collections
+ href: applocker\understanding-applocker-rule-collections.md
+ - name: Understanding AppLocker allow and deny actions on rules
+ href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
+ - name: Understanding AppLocker rule condition types
+ href: applocker\understanding-applocker-rule-condition-types.md
+ items:
+ - name: Understanding the publisher rule condition in AppLocker
+ href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
+ - name: Understanding the path rule condition in AppLocker
+ href: applocker\understanding-the-path-rule-condition-in-applocker.md
+ - name: Understanding the file hash rule condition in AppLocker
+ href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
+ - name: Understanding AppLocker default rules
+ href: applocker\understanding-applocker-default-rules.md
+ items:
+ - name: Executable rules in AppLocker
+ href: applocker\executable-rules-in-applocker.md
+ - name: Windows Installer rules in AppLocker
+ href: applocker\windows-installer-rules-in-applocker.md
+ - name: Script rules in AppLocker
+ href: applocker\script-rules-in-applocker.md
+ - name: DLL rules in AppLocker
+ href: applocker\dll-rules-in-applocker.md
+ - name: Packaged apps and packaged app installer rules in AppLocker
+ href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+ - name: AppLocker architecture and components
+ href: applocker\applocker-architecture-and-components.md
+ - name: AppLocker processes and interactions
+ href: applocker\applocker-processes-and-interactions.md
+ - name: AppLocker functions
+ href: applocker\applocker-functions.md
+ - name: Security considerations for AppLocker
+ href: applocker\security-considerations-for-applocker.md
+ - name: Tools to Use with AppLocker
+ href: applocker\tools-to-use-with-applocker.md
+ items:
+ - name: Using Event Viewer with AppLocker
+ href: applocker\using-event-viewer-with-applocker.md
+ - name: AppLocker Settings
+ href: applocker\applocker-settings.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index e30b2c517a..b7d7521a48 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -3,13 +3,13 @@ title: Script rules in AppLocker (Windows)
description: This article describes the file formats and available default rules for the script rule collection.
ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f
ms.reviewer:
-ms.author: macapara
+ms.author: dansimp
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: mjcaparas
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
index f99766832e..005c1ddcc2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@@ -3,13 +3,13 @@ title: Understand AppLocker enforcement settings (Windows)
description: This topic describes the AppLocker enforcement settings for rule collections.
ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e
ms.reviewer:
-ms.author: macapara
+ms.author: dansimp
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: mjcaparas
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index 8b30f46fa9..ca600a98a7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -59,7 +59,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
```powershell
- New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
+ New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
```
> [!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index 3bb07036ab..cb5391c9a3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
-ms.date: 05/12/2022
+ms.date: 08/26/2022
ms.technology: windows-sec
---
@@ -29,21 +29,21 @@ ms.technology: windows-sec
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Windows 10 (version 1703) introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
+Windows Defender Application Control (WDAC) includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM) or Microsoft Intune.
## How does a managed installer work?
-Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they're tagged as originating from a managed installer.
+Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and any child processes it launches) and watches for files being written to disk. As files are written, they're tagged as originating from a managed installer.
You can then configure WDAC to trust files that are installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules for the binary, WDAC will allow it to run based purely on its managed installer origin.
## Security considerations with managed installer
-Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. The managed installer is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager.
+Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees as explicit allow or deny rules do. Managed installer is best suited where users operate as standard user, and where all software is deployed and installed by a software distribution solution such as MEMCM.
-Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed.
+Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of your WDAC policies when the managed installer option is allowed.
-If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
+If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of your WDAC policies.
Some application installers may automatically run the application at the end of the installation process. If the application runs automatically, and the installer was run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This extension could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation.
@@ -62,9 +62,13 @@ To turn on managed installer tracking, you must:
- Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs.
- Enable AppLocker's Application Identity and AppLockerFltr services.
+> [!NOTE]
+> MEMCM will automatically configure itself as a managed installer, and enable the required AppLocker components, if you deploy one of its inbox WDAC policies. If you are configuring MEMCM as a managed installer using any other method, additional setup is required. Use the [**ManagedInstaller** cmdline switch in your ccmsetup.exe setup](/mem/configmgr/core/clients/deploy/about-client-installation-properties#managedinstaller). Or you can deploy one of the MEMCM inbox audit mode policies alongside your custom policy.
+
### Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs
-Currently, both the AppLocker policy creation UI in GPO Editor and the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection.
+The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdlets can't be directly used to create rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection.
+
> [!NOTE]
> Only EXE file types can be designated as managed installers.
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index 70a4c7cad7..63d3ee3fe4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -31,7 +31,7 @@ ms.technology: windows-sec
## Using fsutil to query SmartLocker EA
-Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
+Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the Extended Attributes (EAs) on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
**Example:**
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
index cd197228e8..b81414e10f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
@@ -45,7 +45,7 @@ To create effective Windows Defender Application Control deny policies, it's cru
5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
> [!NOTE]
-> If your Windows Defender Application Control policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](use-windows-defender-application-control-with-intelligent-security-graph.md#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work).
+> If your Windows Defender Application Control policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#how-does-wdac-work-with-the-isg).
## Interaction with Existing Policies
@@ -126,13 +126,13 @@ Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC
### Software Publisher Based Deny Rule
```Powershell
-$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Deny -Fallback FileName,Hash
+$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Fallback SignedVersion,Publisher,Hash -Deny
```
### Software Attributes Based Deny Rule
```Powershell
-$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Deny -Fallback Hash
+$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Fallback Hash -Deny
```
### Hash Based Deny Rule
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 2d13639669..baee8a7e94 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -118,9 +118,6 @@ Alice follows these steps to complete this task:
7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
- > [!NOTE]
- > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
-
```powershell
[xml]$LamnaPolicyXML = Get-Content $LamnaPolicy
$PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 9cb8de44f4..e0d19fe8da 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -13,9 +13,9 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
-ms.date: 11/15/2019
+ms.author: vinpa
+manager: aaroncz
+ms.date: 08/10/2022
ms.technology: windows-sec
---
@@ -23,21 +23,21 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics.
+This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this article. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later articles.
> [!NOTE]
> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
-As in the [previous topic](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+As in the [previous article](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
-**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she'll need to take an incremental approach to application control and use different policies for different workloads.
+**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing that Lamna currently has loose application usage policies and a culture of maximum app flexibility for users, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads.
For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value.
@@ -58,82 +58,103 @@ Based on the above, Alice defines the pseudo-rules for the policy:
- WHQL (third-party kernel drivers)
- Windows Store signed apps
-2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function.
-3. **Allow Managed Installer** (Configuration Manager configured as a managed installer)
-4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
-5. **Admin-only path rules** for the following locations:
+1. **"MEMCM works”** rules that include:
+ - Signer and hash rules for Configuration Manager components to properly function.
+ - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
+
+1. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
+
+1. **Signed apps** using a certificate issued by a Windows Trusted Root Program certificate authority
+
+1. **Admin-only path rules** for the following locations:
- C:\Program Files\*
- C:\Program Files (x86)\*
- %windir%\*
## Create a custom base policy using an example WDAC base policy
-Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs.
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use the example `SmartAppControl.xml` to create the initial base policy and then customize it to meet Lamna's needs.
Alice follows these steps to complete this task:
-> [!NOTE]
-> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
-
-1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
-
-2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
-
- ```powershell
- $PolicyName= "Lamna_LightlyManagedClients_Audit"
- $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
- $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
- ```
-
-3. Copy the policy created by Configuration Manager to the desktop:
-
- ```powershell
- cp $MEMCMPolicy $LamnaPolicy
- ```
-
-4. Give the new policy a unique ID, descriptive name, and initial version number:
-
- ```powershell
- Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
- Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
- ```
-
-5. Modify the copied policy to set policy rules:
-
- ```powershell
- Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
- Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
- Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
- Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
- Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
- Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
- Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
- Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
- Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
- ```
-
-6. Add rules to allow windir and Program Files directories:
-
- ```powershell
- $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
- $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
- $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
- Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
- ```
-
-7. If appropriate, add more signer or file rules to further customize the policy for your organization.
-
-8. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
> [!NOTE]
- > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
+ > If you prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md), substitute the example policy path with your preferred base policy in this step.
- ```powershell
- $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
- ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
- ```
+ ```powershell
+ $PolicyPath = $env:userprofile+"\Desktop\"
+ $PolicyName= "Lamna_LightlyManagedClients_Audit"
+ $LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
+ $ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
+ ```
-9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+1. Copy the example policy to the desktop:
+
+ ```powershell
+ Copy-Item $ExamplePolicy $LamnaPolicy
+ ```
+
+1. Modify the policy to remove unsupported rule:
+
+ > [!NOTE]
+ > `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step.
+
+ ```powershell
+ [xml]$xml = Get-Content $LamnaPolicy
+ $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
+ $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI)
+ $node = $xml.SelectSingleNode("//ns:Rules/ns:Rule[ns:Option[.='Enabled:Conditional Windows Lockdown Policy']]", $ns)
+ $node.ParentNode.RemoveChild($node)
+ $xml.Save($LamnaPolicy)
+ ```
+
+1. Give the new policy a unique ID, descriptive name, and initial version number:
+
+ ```powershell
+ Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
+ Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
+ ```
+
+1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to the client device running Windows 10 version 1903 and above, or Windows 11. Merge the Configuration Manager policy with the example policy.
+
+ > [!NOTE]
+ > If you do not use Configuration Manager, skip this step.
+
+ ```powershell
+ $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy
+ Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
+ ```
+
+1. Modify the policy to set additional policy rules:
+
+ ```powershell
+ Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
+ Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
+ Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
+ ```
+
+1. Add rules to allow the Windows and Program Files directories:
+
+ ```powershell
+ $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+ ```
+
+1. If appropriate, add more signer or file rules to further customize the policy for your organization.
+
+1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
+
+ ```powershell
+ [xml]$policyXML = Get-Content $LamnaPolicy
+ $WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
+ ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+ ```
+
+1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
@@ -141,44 +162,69 @@ At this point, Alice now has an initial policy that is ready to deploy in audit
In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
-- **Users with administrative access**
- By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+- **Users with administrative access**
+
+ This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+ Possible mitigations:
- Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
-- **Unsigned policies**
- Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
- Possible mitigations:
+- **Unsigned policies**
+
+ Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+ Possible mitigations:
+
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Limit who can elevate to administrator on the device.
-- **Managed installer**
- See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
- Possible mitigations:
+- **Managed installer**
+
+ See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
+
+ Possible mitigations:
+
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Limit who can elevate to administrator on the device.
-- **Intelligent Security Graph (ISG)**
- See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
- Possible mitigations:
- - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
+- **Intelligent Security Graph (ISG)**
+
+ See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-isg-option)
+
+ Possible mitigations:
+
+ - Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **Supplemental policies**
- Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
- Possible mitigations:
+- **Supplemental policies**
+
+ Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+ Possible mitigations:
+
- Use signed WDAC policies that allow authorized signed supplemental policies only.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **FilePath rules**
- See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
- Possible mitigations:
+- **FilePath rules**
+
+ See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
+
+ Possible mitigations:
+
- Limit who can elevate to administrator on the device.
- Migrate from filepath rules to managed installer or signature-based rules.
+- **Signed files**
+
+ Although files that are code-signed verify the author's identity and ensures that the code has not been altered by anyone other than the author, it does not guarantee that the signed code is safe.
+
+ Possible mitigations:
+
+ - Use a reputable antimalware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats.
+
## Up next
- [Create a Windows Defender Application Control policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 65565ec200..cfea5dc30f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jgeurten
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2018
@@ -49,7 +49,9 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
2. Start Package Inspector, and then start scanning a local drive, for example, drive C:
- `PackageInspector.exe Start C:`
+ ```powershell
+ PackageInspector.exe Start C:
+ ```
> [!NOTE]
> Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
@@ -77,13 +79,12 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:.
- `$ExamplePath=$env:userprofile+"\Desktop"`
-
- `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
-
- `$CatDefName=$ExamplePath+"\LOBApp.cdf"`
-
- `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
+ ```powershell
+ $ExamplePath=$env:userprofile+"\Desktop"
+ $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
+ $CatDefName=$ExamplePath+"\LOBApp.cdf"
+ PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName
+ ```
>[!NOTE]
>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
@@ -125,15 +126,18 @@ To sign the existing catalog file, copy each of the following commands into an e
1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed:
- `$ExamplePath=$env:userprofile+"\Desktop"`
-
- `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
+ ```powershell
+ $ExamplePath=$env:userprofile+"\Desktop"
+ $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
+ ```
2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store.
3. Sign the catalog file with Signtool.exe:
- ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName`
+ ```powershell
+ sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName
+ ```
>[!NOTE]
>The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file.
@@ -156,16 +160,20 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
1. If you haven't already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.
-2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you'll later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
+2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder** by scanning the system and allowlisting by signer and original filename:
- `New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs`
+ ```powershell
+ New-CIPolicy -Level FilePublisher -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs -MultiplePolicyFormat -Fallback SignedVersion,Publisher,Hash
+ ```
> [!NOTE]
> Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
-3. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``:
+3. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``:
- `Add-SignerRule -FilePath -CertificatePath -User`
+ ```powershell
+ Add-SignerRule -FilePath -CertificatePath -User
+ ```
If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index dbe28e8b2a..b3cffd3fb8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -56,19 +56,19 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a
In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format.
```powershell
-New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash
+New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash
```
Optionally, you can choose to make the new base policy allow for supplemental policies.
```powershell
-Set-RuleOption -FilePath -Option 17
+Set-RuleOption -FilePath ".\policy.xml" -Option 17
```
For signed base policies to allow for supplemental policies, make sure that supplemental signers are defined. Use the **Supplemental** switch in **Add-SignerRule** to provide supplemental signers.
```powershell
-Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] []
+Add-SignerRule -FilePath ".\policy.xml" -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny]
```
### Supplemental policy creation
@@ -79,12 +79,9 @@ In order to create a supplemental policy, begin by creating a new policy in the
- "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to
```powershell
-Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] []
+Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] -PolicyId -PolicyName
```
-> [!NOTE]
-> **ResetPolicyId** reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID.
-
### Merging policies
When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index 407a00c553..9db5920c58 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@@ -1,21 +1,16 @@
---
title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows)
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
-audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
+ms.author: vinpa
+manager: aaroncz
ms.date: 06/27/2022
-ms.technology: windows-sec
+ms.topic: how-to
---
# Deploy WDAC policies using Mobile Device Management (MDM)
@@ -61,13 +56,13 @@ The steps to use Intune's custom OMA-URI functionality are:
1. Know a generated policy's GUID, which can be found in the policy xml as ``
-2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
- - **Data type**: Base64
+ - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
+ - **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
@@ -86,13 +81,13 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a
The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
-1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
+1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
- - **Data type**: Base64
+ - **OMA-URI**: `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy`
+ - **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file
> [!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 601db3b421..cd504ed4ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -15,7 +15,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
-ms.date: 11/15/2019
+ms.date: 08/05/2022
ms.technology: windows-sec
---
@@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -39,7 +39,8 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
+| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml
index b39d1f45b2..5dd1e3fd49 100644
--- a/windows/security/threat-protection/windows-defender-application-control/index.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@@ -9,7 +9,7 @@ metadata:
# ms.subservice: Application-Control
# ms.topic: landing-page
# author: Kim Klein
-# ms.author: Jordan Geurten
+# ms.author: Jordan Geurten
# manager: Jeffrey Sutherland
# ms.update: 04/30/2021
# linkListType: overview | how-to-guide | tutorial | video
@@ -21,13 +21,15 @@ landingContent:
linkLists:
- linkListType: overview
links:
+ - text: What is Application Control?
+ url: windows-defender-application-control.md
- text: What is Windows Defender Application Control (WDAC)?
url: wdac-and-applocker-overview.md
- text: What is AppLocker?
url: applocker\applocker-overview.md
- text: WDAC and AppLocker feature availability
- url: feature-availability.md
- # Card
+ url: feature-availability.md
+ # Card
- title: Learn about Policy Design
linkLists:
- linkListType: overview
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 498ab02284..64e6685f37 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -1,35 +1,30 @@
---
-title: Microsoft recommended block rules (Windows)
+title: Microsoft recommended block rules
description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: m365-security
-ms.technology: windows-sec
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
-audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
+ms.author: vinpa
+manager: aaroncz
ms.date: 09/29/2021
+ms.topic: reference
---
# Microsoft recommended block rules
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
+Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control:
@@ -75,7 +70,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- wslconfig.exe
- wslhost.exe
-1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
+1 A vulnerability in bginfo.exe was fixed in version 4.22. If you use BGInfo, for security, make sure to download and run the latest version of [BGInfo](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that isn't being used in a development context, we recommend that you block msbuild.exe.
@@ -87,31 +82,29 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|---|---|
| `Alex Ionescu` | `@aionescu`|
| `Brock Mammen`| |
-| `Casey Smith` | `@subTee` |
+| `Casey Smith` | `@subTee` |
| `James Forshaw` | `@tiraniddo` |
| `Jimmy Bayne` | `@bohops` |
| `Kim Oppalfens` | `@thewmiguy` |
| `Lasse Trolle Borup` | `Langkjaer Cyber Defence` |
| `Lee Christensen` | `@tifkin_` |
-| `Matt Graeber` | `@mattifestation` |
-| `Matt Nelson` | `@enigma0x3` |
+| `Matt Graeber` | `@mattifestation` |
+| `Matt Nelson` | `@enigma0x3` |
| `Oddvar Moe` | `@Oddvarmoe` |
| `Philip Tsukerman` | `@PhilipTsukerman` |
| `Vladas Bulavas` | `Kaspersky Lab` |
| `William Easton` | `@Strawgate` |
-
-
-> [!Note]
-> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
+> [!NOTE]
+> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions.
-Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes.
+Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes.
-For October 2017, we're announcing an update to system.management.automation.dll in which we're revoking older versions by hash values, instead of version rules.
+As of October 2017, system.management.automation.dll is updated to revoke earlier versions by hash values, instead of version rules.
-Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files:
+Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. As of March 2019, each version of Windows requires blocking a specific version of the following files:
- msxml3.dll
- msxml6.dll
@@ -119,6 +112,10 @@ Microsoft recommends that you block the following Microsoft-signed applications
Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
+
+
+ Expand this section to see the WDAC policy XML
+
```xml
@@ -905,8 +902,8 @@ Select the correct version of each .dll for the Windows release you plan to supp
@@ -1524,9 +1521,10 @@ Select the correct version of each .dll for the Windows release you plan to supp
0
```
-
-> [!Note]
+
+
+> [!NOTE]
> To create a policy that works on both Windows 10, version 1803 and version 1809, you can create two different policies, or merge them into one broader policy.
## More information
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 7c16581109..130ec8b14c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -1,6 +1,6 @@
---
title: Microsoft recommended driver block rules (Windows)
-description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
+description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
keywords: security, malware, kernel mode, driver
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
@@ -20,28 +20,49 @@ manager: dansimp
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
-
-- Hypervisor-protected code integrity (HVCI) enabled devices
-- Windows 10 in S mode (S mode) devices
-
-The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
+Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
- Malicious behaviors (malware) or certificates used to sign malware
- Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
-Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
+Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
+](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
+
+## Microsoft vulnerable driver blocklist
+
+
+
+Microsoft adds the vulnerable versions of the drivers to our vulnerable driver blocklist, which is automatically enabled on devices when any of the listed conditions are met:
+
+| Condition | Windows 10 or 11 | Windows 11 22H2 or later |
+|--|:--:|:--:|
+| Device has [Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) enabled | :heavy_check_mark: | :heavy_check_mark: |
+| Device is in [S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85#WindowsVersion=Windows_11) | :heavy_check_mark: | :heavy_check_mark: |
+| Device has [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) enabled | :x: | :heavy_check_mark: |
+| Clean install of Windows | :x: | :heavy_check_mark: |
+
+> [!NOTE]
+> Microsoft vulnerable driver blocklist can also be enabled using [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2), but the option to disable it is grayed out when HVCI or Smart App Control is enabled, or when the device is in S mode. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can disable Microsoft vulnerable driver blocklist.
+
+## Blocking vulnerable drivers using WDAC
Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
+> [!IMPORTANT]
+> Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from being loaded, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy prevents the existing driver from being loaded.
+
+
+
+ Expand this section to see the blocklist WDAC policy XML
+
```xml
@@ -52,7 +73,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -109,7 +130,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -207,9 +228,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
-
+
@@ -401,7 +422,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -412,7 +433,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -421,13 +442,13 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
-
+
+
-
+
@@ -483,7 +504,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -525,7 +546,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -565,11 +586,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
-
+
@@ -579,7 +600,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -623,7 +644,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -702,12 +723,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
-
+
@@ -740,19 +761,19 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
-
+
-
+
-
+
-
+
@@ -774,14 +795,14 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
-
-
-
+
+
+
+
-
-
+
+
@@ -794,37 +815,37 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
-
-
-
-
+
+
+
+
+
-
-
-
+
+
+
-
+
-
-
+
+
-
+
@@ -884,7 +905,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
@@ -988,17 +1009,17 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
-
-
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
@@ -1166,11 +1187,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
-
+
-
+
@@ -1198,8 +1219,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
```
-
+
+
+> [!NOTE]
+> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations).
## More information
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index e1f7559c0d..45ffe31061 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -10,11 +10,11 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
-author: dansimp
-ms.reviewer: isbrahm
+author: jgeurten
+ms.reviewer: jsuther1974
ms.author: dansimp
manager: dansimp
-ms.date: 06/28/2022
+ms.date: 08/29/2022
ms.technology: windows-sec
---
@@ -22,9 +22,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -70,7 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
-| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes |
+| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| No |
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709 and above.| No |
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903 and above. | No |
@@ -88,12 +88,12 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
-| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions' hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
-| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
+| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). |
| **RootCertificate** | Currently unsupported. |
@@ -105,9 +105,17 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
> When you create Windows Defender Application Control policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
+>
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
+> [!NOTE]
+> When applicable, minimum and maximum version numbers in a file rule are referenced as MinimumFileVersion and MaximumFileVersion respectively in the policy XML.
+>
+> - Both MinimumFileVersion and MaximumFileVersion specified: For Allow rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are allowed. For Deny rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are denied.
+> - MinimumFileVersion specified without MaximumFileVersion: For Allow rules, file with version **greater than or equal** to the specified version are allowed to run. For Deny rules, file with version **less than or equal** to the specified version are blocked.
+> - MaximumFileVersion specified without MinimumFileVersion: For Allow rules, file with version **less than or equal** to the specified version are allowed to run. For Deny rules, file with version **greater than or equal** to the specified version are blocked.
+
## Example of file rule levels in use
For example, consider an IT professional in a department that runs many servers. They only want to run software signed by the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
@@ -120,6 +128,9 @@ As part of normal operations, they'll eventually install software updates, or pe
Windows Defender Application Control has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these sets exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md).
+> [!NOTE]
+> For others to better understand the WDAC policies that have been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
+
## More information about filepath rules
Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
@@ -139,27 +150,27 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
> [!NOTE]
-> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
+> When authoring WDAC policies with Microsoft Endpoint Configuration Manager (MEMCM), you can instruct MEMCM to create rules for specified files and folders. These rules **aren't** WDAC filepath rules. Rather, MEMCM performs a one-time scan of the specified files and folders and builds rules for any binaries found in those locations at the time of that scan. File changes to those specified files and folders after that scan won't be allowed unless the MEMCM policy is reapplied.
> [!NOTE]
> There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules.
## More information about hashes
-WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
-The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
+The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
During validation, CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file wouldn't get paged in to do a full sha256 authenticode, and we would just match using the first page hash.
-In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
+In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn't result in a different hash than what was in the policy being used by CI.
### Why does scan create eight hash rules for certain XML files?
-Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can’t always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
+Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can't always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
## Windows Defender Application Control filename rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
index c731e404ee..bcfc28eb19 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
@@ -1,21 +1,15 @@
---
title: Understanding Windows Defender Application Control (WDAC) secure settings
description: Learn about secure settings in Windows Defender Application Control.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
-audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
-ms.reviewer: jgeurten
-ms.author: dansimp
-manager: dansimp
+ms.reviewer: vinpa
+ms.author: jogeurte
+manager: aaroncz
ms.date: 10/11/2021
-ms.technology: mde
---
# Understanding WDAC Policy Settings
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 0adc4cb74e..e430a2a554 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -30,31 +30,33 @@ ms.technology: windows-sec
Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy.
-Beginning with Windows 10, version 1709, you can set an option to automatically allow applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services).
+To reduce end-user friction and helpdesk calls, you can set Windows Defender Application Control (WDAC) to automatically allow applications that Microsoft's Intelligent Security Graph (ISG) recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the ISG, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services).
-## How does the integration between WDAC and the Intelligent Security Graph work?
+> [!WARNING]
+> Binaries that are critical to boot the system must be allowed using explicit rules in your WDAC policy. Do not rely on the ISG to authorize these files.
+>
+> The ISG option is not the recommended way to allow apps that are business critical. You should always authorize business critical apps using explicit allow rules or by installing them with a [managed installer](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer).
-The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with Windows Defender Application Control (WDAC) enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file.
+## How does WDAC work with the ISG?
-If your WDAC policy doesn't have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC won't make a call to the cloud.
+The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources, and processed every 24 hours. As a result, the decision from the cloud can change.
-If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer.
+WDAC only checks the ISG for binaries that aren't explicitly allowed or denied by your policy, and that weren't installed by a managed installer. When such a binary runs on a system with WDAC enabled with the ISG option, WDAC will check the file's reputation by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, then the file will be allowed to run. Otherwise, it will be blocked by WDAC.
-WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
+If the file with good reputation is an application installer, the installer's reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. Files authorized based on the installer's reputation will have the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) written to the file.
->[!NOTE]
->Admins should make sure there is a Windows Defender Application Control policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager Intune can be used to create and push a WDAC policy to your client machines.
+WDAC periodically requeries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
-## Configuring Intelligent Security Graph authorization for Windows Defender Application Control
+## Configuring ISG authorization for your WDAC policy
-Setting up the ISG is easy using any management solution you wish. Configuring the Microsoft Intelligent Security Graph option involves these basic steps:
+Setting up the ISG is easy using any management solution you wish. Configuring the ISG option involves these basic steps:
-- [Ensure that the Microsoft Intelligent Security Graph option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml)
-- [Enable the necessary services to allow WDAC to use the Microsoft Intelligent Security Graph correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
+- [Ensure that the **Enabled:Intelligent Security Graph authorization** option is set in the WDAC policy XML](#ensure-that-the-isg-option-is-set-in-the-wdac-policy-xml)
+- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
-### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML
+### Ensure that the ISG option is set in the WDAC policy XML
-To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the Windows Defender Application Control policy. This step can be done with the Set-RuleOption cmdlet. You should also enable the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options being set.
+To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This step can be done with the Set-RuleOption cmdlet. You should also set the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options set.
```xml
@@ -84,50 +86,29 @@ To allow apps and binaries based on the Microsoft Intelligent Security Graph, th
### Enable the necessary services to allow WDAC to use the ISG correctly on the client
-In order for the heuristics used by the ISG to function properly, many components in Windows must be enabled. You can configure these components by running the appidtel executable in `c:\windows\system32`.
+In order for the heuristics used by the ISG to function properly, other components in Windows must be enabled. You can configure these components by running the appidtel executable in `c:\windows\system32`.
```console
appidtel start
```
-This step isn't required for Windows Defender Application Control policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using Configuration Manager's WDAC integration.
+This step isn't required for WDAC policies deployed over MDM, as the CSP will enable the necessary components. This step is also not required when the ISG is configured using Configuration Manager's WDAC integration.
-## Security considerations with the Intelligent Security Graph
+## Security considerations with the ISG option
-Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. It's best suited where users operate with standard user rights and where a security monitoring solution like Microsoft Defender for Endpoint is used.
+Since the ISG is a heuristic-based mechanism, it doesn't provide the same security guarantees as explicit allow or deny rules. It's best suited where users operate with standard user rights and where a security monitoring solution like Microsoft Defender for Endpoint is used.
-Processes running with kernel privileges can circumvent WDAC by setting the ISG extended file attribute to make a binary appear to have known good reputation. Also, since the ISG option passes along reputation from application installers to the binaries they write to disk, it can over-authorize files in some cases where the installer launches the application upon completion.
+Processes running with kernel privileges can circumvent WDAC by setting the ISG extended file attribute to make a binary appear to have known good reputation.
-## Using fsutil to query SmartLocker EA
-Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
+Also, since the ISG option passes along reputation from app installers to the binaries they write to disk, it can over-authorize files in some cases. For example, if the installer launches the app upon completion, any files the app writes during that first run will also be allowed.
-#### Example
+## Known limitations with using the ISG
-```console
-fsutil file queryEA C:\Users\Temp\Downloads\application.exe
+Since the ISG only allows binaries that are "known good", there are cases where the ISG may be unable to predict whether legitimate software is safe to run. If that happens, the software will be blocked by WDAC. In this case, you need to allow the software with a rule in your WDAC policy, deploy a catalog signed by a certificate trusted in the WDAC policy, or install the software from a WDAC managed installer. Installers or applications that dynamically create binaries at runtime, and self-updating applications, may exhibit this symptom.
-Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe:
-
-Ea Buffer Offset: 410
-Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM
-Ea Value Length: 7e
-0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
-0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. *
-0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\......
-0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:.
-0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T.
-0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n...
-0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l.
-0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e
-```
-
-## Known limitations with using the Intelligent Security Graph
-
-Since the ISG only allows binaries that are known good, there are cases where legitimate software may be unknown to the ISG and will be blocked by Windows Defender Application Control (WDAC). In this case, you need to allow the software with a rule in your WDAC policy, deploy a catalog signed by a certificate trusted in the WDAC policy, or install the software from a WDAC managed installer. Installers or applications that dynamically create binaries at runtime, and self-updating applications, may exhibit this symptom.
-
-Packaged apps aren't supported with the Microsoft Intelligent Security Graph heuristics and will need to be separately authorized in your WDAC policy. Since packaged apps have a strong app identity and must be signed, it's straightforward to authorize these apps with your WDAC policy.
+Packaged apps aren't supported with the ISG and will need to be separately authorized in your WDAC policy. Since packaged apps have a strong app identity and must be signed, it's straightforward to [authorize packaged apps](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) with your WDAC policy.
The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
> [!NOTE]
-> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
+> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index a552764722..e8ea61c23d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -46,15 +46,24 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
- **Windows Defender Application Control (WDAC)**; and
- **AppLocker**
-## In this section
+## WDAC and Smart App Control
-| Article | Description |
-| --- | --- |
-| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
-| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
+
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925) for the change to take effect.
+
+| Value | Description |
+|-------|-------------|
+| 0 | Off |
+| 1 | Enforce |
+| 2 | Evaluation |
+
+> [!IMPORTANT]
+> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
+- [WDAC operational guide](windows-defender-application-control-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index f031321396..1c50e07a18 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -84,3 +84,38 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
+## System requirements for System Guard
+
+|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
+|--------|-----------|
+|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
+|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
+|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
+|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
+|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory). Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. Must NOT have execute and write permissions for the same page Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType. BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256) Platforms must set up a PS (Platform Supplier) index with:
Exactly the "TXT PS2" style Attributes on creation as follows:
AuthWrite
PolicyDelete
WriteLocked
WriteDefine
AuthRead
WriteDefine
NoDa
Written
PlatformCreate
A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
Size of exactly 70 bytes
NameAlg = SHA256
Also, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
+|AUX Policy|The required AUX policy must be as follows:
A = TPM2_PolicyLocality (Locality 3 & Locality 4)
B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)
|
+|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
Intel® SINIT ACM must be carried in the OEM BIOS
Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+
+|For AMD® processors starting with Zen2 or later silicon|Description|
+|--------|-----------|
+|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
+|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.|
+|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
+|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
+|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory). Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. Must NOT have execute and write permissions for the same page BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
Handle: 0x01C101C0
Attributes:
TPMA_NV_POLICYWRITE
TPMA_NV_PPREAD
TPMA_NV_OWNERREAD
TPMA_NV_AUTHREAD
TPMA_NV_POLICYREAD
TPMA_NV_NO_DA
TPMA_NV_PLATFORMCREATE
TPMA_NV_POLICY_DELETE
A policy of:
A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
|
+|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
AMD® Secure Launch platforms must ship with AMD® DRTM driver devnode exposed and the AMD® DRTM driver installed
Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled Platform must have AMD® Memory Guard enabled.|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+
+|For Qualcomm® processors with SD850 or later chipsets|Description|
+|--------|-----------|
+|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
+|Monitor Mode Page Tables|All Monitor Mode page tables must:
NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory)
They must NOT have execute and write permissions for the same page
Platforms must only allow Monitor Mode pages marked as executable
The memory map must report Monitor Mode as EfiReservedMemoryType
Platforms must provide mechanism to protect the Monitor Mode page tables from modification
|
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|Platform firmware|Platform firmware must carry all code required to launch.|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 5c9e29a065..e3cc007d51 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -72,43 +72,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
> [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
-
-## System requirements for System Guard
-
-|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
-|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
-|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
-|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
-|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
-|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory). Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. Must NOT have execute and write permissions for the same page Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType. BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256) Platforms must set up a PS (Platform Supplier) index with:
Exactly the "TXT PS2" style Attributes on creation as follows:
AuthWrite
PolicyDelete
WriteLocked
WriteDefine
AuthRead
WriteDefine
NoDa
Written
PlatformCreate
A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
Size of exactly 70 bytes
NameAlg = SHA256
Also, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
-|AUX Policy|The required AUX policy must be as follows:
A = TPM2_PolicyLocality (Locality 3 & Locality 4)
B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)
|
-|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
Intel® SINIT ACM must be carried in the OEM BIOS
Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
-
-|For AMD® processors starting with Zen2 or later silicon|Description|
-|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
-|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.|
-|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
-|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
-|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory). Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. Must NOT have execute and write permissions for the same page BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
Handle: 0x01C101C0
Attributes:
TPMA_NV_POLICYWRITE
TPMA_NV_PPREAD
TPMA_NV_OWNERREAD
TPMA_NV_AUTHREAD
TPMA_NV_POLICYREAD
TPMA_NV_NO_DA
TPMA_NV_PLATFORMCREATE
TPMA_NV_POLICY_DELETE
A policy of:
A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
|
-|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
AMD® Secure Launch platforms must ship with AMD® DRTM driver devnode exposed and the AMD® DRTM driver installed
Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled Platform must have AMD® Memory Guard enabled.|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
-
-|For Qualcomm® processors with SD850 or later chipsets|Description|
-|--------|-----------|
-|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
-|Monitor Mode Page Tables|All Monitor Mode page tables must:
NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory)
They must NOT have execute and write permissions for the same page
Platforms must only allow Monitor Mode pages marked as executable
The memory map must report Monitor Mode as EfiReservedMemoryType
Platforms must provide mechanism to protect the Monitor Mode page tables from modification
|
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|Platform firmware|Platform firmware must carry all code required to launch.|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
> [!NOTE]
> For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index e42fab8ddb..5325926107 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -28,13 +28,8 @@ Windows Sandbox has the following properties:
- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
- > [!IMPORTANT]
- > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
-
-The following video provides an overview of Windows Sandbox.
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo]
-
+> [!IMPORTANT]
+> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
## Prerequisites
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index 5e0c376121..8963229d82 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -54,7 +54,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
| ---- | ----- | --------------------- | -------------- |
-| Windows 11 | [Windows 11](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772) | October 2021 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520) | September 2022 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 10 | [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703) [21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353) [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393) [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) [1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| December 2021 May 2021 December 2020 October 2018 October 2016 January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 1a2434ffeb..92875c810d 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -25,14 +25,15 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 11 security baseline
-
+ - Windows 11, version 22H2
+ - Windows 11, version 21H2
- Windows 10 security baselines
- - Windows 10 Version 21H2
- - Windows 10 Version 21H1
- - Windows 10 Version 20H2
- - Windows 10 Version 1809
- - Windows 10 Version 1607
- - Windows 10 Version 1507
+ - Windows 10, version 21H2
+ - Windows 10, version 21H1
+ - Windows 10, version 20H2
+ - Windows 10, version 1809
+ - Windows 10, version 1607
+ - Windows 10, version 1507
- Windows Server security baselines
- Windows Server 2022
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
deleted file mode 100644
index 5f30884997..0000000000
--- a/windows/threat-protection/docfx.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg",
- "**/*.gif"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows",
- "ms.topic": "article",
- "audience": "ITPro",
- "ms.date": "04/05/2017",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.win-threat-protection",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "win-threat-protection",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/update/docfx.json b/windows/update/docfx.json
deleted file mode 100644
index d577905730..0000000000
--- a/windows/update/docfx.json
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.windows-update",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "windows-update",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index dc42004f13..6a59ce9b38 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -11,6 +11,8 @@
href: windows-11-plan.md
- name: Prepare for Windows 11
href: windows-11-prepare.md
+ - name: What's new in Windows 11, version 22H2
+ href: whats-new-windows-11-version-22h2.md
- name: Windows 10
expanded: true
items:
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 0c42863822..19bd51f371 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -21,6 +21,7 @@
"files": [
"**/**/*.png",
"**/**/*.jpg",
+ "**/*.svg",
"**/**/*.gif"
],
"exclude": [
diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png b/windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png
new file mode 100644
index 0000000000..a68a8d0888
Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png differ
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index d71d316113..f915846669 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -362,7 +362,7 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Accessibility
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/).
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/).
### Privacy
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 159845ee44..1067c47c88 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -155,7 +155,7 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
### Accessibility
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
### Privacy
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
new file mode 100644
index 0000000000..7a75c8344c
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -0,0 +1,120 @@
+---
+title: What's new in Windows 11, version 22H2 for IT pros
+description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
+manager: dougeby
+ms.prod: w10
+ms.author: mstewart
+author: mestew
+ms.localizationpriority: medium
+ms.topic: article
+ms.collection: highpri
+ms.custom: intro-overview
+---
+
+# What's new in Windows 11, version 22H2
+
+**Applies to**: Windows 11, version 22H2
+
+Windows 11, version 22H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 21H2, the original Windows 11 release version. This article lists the new and updated features IT Pros should know.
+
+Windows 11, version 22H2 follows the [Windows 11 servicing timeline](/lifecycle/faq/windows#windows-11):
+
+- **Windows 11 Professional**: Serviced for 24 months from the release date.
+- **Windows 11 Enterprise**: Serviced for 36 months from the release date.
+
+Windows 11, version 22H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 11, version 22H2 update](https://aka.ms/W11/how-to-get-22H2). Review the [Windows 11, version 22H2 Windows IT Pro blog post](https://aka.ms/new-in-22H2) to discover information about available deployment resources such as the [Windows Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install).
+
+
+To learn more about the status of the update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
+
+## Microsoft Pluton
+
+Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
+
+For more information, see [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor).
+
+## Enhanced Phishing Protection
+
+**Enhanced Phishing Protection** in **Microsoft Defender SmartScreen** helps protect Microsoft school or work passwords against phishing and unsafe usage on websites and in applications. Enhanced Phishing Protection works alongside Windows security protections to help protect Windows 11 work or school sign-in passwords.
+
+For more information, see [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) and [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog.
+
+## Smart App Control
+
+**Smart App Control** adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. **Smart App Control** also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.
+
+For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md#wdac-and-smart-app-control).
+
+## Credential Guard
+
+Compatible Windows 11 Enterprise version 22H2 devices will have **Windows Defender Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
+
+For more information, see [Manage Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
+
+## Malicious and vulnerable driver blocking
+
+The vulnerable driver blocklist is automatically enabled on devices for the following two new conditions:
+- When Smart App Control is enabled
+- For clean installs of Windows
+
+For more information, see [recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules#microsoft-vulnerable-driver-blocklist).
+
+## Security hardening and threat protection
+
+Windows 11, version 22H2 supports additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
+
+For more information, see [Configuring Additional LSA Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json).
+
+## Personal Data Encryption
+
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+
+For more information, see [Personal Data Encryption](/windows/security/information-protection/personal-data-encryption/overview-pde).
+
+## WebAuthn APIs support ECC
+
+Elliptic-curve cryptography (ECC) is now supported by WebAuthn APIs for Windows 11, version 22H2 clients.
+
+For more information, see [WebAuthn APIs for passwordless authentication on Windows](/windows/security/identity-protection/hello-for-business/webauthn-apis).
+
+## Stickers for Windows 11 SE, version 22H2
+
+Starting in Windows 11 SE, version 22H2, **Stickers** is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
+
+For more information, see [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers).
+
+## Education themes
+
+Starting in Windows 11, version 22H2, you can deploy education themes to your devices. The education themes are designed for students using devices in a school. Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings. Students can choose their own themes, making it feel the device is their own.
+
+For more information, see [Configure education themes for Windows 11](/education/windows/edu-themes).
+
+## Windows Update notifications
+
+
+The following items were added for Windows Update notifications:
+
+- You can now block user notifications for Windows Updates during active hours. This setting is especially useful for educational organizations that want to prevent Windows Update notifications from occurring during class time. For more information, see [Control restart notifications](/windows/deployment/update/waas-restart#control-restart-notifications).
+
+- The organization name now appears in the Windows Update notifications when Windows clients are associated with an Azure Active Directory tenant. For more information, see [Display organization name in Windows Update notifications](/windows/deployment/update/waas-wu-settings#bkmk_display-name).
+
+## Start menu layout
+
+Windows 11, version 22H2 now supports additional CSPs for customizing the start menu layout. These CSPs allow you to hide the app list and disable context menus.
+
+For more information, see [Supported configuration service provider (CSP) policies for Windows 11 Start menu](/windows/configuration/supported-csp-start-menu-layout-windows#existing-windows-csp-policies-that-windows-11-supports).
+
+## Improvements to task manager
+
+- A new command bar was added to each page to give access to common actions
+- Task Manager will automatically match the system wide theme configured in **Windows Settings**
+- Added an efficiency mode that allows you to limit the resource usage of a process
+- Updated the user experience for Task Manager
+
+## Windows accessibility
+
+Windows 11, version 22H2, includes additional improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).
+
+For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros).
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index ec5cd6f23f..19c319c011 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -2,12 +2,14 @@
title: Windows 11 overview for administrators
description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
ms.reviewer:
-manager: dougeby
-author: aczechowski
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+author: mestew
+ms.author: mstewart
+ms.prod: windows-client
+ms.date: 09/20/2022
+ms.technology: itpro-fundamentals
ms.localizationpriority: medium
-ms.topic: article
+ms.topic: overview
ms.collection: highpri
ms.custom: intro-overview
---
@@ -100,6 +102,12 @@ For more information on the security features you can configure, manage, and enf
You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu).
+ Starting in Windows 11, version 22H2, you can also activate snap layouts by dragging a window to the top of the screen. The feature is available for both mouse and touch.
+
+ :::image type="content" source="images/windows-11-whats-new/windows-11-22h2-snap-layouts.png" alt-text="In Windows 11, version 22H2, activate snap layouts by dragging a window to the top of the screen.":::
+
+ For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241).
+
- **Start menu**: The Start menu includes some apps that are pinned by default. You can customize the Start menu layout by pinning (and unpinning) the apps you want. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more.
Using policy, you can deploy your customized Start menu layout to devices in your organization. For more information, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11).
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 6b9654ecf4..2c6b25ecff 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -114,4 +114,4 @@ You might already be using App Assure and Test Base in your Windows 10 environme
## Also see
-[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/)
+[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/training/modules/windows-plan/)
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 84525fe130..7967b76c83 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -103,29 +103,31 @@ If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint ana
## Prepare a pilot deployment
-A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization.
+A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization.
-At a high level, the tasks involved are:
+At a high level, the tasks involved are:
-1. Assign a group of users or devices to receive the upgrade.
-2. Implement baseline updates.
-3. Implement operational updates.
-4. Validate the deployment process.
-5. Deploy the upgrade to devices.
-6. Test and support the pilot devices.
-7. Determine broad deployment readiness based on the results of the pilot.
+1. Assign a group of users or devices to receive the upgrade.
+2. Implement baseline updates.
+3. Implement operational updates.
+4. Validate the deployment process.
+5. Deploy the upgrade to devices.
+6. Test and support the pilot devices.
+7. Determine broad deployment readiness based on the results of the pilot.
## User readiness
-Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11:
-- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes.
-- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options.
-- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices.
+Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11:
+
+- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes.
+- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options.
+- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices.
## Learn more
-See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn.
-- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11.
+See the [Stay current with Windows 10 and Microsoft 365 Apps](/training/paths/m365-stay-current/) learning path.
+
+- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11.
## See also