deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into pm-20221228-whatsnew-fix

Browse Source
This commit is contained in:
Paolo Matarazzo 2022-12-28 09:16:58 -05:00 committed by GitHub
commit ec24ee1d96
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
46 changed files with 214 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
education/includes/education-content-updates.md
View File

@ -2,6 +2,14 @@
## Week of December 19, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
## Week of December 12, 2022

130
education/windows/windows-11-se-overview.md
View File

@ -79,71 +79,71 @@ The following table lists all the applications included in Windows 11 SE and the
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
| Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------|
| 3d builder | 15.2.10821.1070 | Win32 | Microsoft |
|Absolute Software Endpoint Agent | 7.20.0.1 | Win32 | Absolute Software Corporation|
| AirSecure | 8.0.0 | Win32 | AIR |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Brave Browser | 106.0.5249.65 | Win32 | Brave |
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
| CA Secure Browser | 14.0.0 | Win32 | Cambium Development |
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
| CKAuthenticator | 3.6+ | Win32 | Content Keeper |
| Class Policy | 114.0.0 | Win32 | Class Policy |
| Classroom.cloud | 1.40.0004 | Win32 | NetSupport |
| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights |
| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications |
| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation |
| Duo from Cisco | 2.25.0 | Win32 | Cisco |
| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking |
| Epson iProjection | 3.31 | Win32 | Epson |
| eTests | 4.0.25 | Win32 | CASAS |
| FortiClient | 7.2.0.4034+ | Win32 | Fortinet |
| Free NaturalReader | 16.1.2 | Win32 | Natural Soft |
| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd |
| GoGuardian | 1.4.4 | Win32 | GoGuardian |
| Google Chrome | 102.0.5005.115 | Win32 | Google |
| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education |
| Immunet | 7.5.0.20795 | Win32 | Immunet |
| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software |
| Inspiration 10 | 10.11 | Win32 | TechEdology Ltd |
| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific |
| Kite Student Portal | 9.0.0.0 | Win32 | Dynamic Learning Maps |
| Kortext | 2.3.433.0 | Store | Kortext |
| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems |
| LanSchool Classic | 9.1.0.46 | Win32 | Stoneware, Inc. |
| LanSchool Air | 2.0.13312 | Win32 | Stoneware, Inc. |
| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems |
| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation |
| Microsoft Connect | 10.0.22000.1 | Store | Microsoft |
| Mozilla Firefox | 99.0.1 | Win32 | Mozilla |
| NAPLAN | 2.5.0 | Win32 | NAP |
| Netref Student | 22.2.0 | Win32 | NetRef |
| NetSupport Manager | 12.01.0014 | Win32 | NetSupport |
| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport |
| NetSupport School | 14.00.0011 | Win32 | NetSupport |
| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies |
| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access |
| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA |
| PaperCut | 22.0.6 | Win32 | PaperCut Software International Pty Ltd |
| Pearson TestNav | 1.10.2.0 | Store | Pearson |
| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc |
| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. |
| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft |
| Remote Help | 3.8.0.12 | Win32 | Microsoft |
| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus |
| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser |
| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud |
| Smoothwall Monitor | 2.8.0 | Win32 | Smoothwall Ltd
| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access |
| SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access |
| VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc |
| Winbird | 19 | Win32 | Winbird Co., Ltd. |
| WordQ | 5.4.23 | Win32 | Mathetmots |
| Zoom | 5.9.1 (2581) | Win32 | Zoom |
| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific |
| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific |
| Application | Supported version | App Type | Vendor |
|-------------------------------------------|-------------------|----------|-------------------------------------------|
| `3d builder` | `18.0.1931.0` | Win32 | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` |
| `AirSecure` | 8.0.0 | Win32 | `AIR` |
| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
| `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` |
| `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
| `Epson iProjection` | 3.31 | Win32 | `Epson` |
| `eTests` | 4.0.25 | Win32 | `CASAS` |
| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
| `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
| `NAPLAN` | 2.5.0 | Win32 | `NAP` |
| `Netref Student` | 22.2.0 | Win32 | `NetRef` |
| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
| `Pearson TestNav` | 1.10.2.0 | `Store` | `Pearson` |
| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
| `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` |
| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
| `Safe Exam Browser` | 3.3.2.413 | Win32 | `Safe Exam Browser` |
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
## Add your own applications

4
windows/client-management/azure-active-directory-integration-with-mdm.md
View File

@ -1,6 +1,6 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world largest enterprise cloud identity management service.
description: Azure Active Directory is the world's largest enterprise cloud identity management service.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@ -14,7 +14,7 @@ ms.date: 12/31/2017
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
Azure Active Directory is the world's largest enterprise cloud identity management service. Its used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
Once a device is enrolled in MDM, the MDM:

6
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -702,11 +702,7 @@ ADMX Info:
<!--Description-->
Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory.
When set, the Group ID will be assigned automatically from the selected source.
If you set this policy, the GroupID policy will be ignored.
The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored.
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.

2
windows/configuration/kiosk-single-app.md
View File

@ -337,7 +337,7 @@ To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then si
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.

6
windows/deployment/do/TOC.yml
View File

@ -1,4 +1,4 @@
- name: Delivery Optimization for Windows client and Microsoft Connected Cache
- name: Delivery Optimization for Windows and Microsoft Connected Cache
href: index.yml
- name: What's new
href: whats-new-do.md
@ -9,9 +9,9 @@
href: waas-delivery-optimization.md
- name: Delivery Optimization Frequently Asked Questions
href: waas-delivery-optimization-faq.yml
- name: Configure Delivery Optimization for Windows clients
- name: Configure Delivery Optimization for Windows
items:
- name: Windows client Delivery Optimization settings
- name: Windows Delivery Optimization settings
href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings
- name: Configure Delivery Optimization settings using Microsoft Intune
href: /mem/intune/configuration/delivery-optimization-windows

8
windows/deployment/do/includes/waas-delivery-optimization-monitor.md
View File

@ -28,15 +28,15 @@ ms.localizationpriority: medium
| TotalBytesDownloaded | The number of bytes from any source downloaded so far |
| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
| BytesfromHTTP | Total number of bytes received over HTTP |
| BytesfromHTTP | Total number of bytes received over HTTP. This represents all HTTP sources, which includes BytesFromCacheServer |
| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
| Priority | Priority of the download; values are **foreground** or **background** |
| BytesFromCacheServer | Total number of bytes received from cache server |
| BytesFromCacheServer | Total number of bytes received from cache server (MCC) |
| BytesFromLanPeers | Total number of bytes received from peers found on the LAN |
| BytesFromGroupPeers | Total number of bytes received from peers found in the group |
| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes will be registered in 'BytesFromLANPeers'.) |
| BytesFromInternetPeers | Total number of bytes received from internet peers |
| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN |
| BytesToGroupPeers | Total number of bytes delivered from peers found in the group |
| BytesToGroupPeers | Total number of bytes delivered from peers found in the group |
| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN |
| DownloadDuration | Total download time in seconds |
| HttpConnectionCount | |

4
windows/deployment/do/index.yml
View File

@ -1,7 +1,7 @@
### YamlMime:Landing
title: Delivery Optimization # < 60 chars
summary: Set up peer to peer downloads for Windows Updates and learn about Microsoft Connected Cache. # < 160 chars
summary: Set up peer to peer downloads for Microsoft content supported by Delivery Optimization and learn about Microsoft Connected Cache. # < 160 chars
metadata:
title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars.
@ -36,7 +36,7 @@ landingContent:
# Card (optional)
- title: Configure Delivery Optimization on Windows clients
- title: Configure Delivery Optimization on Windows
linkLists:
- linkListType: how-to-guide
links:

10
windows/deployment/do/mcc-isp-faq.yml
View File

@ -28,12 +28,18 @@ sections:
- question: What are the prerequisites and hardware requirements?
answer: |
- Azure subscription
- Hardware to host Microsoft Connected Cache:
- Hardware to host Microsoft Connected Cache
- Ubuntu 20.04 LTS on a physical server or VM of your choice.
> [!NOTE]
> The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS.
The following are recommended hardware configurations:
<!--Using include file, mcc-prerequisites.md, for shared content on DO monitoring-->
[!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)]
We have one customer who is able to achieve 40-Gbps egress rate using the following hardware specification:
We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification:
- Dell PowerEdge R330
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s

4
windows/deployment/do/waas-delivery-optimization-reference.md
View File

@ -64,7 +64,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 |
| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 |
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 1809 |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 |
| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 |
| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 |
@ -146,7 +146,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching

3
windows/deployment/update/servicing-stack-updates.md
View File

@ -21,6 +21,7 @@ ms.date: 12/31/2017
- Windows 10
- Windows 11
- Windows Server
## What is a servicing stack update?
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
@ -61,3 +62,5 @@ Typically, the improvements are reliability and performance improvements that do
## Simplifying on-premises deployment of servicing stack updates
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.

11
windows/deployment/update/wufb-reports-configuration-intune.md
View File

@ -8,7 +8,7 @@ author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ms.date: 12/05/2022
ms.date: 12/22/2022
ms.technology: itpro-updates
---
@ -27,7 +27,7 @@ This article is targeted at configuring devices enrolled to [Microsoft Intune](/
## Create a configuration profile
Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports:
Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports (select one):
- The [settings catalog](#settings-catalog)
- [Template](#custom-oma-uri-based-profile) for a custom OMA URI-based profile
@ -45,9 +45,12 @@ Create a configuration profile that will set the required policies for Windows U
- **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*)
- **Setting**: Allow Update Compliance Processing
- **Value**: Enabled
1. Recommended settings, but not required:
- **Setting**: Configure Telemetry Opt In Settings Ux
- **Value**: Disabled (*By turning this setting on you are disabling the ability for a user to potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports*)
- **Setting**: Configure Telemetry Opt In Change Notification
1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports:
- **Setting**: Allow device name to be sent in Windows diagnostic data
- **Value**: Disabled (*By turning this setting on you are disabling notifications of diagnostic data changes*)
- **Setting**: Allow device name to be sent in Windows diagnostic data (*If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports*)
- **Value**: Allowed
1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.

1
windows/deployment/usmt/usmt-scanstate-syntax.md
View File

@ -203,6 +203,7 @@ The following table indicates which command-line options aren't compatible with
|**/encrypt**|Required*|X|X||
|**/keyfile**|N/A||X||
|**/l**|||||
|**/listfiles**|||X||
|**/progress**|||X||
|**/r**|||X||
|**/w**|||X||

38
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
View File

@ -52,7 +52,24 @@ Windows Autopatch configures these policies differently across update rings to g
:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png":::
## Expedited releases
## Release management
In the Release management blade, you can:
- Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
- [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases).
- Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases).
### Release schedule
For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains:
- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
- The date the update is available.
- The target completion date of the update.
- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pausing-and-resuming-a-release) a Windows quality update release.
### Expedited releases
Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
@ -63,10 +80,12 @@ When running an expedited release, the regular goal of 95% of devices in 21 days
| Standard release | Test<p>First<p>Fast<p>Broad | 0<p>1<p>6<p>9 | 0<p>2<p>2<p>5 | 0<p>2<p>2<p>2 |
| Expedited release | All devices | 0 | 1 | 1 |
### Turn off service-driven expedited quality update releases
#### Turn off service-driven expedited quality update releases
Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Microsoft Managed Desktop-enrolled devices using Microsoft Intune.
**To turn off service-driven expedited quality updates:**
1. Go to **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
@ -75,9 +94,9 @@ Windows Autopatch provides the option to turn off of service-driven expedited qu
> [!NOTE]
> Windows Autopatch doesn't allow customers to request expedited releases.
## Out of Band releases
### Out of Band releases
Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. You can view the deployed OOB quality updates in the **Release Management** blade in the **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)**.
Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
**To view deployed Out of Band quality updates:**
@ -87,13 +106,18 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
> [!NOTE]
> Announcements will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
## Pausing and resuming a release
### Pausing and resuming a release
If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md), we may decide to pause that release.
If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed.
In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Release management** > in the **Release schedule** tab, you can pause or resume a Windows quality update.
You can pause or resume a Windows quality update from the **Release management** tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
| Status | Description |
| ----- | ------ |
| Service Paused | If the Microsoft Managed Desktop service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Microsoft Managed Desktop service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
## Incidents and outages

2
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -94,7 +94,7 @@ sections:
- question: Can I use a convenience PIN with Azure Active Directory?
answer: |
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. However, convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
answer: |

5
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -35,6 +35,11 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
> [!NOTE]
> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
## Managing workplace-joined PCs and phones
For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.

4
windows/security/information-protection/personal-data-encryption/overview-pde.md
View File

@ -48,11 +48,11 @@ ms.date: 12/13/2022
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)

14
windows/security/information-protection/tpm/trusted-platform-module-overview.md
View File

@ -20,8 +20,9 @@ ms.date: 12/31/2017
**Applies to**
- Windows 11
- Windows 10
- Windows Server 2016
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
@ -74,15 +75,14 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation
| TPM version | Windows 11 | Windows 10 | Windows Server 2016 | Windows Server 2019 |
|-------------|-------------|-------------|---------------------|---------------------|
| TPM 1.2 | | >= ver 1607 | >= ver 1607 | Yes |
| TPM 2.0 | Yes | Yes | Yes | Yes |
| TPM version | Windows 11 | Windows 10 | Windows Server 2022 | Windows Server 2019 | Windows Server 2016 |
|-------------|-------------|-------------|---------------------|---------------------|---------------------|
| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |
| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
## Related topics

6
windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
View File

@ -171,4 +171,8 @@ Resource SACLs are also useful for diagnostic scenarios. For example, administra
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)

2
windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
View File

@ -38,6 +38,6 @@ Basic security audit policy settings are found under Computer Configuration\\Win
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)

8
windows/security/threat-protection/auditing/event-4661.md
View File

@ -158,15 +158,15 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
**Access Request Information:**
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
@ -218,4 +218,4 @@ For 4661(S, F): A handle to an object was requested.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.

6
windows/security/threat-protection/auditing/event-4691.md
View File

@ -126,12 +126,12 @@ These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access requ
**Access Request Information:**
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. “Table 13. File access codes.” contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
## Security Monitoring Recommendations
For 4691(S): Indirect access to an object was requested.
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.

2
windows/security/threat-protection/auditing/event-5140.md
View File

@ -133,7 +133,7 @@ This event generates once per session, when first access attempt was made.
**Access Request Information:**
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event.
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights. It always has “**0x1**” value for this event.
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.

4
windows/security/threat-protection/auditing/event-5145.md
View File

@ -135,7 +135,7 @@ This event generates every time network share object (file or folder) was access
**Access Request Information:**
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights.
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights.
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
@ -319,4 +319,4 @@ For 5145(S, F): A network share object was checked to see whether client can be
- WRITE\_DAC
- WRITE\_OWNER
- WRITE\_OWNER

2
windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
View File

@ -82,7 +82,7 @@ Application Guard functionality is turned off by default. However, you can quick
3. Type the following command:
```
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
```
4. Restart the device.

1
windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
View File

@ -22,6 +22,7 @@ ms.technology: itpro-security
# Account lockout duration
**Applies to**
- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting.

1
windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Account Lockout Policy
**Applies to**
- Windows 11
- Windows 10
Describes the Account Lockout Policy settings and links to information about each policy setting.

1
windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
View File

@ -22,6 +22,7 @@ ms.technology: itpro-security
# Account lockout threshold
**Applies to**
- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting.

1
windows/security/threat-protection/security-policy-settings/account-policies.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Account Policies
**Applies to**
- Windows 11
- Windows 10
An overview of account policies in Windows and provides links to policy descriptions.

2
windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
View File

@ -94,7 +94,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
**To administer security policies by using the Security Compliance Manager**
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](/archive/blogs/secguide/) blog.
1. Download the most recent version. You can find more info on the [Microsoft Security Baselines](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) blog.
1. Read the relevant security baseline documentation that is included in this tool.
1. Download and import the relevant security baselines. The installation process steps you through baseline selection.
1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.

1
windows/security/threat-protection/security-policy-settings/audit-policy.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Audit Policy
**Applies to**
- Windows 11
- Windows 10
Provides information about basic audit policies that are available in Windows and links to information about each setting.

1
windows/security/threat-protection/security-policy-settings/enforce-password-history.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Enforce password history
**Applies to**
- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.

1
windows/security/threat-protection/security-policy-settings/maximum-password-age.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Maximum password age
**Applies to**
- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.

3
windows/security/threat-protection/security-policy-settings/minimum-password-age.md
View File

@ -19,6 +19,7 @@ ms.topic: conceptual
# Minimum password age
**Applies to**
- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.
@ -90,4 +91,4 @@ If you set a password for a user but want that user to change the password when
## Related topics
- [Password Policy](password-policy.md)
- [Password Policy](password-policy.md)

1
windows/security/threat-protection/security-policy-settings/minimum-password-length.md
View File

@ -22,6 +22,7 @@ ms.technology: itpro-security
# Minimum password length
**Applies to**
- Windows 11
- Windows 10
This article describes the recommended practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.

1
windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
View File

@ -22,6 +22,7 @@ ms.date: 12/31/2017
# Password must meet complexity requirements
**Applies to**
- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.

1
windows/security/threat-protection/security-policy-settings/password-policy.md
View File

@ -22,6 +22,7 @@ ms.technology: itpro-security
# Password Policy
**Applies to**
- Windows 11
- Windows 10
An overview of password policies for Windows and links to information for each policy setting.

3
windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Reset account lockout counter after
**Applies to**
- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting.
@ -76,4 +77,4 @@ If you don't configure this policy setting or if the value is configured to an i
## Related topics
- [Account Lockout Policy](account-lockout-policy.md)
- [Account Lockout Policy](account-lockout-policy.md)

1
windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Advanced security audit policy settings for Windows 10
**Applies to**
- Windows 11
- Windows 10
Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.

1
windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Store passwords using reversible encryption
**Applies to**
- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.

13
windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
View File

@ -398,6 +398,17 @@ The following GPO snippet performs the following tasks:
![configure event channels.](images/capi-gpo.png)
The following table also contains the six actions to configure in the GPO:
| Program/Script | Arguments |
|------------------------------------|----------------------------------------------------------------------------------------------------------|
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /e:true |
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ms:102432768 |
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-AppLocker/EXE and DLL" /ms:102432768 |
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-32-573)" |
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /e:true |
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /ms:52432896 |
## <a href="" id="bkmk-appendixd"></a>Appendix D - Minimum GPO for WEF Client configuration
Here are the minimum steps for WEF to operate:
@ -656,4 +667,4 @@ You can get more info with the following links:
- [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90))
- [Event Query Schema](/windows/win32/wes/queryschema-schema)
- [Windows Event Collector](/windows/win32/wec/windows-event-collector)
- [4625(F): An account failed to log on](./auditing/event-4625.md)
- [4625(F): An account failed to log on](./auditing/event-4625.md)

11
windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
View File

@ -35,8 +35,6 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
This can only be done in Group Policy.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@ -47,6 +45,9 @@ This can only be done in Group Policy.
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
> [!NOTE]
> This can only be done in Group Policy.
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
@ -58,5 +59,7 @@ This can only be done in Group Policy.
7. Select **OK** after you configure each setting to save your changes.
>[!IMPORTANT]
>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
To enable the customized notifications and add the contact information in Intune, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) and [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings).
> [!IMPORTANT]
> You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.

8
windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
View File

@ -49,7 +49,7 @@ Windows Sandbox has the following properties:
- If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
```powershell
Set-VMProcessor -VMName \<VMName> -ExposeVirtualizationExtensions $true
Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
```
3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
@ -57,7 +57,11 @@ Windows Sandbox has the following properties:
If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
> [!NOTE]
> To enable Sandbox using PowerShell, open PowerShell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online**.
> To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
>
> ```powershell
> Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
> ```
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.

2
windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
View File

@ -54,7 +54,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
| ---- | ----- | --------------------- | -------------- |
| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520) <br> | September 2022<br>|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724) <br> [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703) <br> [21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353) <br> [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393) <br> [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) <br> [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <br>[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022<br>December 2021<br>May 2021<br>December 2020<br>October 2018<br>October 2016 <br>January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724) <br> [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703) <br> [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393) <br> [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) <br> [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <br>[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022<br>December 2021<br>December 2020<br>October 2018<br>October 2016 <br>January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
<br />

1
windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
View File

@ -31,7 +31,6 @@ The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10, version 22H2
- Windows 10, version 21H2
- Windows 10, version 21H1
- Windows 10, version 20H2
- Windows 10, version 1809
- Windows 10, version 1607

2
windows/security/zero-trust-windows-device-health.md
View File

@ -13,7 +13,7 @@ ms.date: 12/31/2017
---
# Zero Trust and Windows device health
Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever theyre located. Implementing a Zero Trust model for security helps addresses today's complex environments.
Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever theyre located. Implementing a Zero Trust model for security helps address today's complex environments.
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are: