diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index ca2950ff0a..1b6cd93ec5 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,6 +2,14 @@ +## Week of December 19, 2022 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | + + ## Week of December 12, 2022 diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index efb6644b18..41a3aec43a 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -79,71 +79,71 @@ The following table lists all the applications included in Windows 11 SE and the The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1] -| Application | Supported version | App Type | Vendor | -|-----------------------------------------|-------------------|----------|------------------------------| -| 3d builder | 15.2.10821.1070 | Win32 | Microsoft | -|Absolute Software Endpoint Agent | 7.20.0.1 | Win32 | Absolute Software Corporation| -| AirSecure | 8.0.0 | Win32 | AIR | -| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | -| Brave Browser | 106.0.5249.65 | Win32 | Brave | -| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb | -| CA Secure Browser | 14.0.0 | Win32 | Cambium Development | -| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco | -| CKAuthenticator | 3.6+ | Win32 | Content Keeper | -| Class Policy | 114.0.0 | Win32 | Class Policy | -| Classroom.cloud | 1.40.0004 | Win32 | NetSupport | -| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights | -| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications | -| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation | -| Duo from Cisco | 2.25.0 | Win32 | Cisco | -| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking | -| Epson iProjection | 3.31 | Win32 | Epson | -| eTests | 4.0.25 | Win32 | CASAS | -| FortiClient | 7.2.0.4034+ | Win32 | Fortinet | -| Free NaturalReader | 16.1.2 | Win32 | Natural Soft | -| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd | -| GoGuardian | 1.4.4 | Win32 | GoGuardian | -| Google Chrome | 102.0.5005.115 | Win32 | Google | -| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education | -| Immunet | 7.5.0.20795 | Win32 | Immunet | -| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software | -| Inspiration 10 | 10.11 | Win32 | 
TechEdology Ltd | -| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific | -| Kite Student Portal | 9.0.0.0 | Win32 | Dynamic Learning Maps | -| Kortext | 2.3.433.0 | Store | Kortext | -| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems | -| LanSchool Classic | 9.1.0.46 | Win32 | Stoneware, Inc. | -| LanSchool Air | 2.0.13312 | Win32 | Stoneware, Inc. | -| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems | -| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation | -| Microsoft Connect | 10.0.22000.1 | Store | Microsoft | -| Mozilla Firefox | 99.0.1 | Win32 | Mozilla | -| NAPLAN | 2.5.0 | Win32 | NAP | -| Netref Student | 22.2.0 | Win32 | NetRef | -| NetSupport Manager | 12.01.0014 | Win32 | NetSupport | -| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport | -| NetSupport School | 14.00.0011 | Win32 | NetSupport | -| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies | -| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access | -| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA | -| PaperCut | 22.0.6 | Win32 | PaperCut Software International Pty Ltd | -| Pearson TestNav | 1.10.2.0 | Store | Pearson | -| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc | -| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. | -| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft | -| Remote Help | 3.8.0.12 | Win32 | Microsoft | -| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus | -| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | -| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | -| Smoothwall Monitor | 2.8.0 | Win32 | Smoothwall Ltd -| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | -| SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access | -| VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc | -| Winbird | 19 | Win32 | Winbird Co., Ltd. 
| -| WordQ | 5.4.23 | Win32 | Mathetmots | -| Zoom | 5.9.1 (2581) | Win32 | Zoom | -| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific | -| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific | +| Application | Supported version | App Type | Vendor | +|-------------------------------------------|-------------------|----------|-------------------------------------------| +| `3d builder` | `18.0.1931.0` | Win32 | `Microsoft` | +| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` | +| `AirSecure` | 8.0.0 | Win32 | `AIR` | +| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` | +| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` | +| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` | +| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` | +| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` | +| `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` | +| `Class Policy` | 114.0.0 | Win32 | `Class Policy` | +| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` | +| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` | +| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` | +| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` | +| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` | +| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` | +| `Epson iProjection` | 3.31 | Win32 | `Epson` | +| `eTests` | 4.0.25 | Win32 | `CASAS` | +| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` | +| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` | +| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` | +| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` | +| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` | +| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` | +| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` | +| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero 
Software` | +| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` | +| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` | +| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` | +| `Kortext` | 2.3.433.0 | `Store` | `Kortext` | +| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` | +| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` | +| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` | +| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` | +| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` | +| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` | +| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` | +| `NAPLAN` | 2.5.0 | Win32 | `NAP` | +| `Netref Student` | 22.2.0 | Win32 | `NetRef` | +| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` | +| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` | +| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` | +| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` | +| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` | +| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` | +| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` | +| `Pearson TestNav` | 1.10.2.0 | `Store` | `Pearson` | +| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` | +| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` | +| `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` | +| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` | +| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` | +| `Safe Exam Browser` | 3.3.2.413 | Win32 | `Safe Exam Browser` | +| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` | +| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` | +| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` | +| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer 
Access` | +| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` | +| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` | +| `WordQ` | 5.4.23 | Win32 | `Mathetmots` | +| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` | +| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` | +| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` | ## Add your own applications diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index e1d6f4d069..f2c906993c 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -1,6 +1,6 @@ --- title: Azure Active Directory integration with MDM -description: Azure Active Directory is the world largest enterprise cloud identity management service. +description: Azure Active Directory is the world's largest enterprise cloud identity management service. ms.reviewer: manager: aaroncz ms.author: vinpa 
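Review bot: In the windows-11-se-overview.md application table, the new backtick formatting is applied unevenly: the first row wraps its version (`18.0.1931.0`) while every other version is plain, and `Store` is wrapped in the App Type column while Win32 is not. Pick one convention per column (for example, plain text for Supported version and App Type) so the table renders uniformly and later version bumps don't have to guess the style.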
@@ -14,7 +14,7 @@ ms.date: 12/31/2017 # Azure Active Directory integration with MDM -Azure Active Directory is the world largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. +Azure Active Directory is the world's largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. Once a device is enrolled in MDM, the MDM: diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 828657eada..95f4178efd 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md 
@@ -702,11 +702,7 @@ ADMX Info: Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory. -When set, the Group ID will be assigned automatically from the selected source. - -If you set this policy, the GroupID policy will be ignored. - -The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 1fe629ddd5..3724425208 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
@@ -337,7 +337,7 @@ To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then si If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: -`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` +`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 07805dc6fb..6c21a68819 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -1,4 +1,4 @@ -- name: Delivery Optimization for Windows client and Microsoft Connected Cache +- name: Delivery Optimization for Windows and Microsoft Connected Cache href: index.yml - name: What's new href: whats-new-do.md @@ -9,9 +9,9 @@ href: waas-delivery-optimization.md - name: Delivery Optimization Frequently Asked Questions href: waas-delivery-optimization-faq.yml - - name: Configure Delivery Optimization for Windows clients + - name: Configure Delivery Optimization for Windows items: - - name: Windows client Delivery Optimization settings + - name: Windows Delivery Optimization settings href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings - name: Configure Delivery Optimization settings using Microsoft Intune href: /mem/intune/configuration/delivery-optimization-windows diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md index 2828da9932..5f75f6344a 100644 --- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md +++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md 
@@ -28,15 +28,15 @@ ms.localizationpriority: medium | TotalBytesDownloaded | The number of bytes from any source downloaded so far | | PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | | BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | -| BytesfromHTTP | Total number of bytes received over HTTP | +| BytesfromHTTP | Total number of bytes received over HTTP. This represents all HTTP sources, which includes BytesFromCacheServer | | Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | | Priority | Priority of the download; values are **foreground** or **background** | -| BytesFromCacheServer | Total number of bytes received from cache server | +| BytesFromCacheServer | Total number of bytes received from cache server (MCC) | | BytesFromLanPeers | Total number of bytes received from peers found on the LAN | -| BytesFromGroupPeers | Total number of bytes received from peers found in the group | +| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes will be registered in 'BytesFromLANPeers'.) | | BytesFromInternetPeers | Total number of bytes received from internet peers | | BytesToLanPeers | Total number of bytes delivered from peers found on the LAN | -| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | +| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | | BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN | | DownloadDuration | Total download time in seconds | | HttpConnectionCount | | 
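Review bot: The note added to the BytesFromGroupPeers row refers to 'BytesFromLANPeers', but the field in this table is spelled BytesFromLanPeers; use the exact field name so readers can match it to its row. While this table is being touched, the unchanged BytesToInternetPeers row still reads "delivered from peers found on the LAN", which duplicates the BytesToLanPeers description and looks like a copy-paste error. The BytesToGroupPeers change is whitespace only and could be dropped from the diff.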
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index 654cd9f309..5cbe1535a0 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Delivery Optimization # < 60 chars -summary: Set up peer to peer downloads for Windows Updates and learn about Microsoft Connected Cache. # < 160 chars +summary: Set up peer to peer downloads for Microsoft content supported by Delivery Optimization and learn about Microsoft Connected Cache. # < 160 chars metadata: title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -36,7 +36,7 @@ landingContent: # Card (optional) - - title: Configure Delivery Optimization on Windows clients + - title: Configure Delivery Optimization on Windows linkLists: - linkListType: how-to-guide links: diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 9c4a778d6c..74688ffae3 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml 
@@ -28,12 +28,18 @@ sections: - question: What are the prerequisites and hardware requirements? answer: | - Azure subscription - - Hardware to host Microsoft Connected Cache: + - Hardware to host Microsoft Connected Cache + - Ubuntu 20.04 LTS on a physical server or VM of your choice. + + > [!NOTE] + > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. + + The following are recommended hardware configurations: [!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)] - We have one customer who is able to achieve 40-Gbps egress rate using the following hardware specification: + We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification: - Dell PowerEdge R330 - 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core - 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 5e04bd8f7a..6564dcd26e 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md 
@@ -64,7 +64,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | | [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | -| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 1809 | +| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | | [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | | [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | 
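Review bot: In the context rows of this hunk, the "Maximum Foreground Download Bandwidth (in KB/s)" entry links to #maximum-background-download-bandwidth-in-kbs, the same anchor as the Background row below it; point it at the foreground section's anchor while this table is open. The DOCacheHostSource change from 1809 to 2004 comes with no explanation in the visible diff, so a reference confirming the version that introduced the policy would help reviewers verify it.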
@@ -146,7 +146,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 4 = DNS Suffix - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. -When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. ### Minimum RAM (inclusive) allowed to use Peer Caching diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 60f042509b..f7d7f2d1b8 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md 
@@ -21,6 +21,7 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 +- Windows Server ## What is a servicing stack update? Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. @@ -61,3 +62,5 @@ Typically, the improvements are reliability and performance improvements that do ## Simplifying on-premises deployment of servicing stack updates With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382. + + diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md index 2d9a417660..5f07d75c3e 100644 --- a/windows/deployment/update/wufb-reports-configuration-intune.md +++ b/windows/deployment/update/wufb-reports-configuration-intune.md 
@@ -8,7 +8,7 @@ author: mestew ms.author: mstewart ms.localizationpriority: medium ms.topic: article -ms.date: 12/05/2022 +ms.date: 12/22/2022 ms.technology: itpro-updates --- @@ -27,7 +27,7 @@ This article is targeted at configuring devices enrolled to [Microsoft Intune](/ ## Create a configuration profile -Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports: +Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports (select one): - The [settings catalog](#settings-catalog) - [Template](#custom-oma-uri-based-profile) for a custom OMA URI-based profile 
@@ -45,9 +45,12 @@ Create a configuration profile that will set the required policies for Windows U - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*) - **Setting**: Allow Update Compliance Processing - **Value**: Enabled + 1. Recommended settings, but not required: + - **Setting**: Configure Telemetry Opt In Settings Ux + - **Value**: Disabled (*By turning this setting on you are disabling the ability for a user to potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports*) - **Setting**: Configure Telemetry Opt In Change Notification - 1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports: - - **Setting**: Allow device name to be sent in Windows diagnostic data + - **Value**: Disabled (*By turning this setting on you are disabling notifications of diagnostic data changes*) + - **Setting**: Allow device name to be sent in Windows diagnostic data (*If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports*) - **Value**: Allowed 1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index e8fd16c69f..14b65a281f 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -203,6 +203,7 @@ The following table indicates which command-line options aren't compatible with |**/encrypt**|Required*|X|X|| |**/keyfile**|N/A||X|| |**/l**||||| +|**/listfiles**|||X|| |**/progress**|||X|| |**/r**|||X|| |**/w**|||X|| 
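Review bot: In wufb-reports-configuration-intune.md, the two new recommended settings pair "Value: Disabled" with an explanation that begins "By turning this setting on", which reads as the opposite of the value shown. Reword both parentheticals so they describe what the listed value does, in the same terms as the value, so an admin doesn't pick the wrong state for "Configure Telemetry Opt In Settings Ux" or "Configure Telemetry Opt In Change Notification".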
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index 718e1126b8..2ef4799a5e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md 
@@ -52,7 +52,24 @@ Windows Autopatch configures these policies differently across update rings to g :::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png"::: -## Expedited releases +## Release management + +In the Release management blade, you can: + +- Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings). +- [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases). +- Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases). + +### Release schedule + +For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains: + +- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf. +- The date the update is available. +- The target completion date of the update. +- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pausing-and-resuming-a-release) a Windows quality update release. + +### Expedited releases Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release. 
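Review bot: In the new Release management bullets, "knowledge based articles" should be "knowledge base articles". In the Release schedule list, the last bullet ("In the **Release schedule** tab, you can either Pause and/or Resume ...") is an action rather than something the tab contains, and "either ... and/or" contradicts itself; move it out of the list as its own sentence, for example "You can pause or resume a Windows quality update release from this tab."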
@@ -63,10 +80,12 @@ When running an expedited release, the regular goal of 95% of devices in 21 days | Standard release | Test
First
Fast
Broad | 0
1
6
9 | 0
2
2
5 | 0
2
2
2 |
| Expedited release | All devices | 0 | 1 | 1 |
-### Turn off service-driven expedited quality update releases
+#### Turn off service-driven expedited quality update releases
Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
+By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Microsoft Managed Desktop-enrolled devices using Microsoft Intune.
+
**To turn off service-driven expedited quality updates:**
1. Go to **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
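Review bot: The added paragraph says expedited quality updates can be disabled "for Microsoft Managed Desktop-enrolled devices", but this file is the Windows Autopatch quality update overview and the surrounding text refers to Windows Autopatch throughout; the wording looks carried over from another service's docs and should name Windows Autopatch devices. The unchanged line above it also has a stray word in "turn off of service-driven".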
@@ -75,9 +94,9 @@ Windows Autopatch provides the option to turn off of service-driven expedited qu
> [!NOTE]
> Windows Autopatch doesn't allow customers to request expedited releases.
-## Out of Band releases
+### Out of Band releases
-Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. You can view the deployed OOB quality updates in the **Release Management** blade in the **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)**.
+Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
**To view deployed Out of Band quality updates:**
@@ -87,13 +106,18 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
> [!NOTE]
> Announcements will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
-## Pausing and resuming a release
+### Pausing and resuming a release
If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md), we may decide to pause that release.
-If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed.
+In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Release management** > in the **Release schedule** tab, you can pause or resume a Windows quality update.
-You can pause or resume a Windows quality update from the **Release management** tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
+
+| Status | Description |
+| ----- | ------ |
+| Service Paused | If the Microsoft Managed Desktop service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
+| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Microsoft Managed Desktop service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
## Incidents and outages
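Review bot: Both rows of the added status table name the "Microsoft Managed Desktop service" as the party that pauses an update or cannot overwrite a customer pause, but this article is about Windows Autopatch (the context line reads "If Windows Autopatch detects a significant issue with a release"). This looks like wording carried over from another doc set; change it to "Windows Autopatch service" unless the cross-product reference is deliberate. The hunk also deletes the sentence explaining that a pause deploys a policy which prevents devices from updating while the issue is investigated; consider keeping it, because it is the only statement of what a pause actually does on the device. Finally, "> **Release management** > in the **Release schedule** tab" mixes breadcrumb and prose; "go to **Release management** and select the **Release schedule** tab" reads more cleanly.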
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 7110c8ac4c..c65b98067d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -94,7 +94,7 @@ sections:
- question: Can I use a convenience PIN with Azure Active Directory?
answer: |
- It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
+ It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. However, convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
answer: |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index c167390523..b86eb930d8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -35,6 +35,11 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
+> [!NOTE]
+> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
+> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
+> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
+
## Managing workplace-joined PCs and phones
For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
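Review bot: The added note spells the product "Bitlocker", while the rest of the article (and the file name) uses "BitLocker"; fix the casing. The clause "To manage Bitlocker, except to enable and disable it" is also hard to parse as a licensing statement: reword it so a reader can tell that turning encryption on and off needs no additional license and that every other management operation requires one of the listed licenses.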
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
index c5b9e5773f..12709e8d35 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -48,11 +48,11 @@ ms.date: 12/13/2022
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
- Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
+ Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
+ Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
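Review bot: In the **Hibernation disabled** item the corrected sentence still says "For more information on disabling crash dumps via Intune, see [Disable hibernation]", so the typo fix preserves a copy-paste error. The link target is `configure-pde-in-intune.md#disable-hibernation`, and the sentence should read "disabling hibernation via Intune". The same wording in the Windows Error Reporting item above is correct as changed.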
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 82f8d5e2f2..f768669a7c 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -20,8 +20,9 @@ ms.date: 12/31/2017
**Applies to**
- Windows 11
- Windows 10
-- Windows Server 2016
+- Windows Server 2022
- Windows Server 2019
+- Windows Server 2016
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
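Review bot: The hunk header shows `ms.date: 12/31/2017` and nothing in this change updates it, even though the **Applies to** list gains Windows Server 2022. If the supported-OS statement is being revised, update `ms.date` in the same commit so the article's freshness metadata matches the content.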
@@ -74,15 +75,14 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
-> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
+> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation
-| TPM version | Windows 11 | Windows 10 | Windows Server 2016 | Windows Server 2019 |
-|-------------|-------------|-------------|---------------------|---------------------|
-| TPM 1.2 | | >= ver 1607 | >= ver 1607 | Yes |
-| TPM 2.0 | Yes | Yes | Yes | Yes |
-
+| TPM version | Windows 11 | Windows 10 | Windows Server 2022 | Windows Server 2019 | Windows Server 2016 |
+|-------------|-------------|-------------|---------------------|---------------------|---------------------|
+| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |
+| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
## Related topics
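Review bot: The revised note at the top of this hunk still lists "Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019", while the **Applies to** list and the new table both add Windows Server 2022; add it to the note or state why it is excluded. In the new table the TPM 1.2 cell for Windows Server 2022 is empty, the same as Windows 11: confirm that this means "not supported" rather than an unfilled cell, and consider writing "No" explicitly. The bolding is also inconsistent, since every "Yes" in the TPM 2.0 row is bold but the "Yes" for Windows Server 2019 in the TPM 1.2 row is not.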
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 7493899dfe..b4b43624b2 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -171,4 +171,8 @@ Resource SACLs are also useful for diagnostic scenarios. For example, administra
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
-- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
\ No newline at end of file
+- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
+
+## Related topics
+
+- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index fedd8a7726..aa0e4c7ea2 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -38,6 +38,6 @@ Basic security audit policy settings are found under Computer Configuration\\Win
## Related topics
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
+- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
index 383989f443..6cc68892c8 100644
--- a/windows/security/threat-protection/auditing/event-4661.md
+++ b/windows/security/threat-protection/auditing/event-4661.md
@@ -158,15 +158,15 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
**Access Request Information:**
-- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
+- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use
| September 2022
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022
December 2021
May 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022
December 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index aecf0cfcc4..b08b62f673 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -31,7 +31,6 @@ The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10, version 22H2
- Windows 10, version 21H2
- - Windows 10, version 21H1
- Windows 10, version 20H2
- Windows 10, version 1809
- Windows 10, version 1607
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
index f23f01e7d7..d6159d39a6 100644
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -13,7 +13,7 @@ ms.date: 12/31/2017
---
# Zero Trust and Windows device health
-Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex environments.
+Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps address today's complex environments.
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are: