Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into copilot-xplat-8348943

This commit is contained in:
Meghan Stewart 2023-10-30 10:39:47 -07:00
commit f53d7ce4de
10 changed files with 116 additions and 141 deletions

View File

@ -15,148 +15,111 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.date: 07/28/2023
ms.date: 08/07/2023
highlightedContent:
items:
- title: Get started with Windows 11
- title: Get started with Windows 11 SE
itemType: get-started
url: /windows/whats-new/windows-11-overview
url: windows-11-se-overview.md
- title: Windows 11, version 22H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-22H2
- title: Windows 11, version 22H2 group policy settings reference
itemType: download
url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
- title: Windows release health
itemType: whats-new
url: /windows/release-health
- title: Windows commercial licensing
itemType: overview
url: /windows/whats-new/windows-licensing
- title: Windows 365 documentation
itemType: overview
url: /windows-365
- title: Explore all Windows trainings and learning paths for IT pros
itemType: learn
url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
- title: Enroll Windows client devices in Microsoft Intune
- title: Deploy applications to Windows 11 SE with Intune
itemType: how-to-guide
url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
url: /education/windows/tutorial-deploy-apps-winse
productDirectory:
title: Get started
items:
- title: Hardware security
imageSrc: /media/common/i_usb.svg
- title: Learn how to deploy Windows
imageSrc: /media/common/i_deploy.svg
links:
- url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
text: Trusted Platform Module
- url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
text: Microsoft Pluton
- url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
text: Windows Defender System Guard
- url: /windows-hardware/design/device-experiences/oem-vbs
text: Virtualization-based security (VBS)
- url: /windows-hardware/design/device-experiences/oem-highly-secure-11
text: Secured-core PC
- url: /windows/security/hardware-security
text: Learn more about hardware security >
- title: OS security
imageSrc: /media/common/i_threat-protection.svg
- url: /education/windows/tutorial-school-deployment/
text: "Tutorial: deploy and manage Windows devices in a school"
- url: /education/windows/tutorial-school-deployment/enroll-autopilot
text: Enrollment in Intune with Windows Autopilot
- url: use-set-up-school-pcs-app.md
text: Deploy devices with Set up School PCs
- url: /windows/deployment
text: Learn more about Windows deployment >
- title: Learn how to secure Windows
imageSrc: /media/common/i_security-management.svg
links:
- url: /windows/security/operating-system-security
text: Trusted boot
- url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
text: Windows security settings
- url: /windows/security/operating-system-security/data-protection/bitlocker/
text: BitLocker
- url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
text: Windows security baselines
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
text: MMicrosoft Defender SmartScreen
- url: /windows/security/operating-system-security
text: Learn more about OS security >
- title: Identity protection
imageSrc: /media/common/i_identity-protection.svg
links:
- url: /windows/security/identity-protection/hello-for-business
text: Windows Hello for Business
- url: /windows/security/identity-protection/credential-guard
text: Credential Guard
- url: /windows-server/identity/laps/laps-overview
text: Windows LAPS (Local Administrator Password Solution)
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
text: Enhanced phishing protection with SmartScreen
- url: /education/windows/federated-sign-in
text: Federated sign-in (EDU)
- url: /windows/security/identity-protection
text: Learn more about identity protection >
- title: Application security
imageSrc: /media/common/i_queries.svg
links:
- url: /windows/security/application-security/application-control/windows-defender-application-control/
text: Windows Defender Application Control (WDAC)
- url: federated-sign-in.md
text: Configure federated sign-in for Windows devices
- url: /windows/security/application-security/application-control/user-account-control
text: User Account Control (UAC)
- url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
text: Microsoft vulnerable driver blocklist
- url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
text: Microsoft Defender Application Guard (MDAG)
- url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
text: Windows Sandbox
- url: /windows/security/application-security
text: Learn more about application security >
- title: Security foundations
imageSrc: /media/common/i_build.svg
links:
- url: /windows/security/security-foundations/certification/fips-140-validation
text: FIPS 140-2 validation
- url: /windows/security/security-foundations/certification/windows-platform-common-criteria
text: Common Criteria Certifications
- url: /windows/security/security-foundations/msft-security-dev-lifecycle
text: Microsoft Security Development Lifecycle (SDL)
- url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
text: Microsoft Windows Insider Preview bounty program
- url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
text: OneFuzz service
- url: /windows/security/security-foundations
text: Learn more about security foundations >
- title: Cloud security
imageSrc: /media/common/i_cloud-security.svg
links:
- url: /mem/intune/protect/security-baselines
text: Security baselines with Intune
- url: /windows/deployment/windows-autopatch
text: Windows Autopatch
- url: /windows/deployment/windows-autopilot
text: Windows Autopilot
- url: /universal-print
text: Universal Print
- url: /windows/client-management/mdm/remotewipe-csp
text: Remote wipe
- url: /windows/security/cloud-security
text: Learn more about cloud security >
- url: /windows/security
text: Learn more about Windows security >
- title: Learn how to manage Windows devices
imageSrc: /media/common/i_management.svg
links:
- url: tutorial-school-deployment/manage-overview.md
text: Manage devices with Microsoft Intune
- url: tutorial-school-deployment/manage-surface-devices.md
text: Management functionalities for Surface devices
- url: /education/windows/get-minecraft-for-education
text: Get and deploy Minecraft Education
- url: /windows/client-management
text: Learn more about Windows management >
- title: Learn how to configure Windows
imageSrc: /media/common/i_config-tools.svg
links:
- url: /education/windows/tutorial-school-deployment/configure-devices-overview
text: Configure settings and applications with Microsoft Intune
- url: /windows/configuration/set-up-shared-or-guest-pc
text: Set up a shared or guest Windows device
- url: /education/windows/take-tests-in-windows
text: Take tests and assessments in Windows
- url: set-up-school-pcs-provisioning-package.md
text: Provisioning package settings
- url: https://www.youtube.com/watch?v=2ZLup_-PhkA
text: "Video: Use the Set up School PCs App"
additionalContent:
sections:
- title: More Windows resources
items:
- title: For developers # < 60 chars (optional)
summary: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here. # < 160 chars (optional)
- items:
# Card
- title: UWP apps for education
summary: Learn how to write universal apps for education.
url: /windows/uwp/apps-for-education/
# Card
- title: Take a test API
summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
url: /windows/uwp/apps-for-education/take-a-test-api
- title: Windows Server
links:
- text: Windows Server documentation
url: /windows-server
- text: What's new in Windows Server 2022?
url: /windows-server/get-started/whats-new-in-windows-server-2022
- text: Windows Server blog
url: https://cloudblogs.microsoft.com/windowsserver/
- title: Office dev center
summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app.
url: https://developer.microsoft.com/office/
- title: Data Streamer
summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
url: /microsoft-365/education/data-streamer
- title: For partners # < 60 chars (optional)
summary: Looking for resources available to Microsoft Education partners? Start here. # < 160 chars (optional)
- items:
- title: Microsoft Partner Network
summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness.
url: https://partner.microsoft.com/explore/education
- title: Education Partner community Yammer group
summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
url: https://www.yammer.com/mepn/
- title: Windows product site and blogs
links:
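Review bot: link targets in this hunk mix file-relative and site-absolute styles for what looks like the same content set. `url: windows-11-se-overview.md`, `url: use-set-up-school-pcs-app.md` and `url: federated-sign-in.md` are relative to the file, while neighbouring entries use `/education/windows/...` paths, and federated sign-in appears under both spellings (`/education/windows/federated-sign-in` and `federated-sign-in.md`). Pick one convention so a later move of this index doesn't break only some of the links. If the `text: MMicrosoft Defender SmartScreen` entry is on the kept side of this merge, fix the doubled M while resolving.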

View File

@ -56,9 +56,9 @@ This walkthrough describes how to customize a Windows PE boot image including up
For this walk-through, when the Windows ADK is installed, it's only necessary to install the **Deployment Tools**. Other products, such as Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT), may require additional features installed, such as the **User State Migration Tool (USMT)**.
One of the tools installed when installing the the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**.
One of the tools installed when installing the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**.
The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly.
The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed in a different location, then adjust the paths during the walk-through accordingly.
1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both.
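Review bot: spelling of "walk-through" in the edited paragraphs disagrees with the article's own intro, which the hunk header shows as "This walkthrough describes". Since these sentences are already being touched for typos ("the the", "installed to"), settle on one form in the same pass.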
@ -70,13 +70,13 @@ This walkthrough describes how to customize a Windows PE boot image including up
>
> - Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT.
>
> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images.
> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes a 64-bit boot image. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images.
## Step 2: Download cumulative update (CU)
1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update. The Windows version of the cumulative update should match the version of the Windows PE boot image that is being updated.
1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"<year>-<month> cumulative update for windows <x>"` where `year` is the four digit current year, `<month>` is the two digit current month, and `<x>` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month.
1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"<year>-<month> cumulative update for windows <x>"` where `year` is the four-digit current year, `<month>` is the two-digit current month, and `<x>` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for Windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search for the previous month.
1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update.
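Review bot: the search-term sentence still has inconsistent placeholders: `year` is written without angle brackets while `<month>` and `<x>` have them, so it should read `<year>`. The new example `"2023-08 cumulative update for Windows 11"` is now capitalised differently from the template `"<year>-<month> cumulative update for windows <x>"`; keep the two in the same case so readers don't wonder whether case matters. In the bullet above, "The latest versions ... only includes a 64-bit boot image" still has a subject-verb mismatch ("versions ... include").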
@ -249,7 +249,7 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
> [!TIP]
>
> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provide basic functionality while in WinPE. In most cases, no drivers need to be added to an out of box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers.
> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provides basic functionality while in WinPE. In most cases, no drivers need to be added to an out-of-box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers.
> [!IMPORTANT]
>
@ -304,9 +304,9 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
---
1. After adding an optional component to the boot image, make sure to also add the language specific component for that optional component.
1. After adding an optional component to the boot image, make sure to also add the language-specific component for that optional component.
Not all optional components have the language specific component. However, for optional components that do have a language specific component, make sure that the language specific component is installed.
Not all optional components have the language-specific component. However, for optional components that do have a language-specific component, make sure that the language-specific component is installed.
To check if an optional component has a language component, check the `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\<Language>\` directory to see if there's a matching language component for that optional component.
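Review bot: in "Not all optional components have the language-specific component", the definite article reads as if one particular component were meant; "a language-specific component" matches the next sentence. The last paragraph also says "language component" twice where the rest of the step says "language-specific component", so align the term while hyphenating.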
@ -507,7 +507,7 @@ DISM Package Manager: PID=<PID> TID=<TID> Failed while processing command add-pa
---
The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU).
The problem occurs when the WinPE boot image that is being serviced requires the installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU).
For scenarios where older versions of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU).
@ -515,7 +515,7 @@ The following steps outline how to extract and then install the servicing stack
> [!IMPORTANT]
>
> These steps are only necessary if error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path)
> These steps are only necessary if the error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path)
1. Create a folder to extract the servicing stack update (SSU) into. For example, `C:\Updates\Extract`:
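Review bot: the IMPORTANT callout now says "if the error `0x800f0823` occurs" in the first sentence but "If error `0x800f0823` didn't occur" in the second; use the same form in both. The second sentence also ends on the Step 8 link without a closing period.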
@ -627,7 +627,7 @@ For more information, see [Copy-Item](/powershell/module/microsoft.powershell.ma
### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line)
From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files:
From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files it finds. When applicable, the commands need confirmation to overwrite any existing files:
```cmd
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi"
@ -934,15 +934,15 @@ This process has the following advantages:
1. Helps manage components in the boot image. The process doesn't need to know what components may need to be removed from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components need to be added to the boot image.
1. It reduces the size of the boot image that can occur when components are repeatedly added to and removed from the boot image.
1. It reduces the size of the boot image which can occur when components are repeatedly added to and removed from the boot image.
Configuration Manager updates the `boot.wim` boot image in two scenarios:
1. When Configuration Manager is upgraded between version or a hotfix roll ups (HFRUs) is applied, `boot.wim` may be updated as part of the upgrade process.
1. When Configuration Manager is upgraded between versions or a hotfix roll-up (HFRU) is applied, `boot.wim` may be updated as part of the upgrade process.
1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**.
In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK.
In these scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK.
### Which boot image should be updated with the cumulative update?
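Review bot: the reworded advantage "It reduces the size of the boot image which can occur when components are repeatedly added to and removed from the boot image" still doesn't parse, because "which can occur" has no noun to attach to (a reduction in size is not what occurs). Something like "It avoids the growth in boot image size that can occur when components are repeatedly added and removed" says what is meant. Swapping "that" for "which" without a comma doesn't address it.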
@ -954,7 +954,7 @@ The `winpe.wim` boot image from the Windows ADK should be updated because if `bo
>
> Never manually update the `boot.<package_id>.wim` boot image. In addition to facing the same issues when manually updating the `boot.wim` boot image, the `boot.<package_id>.wim` boot image will also face additional issues such as:
>
> - Any time any changes are done to the boot image, such as adding drivers, enabling the command prompt. etc, any manual changes done to the boot image, including the cumulative update, will be lost.
> - Any time any changes are done to the boot image (adding drivers, enabling the command prompt, etc.), any manual changes done to the boot image, including the cumulative update, will be lost.
>
> - Manually changing the `boot.<package_id>.wim` boot image changes the hash value of the boot image. A change in the hash value of the boot image can lead to download failures when downloading the boot image from a distribution point.
@ -993,9 +993,9 @@ For a list of all available WinPE optional components including descriptions for
After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager so that it contains the cumulative update. A new `boot.wim` boot image can be generated by using the following steps:
1. Open the Microsoft Configuration manager console.
1. Open the Microsoft Configuration Manager console.
1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**.
1. In the Microsoft Configuration Manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**.
1. In the **Boot Images** pane, select the desired boot image.
@ -1011,11 +1011,11 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new `
1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page appears. Select the **Close** button.
This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE enabled distribution points.
This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE-enabled distribution points.
> [!IMPORTANT]
>
> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. This will ensure that the PXE enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable).
> If there are multiple boot images used in the environment for PXE-enabled distribution points, make sure to update all of the PXE-enabled boot images with the same cumulative update. This will ensure that the PXE-enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable).
### Updating Configuration Manager boot media

View File

@ -1,7 +1,7 @@
---
title: Microsoft 365 Apps for enterprise
description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
ms.date: 06/23/2023
ms.date: 10/27/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@ -81,7 +81,15 @@ Windows Autopatch doesn't allow you to pause or roll back an update in the Micro
## Allow or block Microsoft 365 App updates
For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview).
> [!IMPORTANT]
> You must be an Intune Administrator to make changes to the setting.
For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices.
| Microsoft 365 App setting | Description |
| ----- | ----- |
| **Allow** | When set to **Allow**, Windows Autopatch moves all Autopatch managed devices to the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) and manages updates automatically. To manage updates manually, set the Microsoft 365 App update setting to **Block**. |
| **Block** | When set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). |
**To allow or block Microsoft 365 App updates:**
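Review bot: the new IMPORTANT callout about needing the Intune Administrator role sits above the sentence that introduces the setting, so the reader is told who may change "the setting" before learning which setting it is. Move it below the table, next to "To allow or block Microsoft 365 App updates:", where the role requirement applies. In the table rows, "Autopatch managed devices" should be hyphenated, and "your organizations have full control" was carried over from the old paragraph and should be singular.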

View File

@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 10/19/2023
ms.date: 10/27/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -23,6 +23,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
## October 2023
### October feature releases or updates
| Article | Description |
| ----- | ----- |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls) | Added more information about the Allow setting in the [Microsoft 365 Apps for enterprise update controls](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls) section |
## October service release
| Message center post number | Description |
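Review bot: the added heading "### October feature releases or updates" is one level deeper than the following "## October service release", so the two sibling sections under "## October 2023" end up at different levels. Also confirm the anchor `#microsoft-365-apps-for-enterprise-update-controls` resolves: the only heading visible in the companion change to that article is "Allow or block Microsoft 365 App updates". The same link is repeated in both table cells; one occurrence is enough.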

View File

@ -49,8 +49,6 @@ To enable memory integrity on Windows devices with supporting hardware throughou
Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
To proactively dismiss the memory integrity warning, you can set the **Hardware_HVCI_Off** (DWORD) registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` to 0. After you change the registry value, you must restart the device for the change to take effect.
### Enable memory integrity using Intune
Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog).
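Review bot: missing rationale for dropping the `Hardware_HVCI_Off` guidance. The hunk shrinks by two lines and the paragraph describing the registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` appears to be what is removed, leaving only "The user can dismiss the warning from within Windows Security". If the value is no longer supported, or the intent is to stop documenting a way to suppress the memory integrity warning fleet-wide, say so in the commit message or a short note, since admins who deployed it will otherwise find the documentation gone without explanation.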

View File

@ -190,7 +190,7 @@ sections:
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
> [!NOTE]
> The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
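Review bot: the question line in the trailing context, "Which is a better or more secure for of authentication, key or certificate?", has a typo ("for of" should be "form of") and a stray "a"; worth fixing in the same change as the rebrand. The NOTE now says "Microsoft Entra multifactor authentication" while the linked article path still lives under `/azure/active-directory/`, which is fine as a URL, but check that the link text "What is a Primary Refresh Token" still matches the target title after the rename.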

View File

@ -31,7 +31,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
![Microsoft Entra join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
![Microsoft Entra join authentication to Active Directory.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
| Phase | Description |
| :----: | :----------- |
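Review bot: On the image line, the alt text changes from "Azure AD" to "Active Directory", not to "Microsoft Entra ID", so this is a content correction rather than a rebrand. It now matches the heading above it, which is right, but the commit description should say so. The same file should also be checked for other image alt text that was copied from a different diagram. Consider adding "using cloud Kerberos trust" to the alt text so that it identifies this diagram as the heading does.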

View File

@ -42,7 +42,7 @@ Hybrid Windows Hello for Business needs two directories:
- An on-premises Active Directory
- A Microsoft Entra tenant
The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.\
The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\
During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
> [!NOTE]
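Review bot: The unchanged sentence directly after the edited line reads "During the Window Hello for Business provisioning process"; "Window" should be "Windows". Since this hunk already touches the paragraph, fix that in the same change. The rename itself on the edited line ("to Microsoft Entra ID") is consistent with "Microsoft Entra tenant" and "Microsoft Entra Connect Sync" in the surrounding lines.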

View File

@ -411,7 +411,7 @@ The following smart card-related Group Policy settings are in Computer Configura
| Group Policy setting and registry key | Default | Description |
|------------------------------------------|------------|---------------|
| Interactive logon: Require smart card<br><br>**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled** Users can sign in to the computer only by using a smart card.<br>**Disabled** Users can sign in to the computer by using any method. |
| Interactive logon: Require smart card<br><br>**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.<br><br>**Enabled** Users can sign in to the computer only by using a smart card.<br>**Disabled** Users can sign in to the computer by using any method.<br><br>NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy).<br> |
| Interactive logon: Smart card removal behavior<br><br>**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:<br>**No Action**<br>**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.<br>**Force Logoff**: The user is automatically signed out when the smart card is removed.<br>**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.<br><br>**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. |
From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
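Review bot: In the **scforceoption** row, the added exemption is written as plain "NOTE:", while the next row uses "**Note**:". Use the same styling in both rows and drop the trailing `<br>` before the closing pipe. "For more information see" needs a comma after "information". Because the note describes an account that can still sign in without a smart card when the policy is Enabled, the **Enabled** description ("Users can sign in to the computer only by using a smart card") should state the exception itself, or point to the note, so that readers do not take "only" as absolute.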

View File

@ -25,7 +25,7 @@ This article describes how to configure Web sign-in and the supported key scenar
To use web sign-in, the clients must meet the following prerequisites:
- Windows 11, version 22H2 with [5030310][KB-1], or later
- Must be Microsoft Entra joined
- Must be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join)
- Must have Internet connectivity, as the authentication is done over the Internet
[!INCLUDE [federated-sign-in](../../../../includes/licensing/web-sign-in.md)]