diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e972f71cd6..ad456cabb0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1197,7 +1197,7 @@ }, { "source_path": "windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md", - "redirect_url": "hhttps://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings", "redirect_document_id": false }, { @@ -6827,7 +6827,7 @@ }, { "source_path": "windows/manage/waas-wufb-intune.md", - "redirect_url": "/windows/deployment/update/waas-wufb-intune.md", + "redirect_url": "/windows/deployment/update/waas-wufb-intune", "redirect_document_id": false }, { @@ -7277,7 +7277,7 @@ }, { "source_path": "windows/manage/application-development-for-windows-as-a-service.md", - "redirect_url": "https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service", + "redirect_url": "windows/uwp/updates-and-versions/application-development-for-windows-as-a-service", "redirect_document_id": false }, { @@ -7457,7 +7457,7 @@ }, { "source_path": "windows/plan/chromebook-migration-guide.md", - "redirect_url": "edu/windows/chromebook-migration-guide", + "redirect_url": "education/windows/chromebook-migration-guide", "redirect_document_id": false }, { @@ -14412,12 +14412,12 @@ }, { "source_path": "windows/manage/sign-up-windows-store-for-business.md", - "redirect_url": "/microsoft-store/index.md", + "redirect_url": "/microsoft-store/index", "redirect_document_id": false }, { "source_path": "store-for-business/sign-up-windows-store-for-business.md", - "redirect_url": "/microsoft-store/index.md", + "redirect_url": "/microsoft-store/index", "redirect_document_id": false }, { @@ -19442,8 +19442,8 @@ }, { "source_path": "windows/security/threat-protection/intelligence/rootkits-malware.md", - "redirect_url": "/microsoft-365/security/intelligence/rootkits-malware.md", - "redirect_document_id": false + "redirect_url": "/microsoft-365/security/intelligence/rootkits-malware", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/intelligence/safety-scanner-download.md", diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 932ac039fd..c7f637d5a7 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -74,7 +74,7 @@ Secure Launch configuration: - 1 - Enables Secure Launch if supported by hardware - 2 - Disables Secure Launch. -For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows). +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows). @@ -256,4 +256,4 @@ The following list shows the supported values: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md index 51c49eef4b..bdcc134152 100644 --- a/windows/deployment/Windows-AutoPilot-EULA-note.md +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md @@ -9,6 +9,7 @@ ms.author: frankroj manager: aaroncz ROBOTS: NOINDEX ms.topic: article +ms.technology: itpro-deploy --- # Windows Autopilot EULA dismissal – important information diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index a135edc453..ac883e80a0 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md @@ -10,6 +10,7 @@ manager: aaroncz ms.topic: article ms.custom: seo-marvel-apr2020 ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # Add Microsoft Store for Business applications to a Windows 10 image diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index f046e65d8d..0ee1248e7e 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -9,6 +9,7 @@ ms.author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # Configure a PXE server to load Windows PE diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index b235598be3..f7574e0d11 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -11,6 +11,7 @@ ms.topic: article ms.collection: M365-modern-desktop ms.custom: seo-marvel-apr2020 ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # Deploy Windows 10 with Microsoft 365 diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index cec1220c0b..170984a53f 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -10,6 +10,7 @@ ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # What's new in Windows client deployment diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 14a27656dd..efcf8b1227 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -143,8 +143,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320258_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320258_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320263_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320263_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index 81b14bb1e6..51982b85d2 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -10,6 +10,7 @@ ms.localizationpriority: medium ms.topic: article ms.custom: seo-marvel-apr2020 ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # Deploy Windows 10 diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 5496b1e170..5bae3977a7 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -10,6 +10,7 @@ ms.localizationpriority: high ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri +ms.technology: itpro-deploy --- # MBR2GPT.EXE diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 07aa45fa9c..eaba8cdb52 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -9,6 +9,7 @@ ms.author: frankroj ms.topic: article ms.custom: seo-marvel-apr2020 ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # Windows 10 in S mode - What is it? diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md index c359ee35b7..4a9b61242e 100644 --- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md +++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md @@ -11,6 +11,7 @@ ms.localizationpriority: medium 1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in. 1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu. + - If you don't see an entry for **Software updates** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates). 1. In the **Software Updates** page, select the **Windows** tab. 1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. This tab is populated by data from [Windows Update for Business reports](../wufb-reports-overview.md). Verify or supply the following information about the settings for Windows Update for Business reports: @@ -18,6 +19,5 @@ ms.localizationpriority: medium - The Log Analytics workspace 1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Windows Update for Business reports data**. 1. After the initial setup is complete, the **Windows** tab will display your Windows Update for Business reports data in the charts. - -> [!Tip] -> If you don't see an entry for **Software updates** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates). + > [!Note] + > The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different. diff --git a/windows/deployment/update/media/33771278-update-deployment-status-table.png b/windows/deployment/update/media/33771278-update-deployment-status-table.png index dd070d8e21..858e340f73 100644 Binary files a/windows/deployment/update/media/33771278-update-deployment-status-table.png and b/windows/deployment/update/media/33771278-update-deployment-status-table.png differ diff --git a/windows/deployment/update/media/33771278-wufb-reports-workbook-summary.png b/windows/deployment/update/media/33771278-wufb-reports-workbook-summary.png index bf5f0272ac..87e3fd1ea4 100644 Binary files a/windows/deployment/update/media/33771278-wufb-reports-workbook-summary.png and b/windows/deployment/update/media/33771278-wufb-reports-workbook-summary.png differ diff --git a/windows/deployment/update/media/37063317-admin-center-software-updates.png b/windows/deployment/update/media/37063317-admin-center-software-updates.png index 978ef1b476..f31988b83d 100644 Binary files a/windows/deployment/update/media/37063317-admin-center-software-updates.png and b/windows/deployment/update/media/37063317-admin-center-software-updates.png differ diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index c8d0f452a3..333be3151a 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md @@ -3,12 +3,13 @@ title: Windows Update security ms.reviewer: manager: aaroncz description: Overview of the security for Windows Update. -ms.prod: w10 +ms.prod: windows-client author: mestew ms.author: mstewart ms.collection: M365-analytics ms.topic: article ms.date: 10/25/2022 +ms.technology: itpro-updates --- # Windows Update security diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md index 3b1232d350..6f1acf7aea 100644 --- a/windows/deployment/update/wufb-reports-enable.md +++ b/windows/deployment/update/wufb-reports-enable.md @@ -54,7 +54,7 @@ Windows Update for Business reports uses an [Azure Log Analytics workspaces](/az ## Enroll into Windows Update for Business reports -Enroll into Windows Update for Business reports by configuring its settings through either the Azure Workbook or from the Microsoft 365 admin center. Completing the Windows Update for Business reports configuration removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by Update Compliance, the predecessor of Windows Update for Business reports. This step is needed even if you enabled previews of Update Compliance. +Enroll into Windows Update for Business reports by configuring its settings through either the Azure Workbook or from the Microsoft 365 admin center. Completing the Windows Update for Business reports configuration removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by Update Compliance, the predecessor of Windows Update for Business reports. Use one of the following methods to enroll into Windows Update for Business reports: @@ -68,6 +68,8 @@ Use one of the following methods to enroll into Windows Update for Business repo 1. In the flyout, specify which **Subscription** and **Azure Log Analytics Workspace** you want to use for Windows Update for Business reports. - If you need to create a new Log Analytics workspace, select **Create new workspace** and follow the prompts to [create a new workspace](#bkmk_workspace). 1. Select **Save settings** to save the settings and enroll into Windows Update for Business reports. + > [!Tip] + > If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports. 1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**. ##### Enroll through the Microsoft 365 admin center diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index b8e4316eae..960d5ade58 100644 --- a/windows/deployment/update/wufb-reports-overview.md +++ b/windows/deployment/update/wufb-reports-overview.md @@ -42,6 +42,8 @@ Currently, Windows Update for Business reports contains the following features: - UCDeviceAlert - UCServiceUpdateStatus - UCUpdateAlert + - UCDOStatus + - UCDOAggregatedStatus - Client data collection to populate the Windows Update for Business reports tables :::image type="content" source="media/wufb-reports-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Windows Update for Business reports data in Log Analytics." lightbox="media/wufb-reports-query-table.png"::: diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index c4d6a505ac..dfab934f9d 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -9,6 +9,7 @@ manager: aaroncz ms.topic: article ms.custom: seo-marvel-apr2020 ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # Windows Deployment Services (WDS) boot.wim support diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index e952e8d4f6..3d06ff84bb 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -8,6 +8,7 @@ ms.prod: windows-client ms.localizationpriority: medium ms.topic: article ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # Windows 10 deployment scenarios diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md index c3bbdbab02..fec86dadb3 100644 --- a/windows/deployment/windows-10-deployment-tools-reference.md +++ b/windows/deployment/windows-10-deployment-tools-reference.md @@ -8,6 +8,7 @@ author: frankroj ms.prod: windows-client ms.date: 10/31/2022 ms.topic: article +ms.technology: itpro-deploy --- # Windows 10 deployment tools reference diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md index d97484dca0..e20b0e50ff 100644 --- a/windows/deployment/windows-10-deployment-tools.md +++ b/windows/deployment/windows-10-deployment-tools.md @@ -8,6 +8,7 @@ author: frankroj ms.prod: windows-client ms.date: 10/31/2022 ms.topic: article +ms.technology: itpro-deploy --- # Windows 10 deployment tools diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 7c6eb866b0..67864fbe6c 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -10,6 +10,7 @@ manager: aaroncz ms.collection: - M365-modern-desktop ms.topic: article +ms.technology: itpro-deploy --- # Windows 10/11 Enterprise E3 in CSP diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 77ae42a8c7..6668d42e52 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -9,6 +9,7 @@ manager: aaroncz ms.author: frankroj author: frankroj ms.topic: article +ms.technology: itpro-deploy --- # Windows 10 volume license media diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index c15037dcff..3c0da5a490 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md @@ -8,6 +8,7 @@ ms.author: frankroj manager: aaroncz ms.topic: article ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # How to install fonts that are missing after upgrading to Windows client @@ -43,7 +44,9 @@ For example, here are the steps to install the fonts associated with the Hebrew 1. Select **Start > Settings**. -2. In **Settings**, select **Time & language**, and then select **Region & language**. +2. For Windows 10, in **Settings**, select **Time & language**, and then select **Region & language**. + + For Windows 11, in **Settings**, select **Time & language**, and then select **Language & Region**. 3. If Hebrew isn't included in the list of languages, select the plus sign (**+**) to add a language. diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 9c638be5d1..89f8d25fe4 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -9,6 +9,7 @@ manager: aaroncz ms.author: frankroj author: frankroj ms.topic: how-to +ms.technology: itpro-deploy --- # Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index 205d0bf92a..e5ceaf1248 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -10,6 +10,7 @@ ms.collection: - M365-modern-desktop ms.topic: article ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # Switch to Windows 10 Pro or Enterprise from S mode diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index 9671840a81..f2fce638d0 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -8,6 +8,7 @@ ms.prod: windows-client ms.localizationpriority: medium ms.date: 10/31/2022 ms.topic: article +ms.technology: itpro-deploy --- # Windows ADK for Windows 10 scenarios for IT Pros diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 466e4b0aa9..d939130747 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -7,6 +7,7 @@ author: frankroj ms.prod: windows-client ms.topic: article ms.date: 10/31/2022 +ms.technology: itpro-deploy --- # Windows 10 deployment scenarios and tools diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 7e8837ad3c..dc624bbd9f 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -235,7 +235,7 @@ additionalContent: - text: Intune is a family of products url: /mem/endpoint-manager-overview - text: What is Microsoft Intune? - url: /mem/what-is-intune + url: /mem/intune/fundamentals/what-is-intune - text: Microsoft Endpoint Manager simplifies upgrades to Windows 11 url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886 - text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index b7f90e30ad..816f36c806 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -56,7 +56,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers). - - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)). + - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://www.microsoft.com/security/blog/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption). - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 67142745ef..6b7bda08f8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -1,6 +1,6 @@ --- title: Use AppLocker and Software Restriction Policies in the same domain (Windows) -description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. +description: This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 ms.reviewer: ms.author: vinpa @@ -14,7 +14,7 @@ manager: aaroncz audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 11/07/2022 ms.technology: itpro-security --- @@ -23,19 +23,16 @@ ms.technology: itpro-security **Applies to** - Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. -This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. +> [!IMPORTANT] +> Software Restriction Policies were deprecated beginning with Windows 10 build 1803 and above, and also applies to Windows Server 2019 and above. You should use Windows Defender Application Control (WDAC) or AppLocker to control what software runs. ## Using AppLocker and Software Restriction Policies in the same domain -AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running -Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, -Windows 7 and later, the SRP policies are ignored. +AppLocker is supported on systems running Windows 8.1. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker. @@ -45,7 +42,7 @@ The following table compares the features and functions of Software Restriction |Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.

AppLocker permits customization of error messages to direct users to a Web page for help.| |Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.| |Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.| -|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there's a matching allow rule.| +|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

SRP can also be configured in the “allowlist mode” so that by default all files are blocked. In "allowlist mode", administrators need to create allow rules for files that they want to run.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there's a matching allow rule.| |File types that can be controlled|SRP can control the following file types:
  • Executables
  • Dlls
  • Scripts
  • Windows Installers

    SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
  • Executables
  • Dlls
  • Scripts
  • Windows Installers
  • Packaged apps and installers

    AppLocker maintains a separate rule collection for each of the five file types.| |Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:
  • Executables (.exe, .com)
  • Dlls (.ocx, .dll)
  • Scripts (.vbs, .js, .ps1, .cmd, .bat)
  • Windows Installers (.msi, .mst, .msp)
  • Packaged app installers (.appx)| |Rule types|SRP supports four types of rules:
  • Hash
  • Path
  • Signature
  • Internet zone|AppLocker supports three types of rules:
  • File hash
  • Path
  • Publisher| diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index cea19f889b..0fdfc798f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -12,10 +12,10 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 11/20/2019 +ms.date: 11/07/2022 ms.technology: itpro-security --- @@ -60,7 +60,7 @@ Based on the above, Alice defines the pseudo-rules for the policy: - WHQL (third-party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function. +2. **"ConfigMgr works”** rules that include signer and hash rules for Configuration Manager components to properly function. 3. **Allow Managed Installer** (Configuration Manager and *LamnaITInstaller.exe* configured as a managed installer) The critical differences between this set of pseudo-rules and those pseudo-rules defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: @@ -85,13 +85,13 @@ Alice follows these steps to complete this task: $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName= "Lamna_FullyManagedClients_Audit" $LamnaPolicy=$PolicyPath+$PolicyName+".xml" - $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" + $ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` 3. Copy the policy created by Configuration Manager to the desktop: ```powershell - cp $MEMCMPolicy $LamnaPolicy + cp $ConfigMgrPolicy $LamnaPolicy ``` 4. Give the new policy a unique ID, descriptive name, and initial version number: @@ -119,10 +119,9 @@ Alice follows these steps to complete this task: 7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format: ```powershell - [xml]$LamnaPolicyXML = Get-Content $LamnaPolicy - $PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId - $LamnaPolicyBin = $PolicyPath+$PolicyId+".cip" - ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin + [xml]$PolicyXML = Get-Content $LamnaPolicy + $LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip" + ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin ``` 8. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index e8c10ae63e..7878df99b7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -12,10 +12,10 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 08/10/2022 +ms.date: 11/07/2022 ms.technology: itpro-security --- @@ -35,7 +35,7 @@ This section outlines the process to create a Windows Defender Application Contr > [!NOTE] > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As in the [previous article](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As in [Windows Defender Application Control deployment in different scenarios: types of devices](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. **Alice Pena** is the IT team lead tasked with the rollout of WDAC. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads. @@ -58,7 +58,7 @@ Based on the above, Alice defines the pseudo-rules for the policy: - WHQL (third-party kernel drivers) - Windows Store signed apps -1. **"MEMCM works”** rules that include: +1. **"ConfigMgr works”** rules that include: - Signer and hash rules for Configuration Manager components to properly function. - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer. @@ -122,8 +122,8 @@ Alice follows these steps to complete this task: > If you do not use Configuration Manager, skip this step. ```powershell - $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" - Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy + $ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" + Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$ConfigMgrPolicy Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer ``` @@ -149,9 +149,9 @@ Alice follows these steps to complete this task: 1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format: ```powershell - [xml]$policyXML = Get-Content $LamnaPolicy - $WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip" - ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin + [xml]$PolicyXML = Get-Content $LamnaPolicy + $LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip" + ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin ``` 1. Upload your base policy XML and the associated binary to a source control solution, such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 8ae20cf798..2c666bad22 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -15,7 +15,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 08/05/2022 +ms.date: 11/02/2022 ms.technology: itpro-security --- @@ -35,12 +35,20 @@ When you create policies for use with Windows Defender Application Control (WDAC ## Example Base Policies | **Example Base Policy** | **Description** | **Where it can be found** | -|----------------------------|---------------------------------------------------------------|--------| -| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | -| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | -| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | -| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | -| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | +|-------------------------|---------------------------------------------------------------|--------| +| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml | +| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml | +| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml | +| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml | +| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml | | **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) | | **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | -| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | +| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\SignedReputable.xml | +| **Example supplemental policy** | This example policy shows how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Supplemental.xml | +| **Microsoft Recommended Block List** | This policy includes a list of Windows and Microsoft-signed code that Microsoft recommends blocking when using WDAC, if possible. | [Microsoft recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Recommended_UserMode_Blocklist.xml | +| **Microsoft recommended driver blocklist** | This policy includes rules to block known vulnerable or malicious kernel drivers. | [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
    %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\RecommendedDriverBlock_Enforced.xml
    %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Recommended_Driver_Blocklist.xml | +| **Windows S mode** | This policy includes the rules used to enforce [Windows S mode](https://support.microsoft.com/en-us/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\WinSiPolicy.xml.xml | +| **Windows 11 SE** | This policy includes the rules used to enforce [Windows 11 SE](/education/windows/windows-11-se-overview), a version of Windows built for use in schools. | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\WinSEPolicy.xml.xml | + +> [!NOTE] +> Not all policies shown available at %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies can be found on all versions of Windows. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index f7a1d7f0a0..4da8421cfe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -9,7 +9,7 @@ author: jgeurten ms.reviewer: aaroncz ms.author: jogeurte manager: aaroncz -ms.date: 06/27/2022 +ms.date: 11/02/2022 ms.custom: asr ms.topic: overview --- @@ -27,17 +27,17 @@ ms.topic: overview | Capability | Windows Defender Application Control | AppLocker | |-------------|------|-------------| -| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later | -| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
    For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
    Policies deployed through MDM are effective on all SKUs. | -| Management solutions | |