bring even with master (resolve conflict)

Aaron Czechowski 2022-09-15 08:56:45 -07:00
commit f775da3963
9 changed files with 197 additions and 164 deletions

Binary file not shown.


View File

@ -1,5 +1,5 @@
---
title: What is Windows 11 SE
title: Windows 11 SE Overview
description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education.
ms.prod: windows
ms.mktglfcycl: deploy
@ -8,134 +8,179 @@ ms.pagetype: mobile
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
ms.date: 09/12/2022
ms.reviewer:
manager: aaroncz
appliesto:
- ✅ <b>Windows 11 SE</b>
---
# Windows 11 SE for Education
# Windows 11 SE Overview
Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately).
Windows 11 SE is an edition of Windows that's designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
- A simplified and secure experience for students. Student privacy is prioritized.
- Admins remotely manage Windows 11 SE devices using [Microsoft Intune for Education](/intune-education/what-is-intune-for-education).
- It's built for low-cost devices.
- It has a curated app experience, and is designed to only run essential education apps.
- A simplified and secure experience for students, where student privacy is prioritized. With a curated allowlist of applications maintained by Microsoft, Windows SE is designed to only run essential education apps
- IT admin can remotely manage Windows 11 SE devices using [Microsoft Intune for Education][INT-1]
- It's built for low-cost devices
:::image type="content" source="./images/windows-11-se.png" alt-text="Screenshot of Windows 11 SE showing Start menu and taskbar with default layout" border="false":::
## Get Windows 11 SE
Windows 11 SE is only available preinstalled on devices from OEMs. The OEM installs Windows 11 SE, and makes the devices available for you to purchase. For example, you'll be able to purchase Microsoft Surface devices with Windows 11 SE already installed.
Windows 11 SE is only available preinstalled on devices from OEMs. OEMs install Windows 11 SE, and make the devices available for you to purchase. For example, you can purchase Microsoft Surface SE devices with Windows 11 SE already installed.
## Available apps
## Application types
Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
The following table lists the different application types available in Windows operating systems, detailing which application types are enabled in Windows 11 SE.
| App type | Description | Enabled | Note|
| --- | --- | :---: | ---|
|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.|
|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.|
| Application | Supported version | App Type | Vendor |
| --- | --- | --- | --- |
|AirSecure |8.0.0 |Win32 |AIR|
|Alertus Desktop |5.4.44.0 |Win32 | Alertus technologies|
|Brave Browser |1.34.80|Win32 |Brave|
|Bulb Digital Portfolio |0.0.7.0|Store|Bulb|
|Cisco Umbrella |3.0.110.0 |Win32 |Cisco|
|CKAuthenticator |3.6 |Win32 |Content Keeper|
|Class Policy |114.0.0 |Win32 |Class Policy|
|Classroom.cloud |1.40.0004 |Win32 |NetSupport|
|CoGat Secure Browser |11.0.0.19 |Win32 |Riverside Insights|
|Dragon Professional Individual |15.00.100 |Win32 |Nuance Communications|
|DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation|
|Duo from Cisco |2.25.0 |Win32 |Cisco|
|e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking|
|eTests |4.0.25 |Win32 |CASAS|
|FortiClient |7.0.1.0083 |Win32 |Fortinet|
|Free NaturalReader |16.1.2 |Win32 |Natural Soft|
|GoGuardian |1.4.4 |Win32 |GoGuardian|
|Google Chrome |102.0.5005.115|Win32 |Google|
|Illuminate Lockdown Browser |2.0.5 |Win32 |Illuminate Education|
|Immunet |7.5.0.20795 |Win32 |Immunet|
|Impero Backdrop Client |4.4.86 |Win32 |Impero Software|
|JAWS for Windows |2022.2112.24 |Win32 |Freedom Scientific|
|Kite Student Portal |8.0.3.0 |Win32 |Dynamic Learning Maps|
|Kortext |2.3.433.0 |Store |Kortext|
|Kurzweil 3000 Assistive Learning |20.13.0000 |Win32 |Kurzweil Educational Systems|
|LanSchool |9.1.0.46 |Win32 |Stoneware|
|Lightspeed Smart Agent |1.9.1 |Win32 |Lightspeed Systems|
|MetaMoJi ClassRoom |3.12.4.0 |Store |MetaMoJi Corporation|
|Microsoft Connect |10.0.22000.1 |Store |Microsoft|
|Mozilla Firefox |99.0.1 |Win32 |Mozilla|
|NAPLAN |2.5.0 |Win32 |NAP|
|Netref Student |22.2.0 |Win32 |NetRef|
|NetSupport Manager |12.01.0011 |Win32 |NetSupport|
|NetSupport Notify |5.10.1.215 |Win32 |NetSupport|
|NetSupport School |14.00.0011 |Win32 |NetSupport|
|NextUp Talker |1.0.49 |Win32 |NextUp Technologies|
|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access|
|NWEA Secure Testing Browser |5.4.356.0 |Win32 |NWEA|
|Pearson TestNav |1.10.2.0 |Store |Pearson|
|Questar Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.|
|Remote Desktop client (MSRDC) |1.2.3213.0 |Win32 |Microsoft|
|Remote Help |3.8.0.12 |Win32 |Microsoft|
|Respondus Lockdown Browser |2.0.9.00 |Win32 |Respondus|
|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
|Secure Browser |14.0.0 |Win32 |Cambium Development|
|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud|
|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
|Zoom |5.9.1 (2581)|Win32 |Zoom|
|ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific|
|ZoomText Magnifier/Reader |2022.2109.25|Win32 |Freedom Scientific|
> [!IMPORTANT]
> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
### Enabled apps
## Applications included in Windows 11 SE
| App type | Enabled |
| --- | --- |
| Apps that run in a browser | ✔️ Apps that run in a browser, like Progressive Web Apps (PWA) and Web apps, can run on Windows 11 SE without any changes or limitations. |
| Apps that require installation | ❌ Apps that require an installation, including Microsoft Store apps and Win32 apps can't be installed. If students try to install these apps, the installation fails. <br/><br/>✔️ If there are specific installation-type apps you want to enable, then work with Microsoft to get them enabled. For more information, see [Add your own apps](#add-your-own-apps) (in this article). |
The following table lists all the applications included in Windows 11 SE and the pinning to either the Start menu or to the taskbar.
### Add your own apps
| App name | App type | Pinned to Start? | Pinned to taskbar? |
|:-----------------------------|:--------:|:----------------:|:------------------:|
| Alarm & Clock | UWP | | |
| Calculator | UWP | ✅ | |
| Camera | UWP | ✅ | |
| Microsoft Edge | Win32 | ✅ | ✅ |
| Excel | Win32 | ✅ | |
| Feedback Hub | UWP | | |
| File Explorer | Win32 | | ✅ |
| FlipGrid | PWA | | |
| Get Help | UWP | | |
| Groove Music | UWP | ✅ | |
| Maps | UWP | | |
| Minecraft: Education Edition | UWP | | |
| Movies & TV | UWP | | |
| News | UWP | | |
| Notepad | Win32 | | |
| OneDrive | Win32 | | |
| OneNote | Win32 | ✅ | |
| Outlook | PWA | ✅ | |
| Paint | Win32 | ✅ | |
| Photos | UWP | | |
| PowerPoint | Win32 | ✅ | |
| Settings | UWP | ✅ | |
| Snip & Sketch | UWP | | |
| Sticky Notes | UWP | | |
| Teams | Win32 | ✅ | |
| To Do | UWP | | |
| Whiteboard | UWP | ✅ | |
| Word | Win32 | ✅ | |
If the apps you need aren't shown in the [available apps list](#available-apps) (in this article), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
## Available applications
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
| Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------|
| AirSecure | 8.0.0 | Win32 | AIR |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Brave Browser | 1.34.80 | Win32 | Brave |
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
| CKAuthenticator | 3.6 | Win32 | Content Keeper |
| Class Policy | 114.0.0 | Win32 | Class Policy |
| Classroom.cloud | 1.40.0004 | Win32 | NetSupport |
| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights |
| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications |
| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation |
| Duo from Cisco | 2.25.0 | Win32 | Cisco |
| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking |
| eTests | 4.0.25 | Win32 | CASAS |
| FortiClient | 7.0.1.0083 | Win32 | Fortinet |
| Free NaturalReader | 16.1.2 | Win32 | Natural Soft |
| Ghotit | 10.14.2.3 | Win32 | Ghotit Ltd |
| GoGuardian | 1.4.4 | Win32 | GoGuardian |
| Google Chrome | 102.0.5005.115 | Win32 | Google |
| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education |
| Immunet | 7.5.0.20795 | Win32 | Immunet |
| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software |
| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific |
| Kite Student Portal | 8.0.3.0 | Win32 | Dynamic Learning Maps |
| Kortext | 2.3.433.0 | Store | Kortext |
| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems |
| LanSchool | 9.1.0.46 | Win32 | Stoneware |
| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems |
| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation |
| Microsoft Connect | 10.0.22000.1 | Store | Microsoft |
| Mozilla Firefox | 99.0.1 | Win32 | Mozilla |
| NAPLAN | 2.5.0 | Win32 | NAP |
| Netref Student | 22.2.0 | Win32 | NetRef |
| NetSupport Manager | 12.01.0011 | Win32 | NetSupport |
| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport |
| NetSupport School | 14.00.0011 | Win32 | NetSupport |
| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies |
| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access |
| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA |
| Pearson TestNav | 1.10.2.0 | Store | Pearson |
| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc |
| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. |
| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft |
| Remote Help | 3.8.0.12 | Win32 | Microsoft |
| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus |
| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser |
| Secure Browser | 14.0.0 | Win32 | Cambium Development |
| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud |
| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access |
| Zoom | 5.9.1 (2581) | Win32 | Zoom |
| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific |
| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific |
## Add your own applications
If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
Microsoft reviews every app request to make sure each app meets the following requirements:
- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more.
- Apps must be in one of the following app categories:
- Content Filtering apps
- Test Taking solutions
- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more
- Apps must be in one of the following app categories:
- Content Filtering apps
- Test Taking solutions
- Assistive technologies
- Classroom communication apps
- Classroom communication apps
- Essential diagnostics, management, and supportability apps
- Apps must meet the performance [requirements of Windows 11](/windows/whats-new/windows-11-requirements).
- Apps must meet the performance [requirements of Windows 11][WIN-1]
- Apps must meet the following security requirements:
- All app binaries are code-signed.
- All files include the `OriginalFileName` in the resource file header.
- All kernel drivers are WHQL-signed.
- Apps don't have an equivalent web application.
- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE.
- All app binaries are code-signed
- All files include the `OriginalFileName` in the resource file header
- All kernel drivers are WHQL-signed
- Apps don't have an equivalent web application
- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE
If the app meets the requirements, Microsoft works with the Independent Software Vendor (ISV) to test the app, and make sure the app works as expected on Windows 11 SE.
When the app is ready, Microsoft will update you. Then, you add the app to the [Intune for Education portal](https://intuneeducation.portal.azure.com), and [assign](/intune-education/assign-apps) it to your Windows 11 SE devices.
When the app is ready, Microsoft will update you. Then, you add the app to the Intune for Education portal, and assign it to your Windows 11 SE devices.
For more information on Intune requirements for adding education apps, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1].
### 0x87D300D9 error with an app
When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
- Make sure the app is on the [available apps list](#available-apps) (in this article). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-apps) (in this article).
- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-apps) (in this article) and [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-apps) (in this article). Or, use an app that runs in a web browser, such as a web app or PWA.
- Make sure the app is on the [available applications list](#available-applications). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-applications)
- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-applications) and [Configure applications with Microsoft Intune][EDUWIN-1]
- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
## Related articles
- [Use Intune for Education to manage devices running Windows 11 SE](/intune-education/windows-11-se-overview)
- [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2]
[INT-1]: /intune-education/what-is-intune-for-education
[EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps
[EDUWIN-2]: /education/windows/tutorial-school-deployment/
[WIN-1]: /windows/whats-new/windows-11-requirements
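
Review bot: In the new "Application types" table, the Win32 and UWP/Store rows are marked ⛔ under "Enabled", yet the "Applications included in Windows 11 SE" table that follows lists Win32 and UWP apps (Microsoft Edge, Excel, Calculator) as part of the OS. The real rule sits in the Note column ("applications that haven't been allowed to run"), so consider renaming the column to "Enabled by default" or stating in those rows that only allowlisted Win32/UWP apps run. Two smaller points in the same hunk: the added text says "Windows SE" twice where the rest of the page says "Windows 11 SE", and the 0x87D300D9 bullets still use the link text "Add your own apps" although the target heading is now "Add your own applications".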

View File

@ -8,7 +8,7 @@ ms.pagetype: mobile
ms.collection: education
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/10/2022
ms.date: 09/12/2022
ms.reviewer:
manager: aaroncz
appliesto:
@ -25,26 +25,26 @@ This article lists the settings automatically configured. For more information o
The following table lists and describes the settings that can be changed by administrators.
| Setting | Description |
| --- | --- |
| Block manual unenrollment | Default: Blocked <br/> <br/> Users can't unenroll their devices from device management services. <br/> <br/> [Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) |
| Allow option to Show Network | Default: Allowed <br/> <br/> Gives users the option to see the **Show Network** folder in File Explorer. |
| Allow option to Show This PC | Default: Allowed <br/> <br/> Gives user the option to see the **Show This PC** folder in File Explorer. |
| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads <br/> <br/> Gives user access to these folders. |
| Set Allowed Storage Locations | Default: Blocks local drives and network drives <br/> <br/> Blocks user access to these storage locations. |
| Allow News and Interests | Default: Hide <br/> <br/> Hides widgets. |
| Disable advertising ID | Default: Disabled <br/> <br/> Blocks apps from using usage data to tailor advertisements. <br/> <br/> [Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) |
| Visible settings pages | Default: <br/> <br/> |
| Enable App Install Control | Default: Turned On <br/><br/> Users can't download apps from the internet.<br/> <br/> [SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days<br/> <br/> If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again. <br/> <br/> [Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) |
| Allow Telemetry | Default: Required Telemetry Only <br/> <br/> Sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date. <br/> <br/> [System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |
| Allow Experimentation | Default: Disabled <br/> <br/> Microsoft can't experiment with the product to study user preferences or device behavior. <br/> <br/>[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) |
| Block external extensions | Default: Blocked <br/> <br/> In Microsoft Edge, users can't install external extensions. <br/> <br/> [BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) |
| Configure new tab page | Default: `Office.com` <br/> <br/> In Microsoft Edge, the new tab page defaults to `Office.com`. <br/> <br/> [Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) |
| Configure homepage | Default: `Office.com` <br/> <br/> In Microsoft Edge, the homepage defaults to `Office.com`. <br/> <br/> [HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) |
| Prevent SmartScreen prompt override | Default: Enabled <br/> <br/> In Microsoft Edge, users can't override Windows Defender SmartScreen warnings. <br/> <br/>[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) |
| Wallpaper Image Customization | Default: <br/> <br/> Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image. <br/> <br/>[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) |
| Lock Screen Image Customization | Default: <br/> <br/> Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image. <br/> <br/>[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) |
| Setting | Description | Default Value |
| --- | --- | --- |
| Block manual unenrollment | When blocked, users can't unenroll their devices from device management services. <br/> <br/> [Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) | Blocked |
| Allow option to Show Network | When allowed, it gives users the option to see the **Show Network** folder in File Explorer. | Allowed |
| Allow option to Show This PC | When allowed, it gives users the option to see the **Show This PC** folder in File Explorer. | Allowed |
| Set Allowed Folder location | Gives user access to these folders. | Default folders: Documents, Desktop, Pictures, and Downloads |
| Set Allowed Storage Locations | Blocks user access to these storage locations. | Blocks local drives and network drives |
| Allow News and Interests | Hides widgets. | Hide |
| Disable advertising ID | Blocks apps from using usage data to tailor advertisements. <br/> <br/> [Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Disabled |
| Visible settings pages | Default: <br/> <br/> ||
| Enable App Install Control | When enabled, users can't download apps from the internet.<br/> <br/> [SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)| Enabled |
| Configure Storage Sense Cloud Content Dehydration Threshold | If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again. <br/> <br/> [Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) | 30 days |
| Allow Telemetry | With *Required Telemetry Only*, it sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date. <br/> <br/> [System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Required Telemetry Only |
| Allow Experimentation | When disabled, Microsoft can't experiment with the product to study user preferences or device behavior. <br/> <br/>[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) | Disabled |
| Block external extensions | When blocked, in Microsoft Edge users can't install external extensions. <br/> <br/> [BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) | Blocked |
| Configure new tab page | Set the new tab page defaults to a specific url. <br/> <br/> [Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) | `Office.com` |
| Configure homepage | Set the Microsoft Edge's homepage default. <br/> <br/> [HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) | `Office.com` |
| Prevent SmartScreen prompt override | When enabled, in Microsoft Edge, users can't override Windows Defender SmartScreen warnings. <br/> <br/>[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) | Enabled |
| Wallpaper Image Customization | Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image. <br/> <br/>[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured |
| Lock Screen Image Customization | Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image. <br/> <br/>[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured |
## Settings that can't be changed
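
Review bot: The "Visible settings pages" row was not converted to the three-column layout: it still reads `| Visible settings pages | Default: <br/> <br/> ||`, which leaves "Default:" in the Description cell and gives neither a description nor a default value. Fill in both cells or drop the row. In the "Set Allowed Storage Locations" and "Allow News and Interests" rows, the Description now states the effect of the default ("Blocks user access to these storage locations.", "Hides widgets.") rather than what the setting controls, unlike the "When blocked, ..." wording used in the other rows.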

View File

@ -52,8 +52,11 @@ Available naming macros:
|Macro|Description|Example|Generated Name|
|:---|:---|:---|:---|
|%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456|
|%SERIAL%|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|Test-Device-%SERIAL%|Test-Device-456|
|`%RAND:#%`|Generates the specified number (`#`) of random digits.|`Test%RAND:6%`|`Test123456`|
|`%SERIAL%`|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|`Test-Device-%SERIAL%`|`Test-Device-456`|
> [!NOTE]
> If you use these naming macros, a unique name isn't guaranteed. The generated name may still be duplicated. To reduce the likelihood of a duplicated device name, use `%RAND:#%` with a large number. With the understanding that the maximum device name is 15 characters.
Supported operation is Add.
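
Review bot: The last sentence of the added note, "With the understanding that the maximum device name is 15 characters.", is a fragment, and it is the constraint that limits the advice just before it. Fold it into the previous sentence, for example "use `%RAND:#%` with as many digits as the 15-character device name limit allows", so readers see that the prefix plus the random digits must fit in 15 characters.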

View File

@ -322,10 +322,8 @@ Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
- Bit 3 - Set to 1 when Application Guard is installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured.
> [!IMPORTANT]
> If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
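
Review bot: Going by the hunk header (10 lines before, 8 after), the [!IMPORTANT] note under Bit 4 is removed here. That note is the only text in this hunk telling admins who deploy through Intune that Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge, which is the condition Bit 4 reports. Confirm the guidance is kept elsewhere in the article, or leave it next to Bit 4.
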
@ -381,4 +379,4 @@ ADMX Info:
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -1,18 +1,15 @@
---
title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.prod: windows-client
ms.technology: itpro-security
ms.topic: overview
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 08/25/2022
ms.reviewer:
manager: dansimp
ms.custom: asr
ms.technology: windows-sec
ms.reviewer: sazankha
manager: aaroncz
---
# System requirements for Microsoft Defender Application Guard
@ -48,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
| Operating system | Windows 10 Enterprise edition, version 1809 or higher <br/> Windows 10 Professional edition, version 1809 or higher <br/> Windows 10 Professional for Workstations edition, version 1809 or higher <br/> Windows 10 Professional Education edition, version 1809 or higher <br/> Windows 10 Education edition, version 1809 or higher <br/> Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions. <br/> Windows 11 Education, Enterprise, and Professional |
| Operating system | Windows 10 Enterprise edition, version 1809 or later <br/> Windows 10 Professional edition, version 1809 or later <br/> Windows 10 Professional for Workstations edition, version 1809 or later <br/> Windows 10 Professional Education edition, version 1809 or later <br/> Windows 10 Education edition, version 1809 or later <br/> Windows 11 Education, Enterprise, and Professional editions |
| Browser | Microsoft Edge |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
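
Review bot: The rewritten Operating system row drops the sentence "Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions." If that restriction still applies it should stay, because without it the Management system row below reads as covering Professional editions too; if it no longer applies, say so in the commit message. While this table is open, "non-Mirosoft" in the Management system row should be "non-Microsoft".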

View File

@ -31,7 +31,7 @@ ms.technology: windows-sec
## Using fsutil to query SmartLocker EA
Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the Extended Attributes (EAs) on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
**Example:**
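
Review bot: Style point on the rewritten paragraph: fsutil and KERNEL.SMARTLOCKER.ORIGINCLAIM are literal strings a reader will type or search for in output, so both should be in code formatting. The expansion of ISG and EAs on first use is good; MI is already expanded the same way, so the three now match.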

View File

@ -1,21 +1,16 @@
---
title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows)
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.author: vinpa
manager: aaroncz
ms.date: 06/27/2022
ms.technology: windows-sec
ms.topic: how-to
---
# Deploy WDAC policies using Mobile Device Management (MDM)
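
Review bot: `ms.date` stays at 06/27/2022 in this front matter even though the hunk replaces `ms.prod`, `ms.technology`, `ms.author` and `manager`, and the article body is edited further down. If the date is meant to track the last substantive edit, bump it here. Also confirm that `ms.reviewer: isbrahm` is still correct now that `ms.author` and `manager` have changed.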
@ -61,13 +56,13 @@ The steps to use Intune's custom OMA-URI functionality are:
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>`
2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy
- **Data type**: Base64
- **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
- **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
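
Review bot: Wrapping the OMA-URI in backticks turns the emphasis markers around `_Policy GUID_` into literal underscores, so the placeholder can be copied verbatim, underscores and space included, into the Intune field. Use a placeholder style that survives a code span, such as `<PolicyGUID>`, and state that it is the `<PolicyID>` value from step 1. The data type is now "Base64 (file)" while the next bullet is still labelled "Certificate file"; if that label mirrors the Intune UI, a short remark saying so would avoid confusion.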
@ -86,13 +81,13 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a
The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
- **Data type**: Base64
- **OMA-URI**: `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy`
- **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file
> [!NOTE]
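
Review bot: The **Certificate file** bullet in this list stops at "upload your binary format policy file", while the matching bullet in the ApplicationControl CSP steps also tells the reader that Intune converts the uploaded .bin file to Base64. With the data type shown as "Base64 (file)" in both lists, repeat that sentence here, or the reader may assume a pre-encoded file is required. Inside the new code span the underscores around `_Grouping_` render literally rather than as emphasis, and nothing in the visible steps says what value to use for it.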

View File

@ -1,21 +1,16 @@
---
title: Microsoft recommended block rules (Windows)
title: Microsoft recommended block rules
description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.technology: windows-sec
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 08/11/2022
ms.author: vinpa
manager: aaroncz
ms.date: 09/29/2021
ms.topic: reference
---
# Microsoft recommended block rules
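
Review bot: `ms.date` appears twice in this hunk, 08/11/2022 and then 09/29/2021. If the second line is the added one, as the old-then-new order of the `title`, `ms.author` and `manager` pairs suggests, the date moves back by almost a year on a commit that edits the article, which looks like the wrong side of the conflict being kept. Keep 08/11/2022 or set the date of this change.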
@ -75,7 +70,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- wslconfig.exe
- wslhost.exe
<sup>1</sup> A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
<sup>1</sup> A vulnerability in bginfo.exe was fixed in version 4.22. If you use BGInfo, for security, make sure to download and run the latest version of [BGInfo](/sysinternals/downloads/bginfo). BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
<sup>2</sup> If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that isn't being used in a development context, we recommend that you block msbuild.exe.
@ -105,11 +100,11 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that applications previous, less secure versions.
Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes.
Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes.
For October 2017, we're announcing an update to system.management.automation.dll in which we're revoking older versions by hash values, instead of version rules.
As of October 2017, system.management.automation.dll is updated to revoke earlier versions by hash values, instead of version rules.
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files:
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. As of March 2019, each version of Windows requires blocking a specific version of the following files:
- msxml3.dll
- msxml6.dll
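
Review bot: Replacing "The June 2017 Windows updates resolve" with "For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass" removes the only statement of which update carries the fix and mixes present and past tense, and "These modules" in the next sentence no longer has a clear referent. If date-neutral wording is the goal, still say which updates are meant. Two smaller points: "system.management.automation.dll is updated to revoke earlier versions" reads as if the DLL does the revoking, when the sentence is about earlier versions being denied by hash instead of by version rule; and the unchanged first paragraph has "that applications previous" where "that application's previous" is meant.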