From 24120f589e9709b5fbd16ff37fc4d148f7297512 Mon Sep 17 00:00:00 2001 From: v-tappelgate <91994953+v-tappelgate@users.noreply.github.com> Date: Wed, 25 May 2022 12:00:33 -0700 Subject: [PATCH 001/288] v-tappelgate-CI-163997 Metadata fix for [CI 163997](https://dev.azure.com/contentidea/ContentIdea/_workitems/edit/163997) --- .../bitlocker/ts-bitlocker-network-unlock-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index df10782087..d10158fc36 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md @@ -4,7 +4,7 @@ description: Describes several known issues that you may encounter while using n ms.technology: windows-sec ms.prod: m365-security ms.localizationpriority: medium -author: Teresa-Motiv +author: v-tappelgate ms.author: v-tappelgate manager: kaushika ms.reviewer: kaushika From c51041b06b7d7f0baee15f3c046519363747e5e7 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Wed, 25 May 2022 14:29:25 -0700 Subject: [PATCH 002/288] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 0771489578..b26beb9800 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -40,7 +40,7 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote wipe of the device should be performed. The return status code indicates whether the device accepted the Exec command. +Specifies that a remote wipe of the device should be performed. A remote wipe is the equivalent of running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. @@ -56,9 +56,9 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. +The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. From 6b921fcebdd66d577717d10392f442e5de9abc69 Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Tue, 31 May 2022 09:14:40 -0700 Subject: [PATCH 003/288] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index b26beb9800..9e7ad1053b 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -40,14 +40,14 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote wipe of the device should be performed. A remote wipe is the equivalent of running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. +Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the reset will not automatically be retried. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed. +Specifies that provisioning data should be backed up to a persistent location, and then a remote doWipe reset of the device should be started. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. @@ -56,14 +56,14 @@ Supported operation is Exec. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. **doWipeProtected** -Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. +Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a doWipe remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. From 65fd817caa8451859fb44fdf8a6e728a6666d5bb Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Tue, 31 May 2022 09:18:02 -0700 Subject: [PATCH 004/288] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 9e7ad1053b..b76855bf76 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -24,7 +24,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen. +The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server. ``` From f3e1565cbce5521c3a7503b67d911878389ce7b8 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 6 Jun 2022 15:11:11 +0530 Subject: [PATCH 005/288] Improper acronyms review updates-03 --- ...ct-data-using-enterprise-site-discovery.md | 6 +- ...ct-data-using-enterprise-site-discovery.md | 6 +- education/windows/change-history-edu.md | 2 +- .../mdm/applicationcontrol-csp.md | 2 +- windows/client-management/mdm/dmclient-csp.md | 2 +- .../mdm/dmclient-ddf-file.md | 6 +- .../mdm/enterprisedesktopappmanagement-csp.md | 2 +- .../mdm/mdm-enrollment-of-windows-devices.md | 4 +- .../mdm/policy-csp-admx-tpm.md | 2 +- ...update-compliance-delivery-optimization.md | 2 +- ...-compliance-schema-waasdeploymentstatus.md | 2 +- ...ate-compliance-schema-waasinsiderstatus.md | 2 +- ...date-compliance-schema-waasupdatestatus.md | 2 +- .../update-compliance-schema-wudostatus.md | 2 +- ...ndows-diagnostic-events-and-fields-1703.md | 8 +- ...ndows-diagnostic-events-and-fields-1709.md | 8 +- ...ndows-diagnostic-events-and-fields-1803.md | 8 +- ...ndows-diagnostic-events-and-fields-1809.md | 26 ++-- ...ndows-diagnostic-events-and-fields-1903.md | 30 ++-- ...windows-11-diagnostic-events-and-fields.md | 138 +++++++++--------- ...-diagnostic-data-events-and-fields-2004.md | 30 ++-- .../hello-hybrid-aadj-sso.md | 4 +- .../bitlocker-management-for-enterprises.md | 2 +- ...e-wdac-policy-for-fully-managed-devices.md | 2 +- ...wdac-policy-for-lightly-managed-devices.md | 2 +- .../best-practices-configuring.md | 3 +- 26 files changed, 152 insertions(+), 151 deletions(-) diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index 10d59733dd..9e5e461261 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -352,14 +352,14 @@ You can collect your hardware inventory using the using the Systems Management S Your environment is now ready to collect your hardware inventory and review the sample reports. ## View the sample reports with your collected data -The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. +The sample reports, **Configuration Manager Report Sample – ActiveX.rdl** and **Configuration Manager Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. -### SCCM Report Sample – ActiveX.rdl +### Configuration Manager Report Sample – ActiveX.rdl Gives you a list of all of the ActiveX-related sites visited by the client computer. ![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png) -### SCCM Report Sample – Site Discovery.rdl +### Configuration Manager Report Sample – Site Discovery.rdl Gives you a list of all of the sites visited by the client computer. ![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png) diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 8cef068687..63709888c6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -356,14 +356,14 @@ You can collect your hardware inventory using the using the Systems Management S Your environment is now ready to collect your hardware inventory and review the sample reports. ## View the sample reports with your collected data -The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. +The sample reports, **Configuration Manager Report Sample – ActiveX.rdl** and **Configuration Manager Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. -### SCCM Report Sample – ActiveX.rdl +### Configuration Manager Report Sample – ActiveX.rdl Gives you a list of all of the ActiveX-related sites visited by the client computer. ![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png) -### SCCM Report Sample – Site Discovery.rdl +### Configuration Manager Report Sample – Site Discovery.rdl Gives you a list of all of the sites visited by the client computer. ![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 9a828c6755..68e0429bb0 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -135,7 +135,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | New or changed topic | Description| | --- | --- | | [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. | -|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use SCCM, Intune, and Group Policy to manage devices. | +|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use Configuration Manager, Intune, and Group Policy to manage devices. | ## June 2016 diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 02eb0f514c..a34f03cbd5 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -302,7 +302,7 @@ An example of Delete command is: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). +The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). ### Setup for using the WMI Bridge diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 3a3752cebe..47a19b5424 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -473,7 +473,7 @@ Default is 1, meaning the MDM enrollment is the “winning” authority for conf Support operations are Get and Set. **Provider/*ProviderID*/LinkedEnrollment/Enroll** -This is an execution node and will trigger a silent MMP-C enrollment, using the AAD device token pulled from the AADJ’ed device. There is no user interaction needed. +This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed. Support operation is Exec. diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 9121cdc2b4..7c517ea512 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -1661,7 +1661,7 @@ The XML below is for Windows 10, version 1803. 0 - Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available. + Device Only. This node determines whether or not the MDM progress page is blocking in the Azure Active Directory-joined or DJ++ case, as well as which remediation options are available. @@ -1740,7 +1740,7 @@ The XML below is for Windows 10, version 1803. true - Device only. This node decides wheter or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE. + Device only. This node decides whether or not the MDM device progress page skips after Azure Active Directory-joined or Hybrid Azure AD-joined in OOBE. @@ -1766,7 +1766,7 @@ The XML below is for Windows 10, version 1803. false - Device only. This node decides wheter or not the MDM user progress page skips after AADJ or DJ++ after user login. + Device only. This node decides wheter or not the MDM user progress page skips after Azure Active Directory-joined or DJ++ after user login. diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 8fe5f44ab9..4b5ab02de2 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -376,7 +376,7 @@ For Intune standalone environment, the MSI package will determine the MSI execut |User|Install the MSI per-user
LocURI contains a User prefix, such as ./User|Install the MSI per-device
LocURI contains a Device prefix, such as ./Device|Install the MSI per-user
LocURI contains a User prefix, such as ./User| |System|Install the MSI per-user
LocURI contains a User prefix, such as ./User|Install the MSI per-device
LocURI contains a Device prefix, such as ./Device|Install the MSI per-user
LocURI contains a User prefix, such as ./User| -The following table applies to SCCM hybrid environment. +The following table applies to Configuration Manager hybrid environment: |Target|Per-user MSI|Per-machine MSI|Dual mode MSI| |--- |--- |--- |--- | diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 632623eed5..e5f2f80774 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -274,7 +274,7 @@ The deep link used for connecting your device to work will always use the follow | Parameter | Description | Supported Value for Windows 10| |-----------|--------------------------------------------------------------|----------------------------------------------| -| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory Joined (AADJ). | +| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | |username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | | servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | @@ -283,7 +283,7 @@ The deep link used for connecting your device to work will always use the follow | ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | > [!NOTE] -> AWA and AADJ values for mode are only supported on Windows 10, version 1709 and later. +> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. ### Connect to MDM using a deep link diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index bee67da425..35fe568d58 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -327,7 +327,7 @@ ADMX Info: -This Policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and won't interfere with their workflows. +This Policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or Configuration Manager), and won't interfere with their workflows. diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index bc2ce23a6f..2cdda7c206 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -49,4 +49,4 @@ The table breaks down the number of bytes from each download source into specifi The download sources that could be included are: - LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used) -- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. +- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an Configuration Manager Distribution Point for Express Updates. diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md index 116ada644d..3daf7dc079 100644 --- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md @@ -20,7 +20,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on |Field |Type |Example |Description | |-|-|-----|------------------------| |**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enroll devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). | -|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | +|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | |**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). | |**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. | |**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. | diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md index 92aa00c0d8..2bfbab07ac 100644 --- a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md @@ -21,7 +21,7 @@ WaaSInsiderStatus records contain device-centric data and acts as the device rec |Field |Type |Example |Description | |--|--|---|--| |**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this value appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](./update-compliance-get-started.md). | -|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This value is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | +|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This value is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | |**OSArchitecture** |[string](/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. | |**OSName** |[string](/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This value will always be Windows 10 for Update Compliance. | |**OSVersion** |[string](/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This value typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This value maps to the `Major` portion of OSBuild. | diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md index 9e0d7a5b83..52b4b8c580 100644 --- a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md +++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md @@ -20,7 +20,7 @@ WaaSUpdateStatus records contain device-centric data and acts as the device reco |Field |Type |Example |Description | |--|-|----|------------------------| |**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](./update-compliance-get-started.md). | -|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | +|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | |**DownloadMode** |[string](/azure/kusto/query/scalar-data-types/string) |`Simple (99)` |The device's Delivery Optimization DownloadMode. To learn about possible values, see [Delivery Optimization Reference - Download mode](../do/waas-delivery-optimization-reference.md#download-mode) | |**FeatureDeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The on-client Windows Update for Business Deferral Policy days.
- **<0**: A value below 0 indicates the policy is disabled.
- **0**: A value of 0 indicates the policy is enabled, but the deferral period is zero days.
- **1+**: A value of 1 and above indicates the deferral setting, in days. | |**FeaturePauseDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |*Deprecated* This provides the count of days left in a pause | diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md index 566ef0650a..82ab3a457c 100644 --- a/windows/deployment/update/update-compliance-schema-wudostatus.md +++ b/windows/deployment/update/update-compliance-schema-wudostatus.md @@ -25,7 +25,7 @@ These fields are briefly described in this article, to learn more about Delivery |Field |Type |Example |Description | |-|-|-|-| |**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](./update-compliance-get-started.md). | -|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | +|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. | |**City** |[string](/azure/kusto/query/scalar-data-types/string) | |Approximate city device was in while downloading content, based on IP Address. | |**Country** |[string](/azure/kusto/query/scalar-data-types/string) | |Approximate country device was in while downloading content, based on IP Address. | |**ISP** |[string](/azure/kusto/query/scalar-data-types/string) | |The Internet Service Provider estimation. | diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index fe5f9e9510..501abd7c9d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1314,9 +1314,9 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier. +- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier. ### Census.Firmware @@ -3140,7 +3140,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. @@ -4412,7 +4412,7 @@ The following fields are available: - **DeviceIsMdmManaged** This device is MDM managed. - **IsNetworkAvailable** If the device network is not available. - **IsNetworkMetered** If network is metered. -- **IsSccmManaged** This device is SCCM managed. +- **IsSccmManaged** This device is managed by Configuration Manager . - **NewlyInstalledOs** OS is newly installed quiet period. - **PausedByPolicy** Updates are paused by policy. - **RecoveredFromRS3** Previously recovered from RS3. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index f20bf940f2..8563594473 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -1382,9 +1382,9 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier +- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier ### Census.Firmware @@ -3148,7 +3148,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. @@ -4257,7 +4257,7 @@ The following fields are available: - **DeviceIsMdmManaged** This device is MDM managed. - **IsNetworkAvailable** If the device network is not available. - **IsNetworkMetered** If network is metered. -- **IsSccmManaged** This device is SCCM managed. +- **IsSccmManaged** This device is managed by Configuration Manager. - **NewlyInstalledOs** OS is newly installed quiet period. - **PausedByPolicy** Updates are paused by policy. - **RecoveredFromRS3** Previously recovered from RS3. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index fc82f5a509..1131c7979c 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -1439,9 +1439,9 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier +- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier ### Census.Firmware @@ -4550,7 +4550,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. @@ -5492,7 +5492,7 @@ The following fields are available: - **DeviceIsMdmManaged** This device is MDM managed. - **IsNetworkAvailable** If the device network is not available. - **IsNetworkMetered** If network is metered. -- **IsSccmManaged** This device is SCCM managed. +- **IsSccmManaged** This device is managed by Configuration Manager. - **NewlyInstalledOs** OS is newly installed quiet period. - **PausedByPolicy** Updates are paused by policy. - **RecoveredFromRS3** Previously recovered from RS3. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index e660f2df49..8e1ae7ee99 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -2171,9 +2171,9 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier +- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier ### Census.Firmware @@ -3362,7 +3362,7 @@ The following fields are available: - **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. - **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. - **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft System Center Configuration Manager to keep the operating system and applications up to date. - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). @@ -6058,7 +6058,7 @@ The following fields are available: - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. - **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected. - **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. - **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use. - **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. - **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. @@ -6820,7 +6820,7 @@ The following fields are available: - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. @@ -6875,9 +6875,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -6936,8 +6936,8 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -9570,7 +9570,7 @@ The following fields are available: - **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. - **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. +- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is Azure Active Directory-joined. - **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. - **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. - **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. @@ -9582,8 +9582,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. - **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. -- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. -- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. +- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager. +- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager. - **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. - **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 2dd8d27ae5..7f3e3d6a3e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -2355,9 +2355,9 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier +- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier ### Census.Firmware @@ -3623,7 +3623,7 @@ The following fields are available: - **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. - **IsDeviceOobeBlocked** Indicates whether the OOBE (Out of Box Experience) is blocked on the device. - **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date. +- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft System Center Configuration Manager to keep the operating system and applications up to date. - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). @@ -6242,7 +6242,7 @@ The following fields are available: - **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. - **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. +- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is Azure Active Directory-joined. - **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. - **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. - **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. @@ -6255,8 +6255,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. - **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. -- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. -- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. +- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager. +- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager. - **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. - **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. @@ -6614,7 +6614,7 @@ The following fields are available: - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 @@ -6739,7 +6739,7 @@ The following fields are available: - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." @@ -6873,7 +6873,7 @@ The following fields are available: - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. @@ -6928,9 +6928,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -6990,9 +6990,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 084f8f8a9e..61f0ee30c2 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -1885,9 +1885,9 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier +- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier ### Census.Firmware @@ -4871,7 +4871,7 @@ The following fields are available: - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 @@ -4965,7 +4965,7 @@ The following fields are available: - **IPVersion** Indicates whether the download took place over IPv4 or IPv6. - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." - **PackageFullName** The package name of the content. @@ -5075,7 +5075,7 @@ The following fields are available: - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. @@ -5127,9 +5127,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -5192,9 +5192,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -6811,9 +6811,9 @@ The following fields are available: - **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is WU-For-Business target version is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business target version is enabled on the device. - **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. - **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. - **NumberOfLoop** Number of roundtrips the scan required. @@ -6859,9 +6859,9 @@ The following fields are available: - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is WU-For-Business target version is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business target version is enabled on the device. - **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. - **MSIError** The last error encountered during a scan for updates. - **NetworkConnectivityDetected** 0 when IPv4 is detected, 1 when IPv6 is detected. @@ -6901,9 +6901,9 @@ The following fields are available: - **ExtendedStatusCode** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. - **FeatureUpdatePause** Failed Parse actions. - **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. - **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. - **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. - **NumberOfLoop** Number of roundtrips the scan required. @@ -6962,10 +6962,10 @@ The following fields are available: - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. - **EventInstanceID** A globally unique identifier for event instance. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBFederatedScanDisabled** Flag indicated is WU-for-Business FederatedScan is disabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Flag indicated is Windows Update for Business FederatedScan is disabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. @@ -6999,9 +6999,9 @@ The following fields are available: - **FeatureUpdatePausePeriod** Pause duration configured for feature OS updates on the device, in days. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. - **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. - **NumberOfApplicableUpdates** Number of updates which were ultimately deemed applicable to the system after detection process is complete. - **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. @@ -7136,9 +7136,9 @@ The following fields are available: - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HostName** Identifies the hostname. - **IPVersion** Identifies the IP Connection Type version. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **NetworkCost** Identifies the network cost. - **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted. - **PackageFullName** Package name of the content. @@ -7192,9 +7192,9 @@ The following fields are available: - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HostName** Identifies the hostname. - **IPVersion** Identifies the IP Connection Type version. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **NetworkCost** Identifies the network cost. - **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted. - **PackageFullName** The package name of the content. @@ -7234,9 +7234,9 @@ The following fields are available: - **FlightBuildNumber** Indicates the build number of that flight. - **FlightId** The specific id of the flight the device is getting. - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. - **PackageFullName** The package name of the content. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -7269,9 +7269,9 @@ The following fields are available: - **FlightBuildNumber** Indicates the build number of that flight. - **FlightId** The specific id of the flight the device is getting. - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. - **PackageFullName** The package name of the content. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -7317,9 +7317,9 @@ The following fields are available: - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HostName** The hostname URL the content is downloading from. - **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6) -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. - **NetworkCost** A flag indicating the cost of the network being used for downloading the update content. That could be one of the following values0x0 : Unkown0x1 : Network cost is unrestricted0x2 : Network cost is fixed0x4 : Network cost is variable0x10000 : Network cost over data limit0x20000 : Network cost congested0x40000 : Network cost roaming0x80000 : Network cost approaching data limit. - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be “metered”. - **PackageFullName** The package name of the content. @@ -7360,9 +7360,9 @@ The following fields are available: - **FlightBuildNumber** Indicates the build number of that flight. - **FlightId** The specific id of the flight the device is getting. - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **PackageFullName** The package name of the content. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -7409,9 +7409,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **MsiAction** Stage of MSI installation where it failed. - **MsiProductCode** Unique identifier of the MSI installer. @@ -7465,9 +7465,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **MsiAction** Stage of MSI installation where it failed. - **MsiProductCode** Unique identifier of the MSI installer. @@ -7521,9 +7521,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **MsiAction** Stage of MSI installation where it failed. - **MsiProductCode** Unique identifier of the MSI installer. @@ -7577,9 +7577,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **MsiAction** Stage of MSI installation where it failed. - **MsiProductCode** Unique identifier of the MSI installer. @@ -7633,9 +7633,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **MsiAction** Stage of MSI installation where it failed. - **MsiProductCode** Unique identifier of the MSI installer. @@ -7686,9 +7686,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -7735,9 +7735,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -7784,9 +7784,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index b37678708d..a8a77f6f06 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1891,9 +1891,9 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier +- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier ### Census.Firmware @@ -4854,7 +4854,7 @@ The following fields are available: - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 @@ -4971,7 +4971,7 @@ The following fields are available: - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." @@ -5093,7 +5093,7 @@ The following fields are available: - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. @@ -5145,9 +5145,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -5210,9 +5210,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -5774,7 +5774,7 @@ The following fields are available: - **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. - **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. +- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is Azure Active Directory-joined. - **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. - **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. - **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. @@ -5787,8 +5787,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. - **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. -- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. -- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. +- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager. +- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager. - **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. - **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. @@ -5829,7 +5829,7 @@ The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. -- **UpdateHealthToolsDeviceSccmManaged** Device is managed by SCCM. +- **UpdateHealthToolsDeviceSccmManaged** Device is managed by Configuration Manager. - **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise. - **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index ddff708e26..87265d9ffb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -35,8 +35,8 @@ When using a key, the on-premises environment needs an adequate distribution of When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a certificate requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector. -To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md). -To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). +To deploy single sign-on for Azure Active Directory-joined devices using keys, read and follow [Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md). +To deploy single sign-on for Azure Active Directory-joined devices using certificates, read and follow [Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for Azure Active Directory-joined On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). ## Related topics diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index c3f40de8e2..e5df19b1b9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -30,7 +30,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu ## Managing domain-joined computers and moving to cloud -Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). +Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 or later can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index f088c8d7f9..b8a04808f4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -49,7 +49,7 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; > [!NOTE] -> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) +> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. - Most, but not all, apps are deployed using MEMCM; - Sometimes, IT staff install apps directly to these devices without using MEMCM; diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index a173ced569..57d270f1b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -49,7 +49,7 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; > [!NOTE] - > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM). + > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. - Some, but not all, apps are deployed using MEMCM; - Most users are local administrators on their devices; diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index aa02076a04..20bc578f08 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -141,9 +141,10 @@ See also [Checklist: Creating Inbound Firewall Rules](./checklist-creating-inbou ## Establish local policy merge and application rules Firewall rules can be deployed: + 1. Locally using the Firewall snap-in (**WF.msc**) 2. Locally using PowerShell -3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager (SCCM), or Intune (using workplace join) +3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join) Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles. From a4a0cc9076ae17c0cd7987e981a3f81874a4501f Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 6 Jun 2022 17:32:42 +0530 Subject: [PATCH 006/288] Update required-windows-11-diagnostic-events-and-fields.md --- ...required-windows-11-diagnostic-events-and-fields.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 61f0ee30c2..f3407346b7 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -79,7 +79,7 @@ The following fields are available: - **PackageSpecifiers** The map of Intelligent Delivery region specifiers present in the installing package. - **PlanId** The ID of the streaming plan being used to install the content. - **ProductId** The product ID of the application associated with this event. -- **RelatedCv** The related correlation vector. This optional value contains the correlation vector for this install if the Cv value is representing an actiuon tracked by a correlation vector. +- **RelatedCv** The related correlation vector. This optional value contains the correlation vector for this install if the Cv value is representing an action tracked by a correlation vector. - **RequestSpecifiers** The map of Intelligent Delivery region specifiers requested by the system/user/title as a part of the install activity. - **SourceHardwareID** The hardware ID of the source device, if it is external storage. Empty if not an external storage device. - **SourcePath** The source path we are installing from. May be a CDN (Content Delivery Network) or a local disk drive. @@ -488,7 +488,7 @@ The following fields are available: - **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. - **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. - **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. -- **SoftBlock** The file is softblocked in the SDB and has a warning. +- **SoftBlock** The file is soft blocked in the SDB and has a warning. ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove @@ -1775,7 +1775,7 @@ The following fields are available: - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. - **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information. - **RunResult** The hresult of the Appraiser diagnostic data run. - **ScheduledUploadDay** The day scheduled for the upload. - **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. @@ -1861,7 +1861,7 @@ The following fields are available: - **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. - **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. - **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected. Boolean value. ### Census.Enterprise @@ -1874,7 +1874,7 @@ The following fields are available: - **AzureOSIDPresent** Represents the field used to identify an Azure machine. - **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **CDJType** Represents the type of cloud domain joined for the machine. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **CommercialId** Represents the GUID for the commercial entity that the device is a member of.  Will be used to reflect insights back to customers. - **ContainerType** The type of container, such as process or virtual machine hosted. - **EnrollmentType** Defines the type of MDM enrollment on the device. - **HashedDomain** The hashed representation of the user domain used for login. From 6159c3367bb3c5745dc3a6962daa0ca81f34fc85 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 6 Jun 2022 18:57:23 +0300 Subject: [PATCH 007/288] M365 Business Premium update path https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10407 --- windows/deployment/windows-10-subscription-activation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 2b534e585f..42fc531050 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -30,6 +30,8 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. +If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](https://docs.microsoft.com/en-us/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business). + The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. See the following topics: From be82ff62eac57144df9429d6bee8bc43bf5c305b Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Mon, 6 Jun 2022 10:32:03 -0700 Subject: [PATCH 008/288] Update remotewipe-csp.md --- .../client-management/mdm/remotewipe-csp.md | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index b76855bf76..c00be2ffd3 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -34,20 +34,23 @@ RemoteWipe ----doWipePersistProvisionedData ----doWipeProtected ----doWipePersistUserData +----doWipeCloud +----doWipeCloudPersistUserData +----doWipeCloudPersistProvisionedData ----AutomaticRedeployment --------doAutomaticRedeployment --------LastError --------Status ``` **doWipe** -Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the reset will not automatically be retried. +Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with Clean Data set to No and Delete Files set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning data should be backed up to a persistent location, and then a remote doWipe reset of the device should be started. +Specifies that provisioning packages in ProgramData\Microsoft\Provisioning folder will be retained and applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. @@ -58,12 +61,21 @@ The information that was backed up will be restored and applied to the device wh **doWipeProtected** Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. -The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done. Because doWipeProtected will keep trying to reset the device until it's done, use doWipeProtected in lost/stolen device scenarios. +The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios. Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a doWipe remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting “Keep my files” when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. + +**DoWipeCloud** +Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. + +**DoWipeCloudPersistUserData** +Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. + +**DoWipeCloudPersistProvisionedData** +Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. **AutomaticRedeployment** Added in Windows 10, version 1809. Node for the Autopilot Reset operation. From 5a0922f0aaddacf3b0abddbfb7822d9cf644326e Mon Sep 17 00:00:00 2001 From: themar-msft <33436507+themar-msft@users.noreply.github.com> Date: Mon, 6 Jun 2022 10:36:14 -0700 Subject: [PATCH 009/288] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index c00be2ffd3..71cbd89d31 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -43,14 +43,14 @@ RemoteWipe --------Status ``` **doWipe** -Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with Clean Data set to No and Delete Files set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. +Specifies that a remote reset of the device should be started. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, depending on how far the reset progressed, the PC can roll back to the pre-reset state. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. Supported operation is Exec. **doWipePersistProvisionedData** -Specifies that provisioning packages in ProgramData\Microsoft\Provisioning folder will be retained and applied to the OS after the reset. +Specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset. When used with OMA Client Provisioning, a dummy value of "1" should be included for this element. @@ -66,7 +66,7 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting “Keep my files” when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command. **DoWipeCloud** Performs a DoWipe remote reset, but downloads the OS payload from Windows Update instead of the local Windows recovery environment. From 4dd6d377b583e71ce35a3d0526fcab5d2d5e822a Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 7 Jun 2022 08:51:06 +0300 Subject: [PATCH 010/288] Update windows/deployment/windows-10-subscription-activation.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 42fc531050..a9a1139765 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -30,7 +30,7 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. -If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](https://docs.microsoft.com/en-us/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business). +If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business). The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. From 31a2c426943eae7b1369558d564d8dfef0d824c9 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Wed, 8 Jun 2022 09:50:49 +0200 Subject: [PATCH 011/288] #10340 #10340 the feedback was about stressing that a step is not needed for Windows Server 2019. I discovered that this is already mentioned in the article, so I made that statement bold to make it stand out. --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 53a69d9ca8..35d754ebe4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -25,7 +25,9 @@ ms.reviewer: - On-premises deployment - Certificate trust -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps. +The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. + +**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.** Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. From fe0b1343e3c29d31b131c78396dd6c9584f67566 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Wed, 8 Jun 2022 10:11:58 +0200 Subject: [PATCH 012/288] #10356 #10356 I followed the discussion on the original post and I implemented these changes accordingly --- .../hello-for-business/hello-cert-trust-policy-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 18e5489911..dc18e09acc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -60,7 +60,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 3. Right-click **Group Policy object** and select **New**. 4. Type *Enable Windows Hello for Business* in the name box and click **OK**. 5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration**. +6. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. 8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. 9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. @@ -70,7 +70,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration**. +4. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. 6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. From 14d52784f84f4299207d60613f2914945f51575a Mon Sep 17 00:00:00 2001 From: Florian Stosse Date: Wed, 8 Jun 2022 17:05:19 +0200 Subject: [PATCH 013/288] Fix indentation in XML code block --- .../microsoft-recommended-block-rules.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 0fbd505f00..ddc280cfb4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -162,7 +162,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -877,7 +877,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -905,10 +905,10 @@ Select the correct version of each .dll for the Windows release you plan to supp + + + + --> From 8422c4ed7ae744192f99f7ccfb881260fedddc0e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 8 Jun 2022 21:28:21 +0530 Subject: [PATCH 014/288] added curly brackets as per user report #10583, I added curly brackets. but i could not able add the correct screenshot. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8ca6538d48..74765dffac 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -251,7 +251,7 @@ You can use Group Policy to deploy an administrative template policy setting to :::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'."::: -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `60b78e88-ead8-445c-9cfd-0b87f74ea6cd`. +The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`. :::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'."::: From 76a1a78899f4f14af0caa4ad18efd3fb9fa2524e Mon Sep 17 00:00:00 2001 From: Mark Renoden Date: Fri, 10 Jun 2022 11:10:50 +1000 Subject: [PATCH 015/288] Update hello-hybrid-cloud-trust.md Adding a clarification for the 2016+ Domain Controller requirements. --- .../hello-for-business/hello-hybrid-cloud-trust.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index a86fb2633a..cfc435c989 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -48,6 +48,8 @@ When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server objec More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview). +If using the hybrid cloud trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Read-Write Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. + ## Prerequisites | Requirement | Notes | From 6519ec617ac73aa271cc60b156a0717497feed97 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 10 Jun 2022 11:22:24 +0500 Subject: [PATCH 016/288] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...defender-application-control-with-dynamic-code-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index b1ace98992..ecf7941e63 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -24,7 +24,7 @@ Historically, Windows Defender Application Control (WDAC) has restricted the set Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. Beginning with Windows 10, version 1803, or Windows 11, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. -When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources. +When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources (any non-local sources, such as Internet or network share). Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries. @@ -39,4 +39,4 @@ To enable Dynamic Code Security, add the following option to the `` secti -``` \ No newline at end of file +``` From 55e8d06d7f24e423d0b58077342beb178737c5fe Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 10 Jun 2022 11:58:59 +0500 Subject: [PATCH 017/288] Update system-failure-recovery-options.md --- .../system-failure-recovery-options.md | 60 ++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 777b9fa6ec..5ea73e75a2 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -184,6 +184,63 @@ To specify that you don't want to overwrite any previous kernel or complete memo - Set the **Overwrite** DWORD value to **0**. +#### Automatic Memory Dump + +The default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. + +If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). + +To specify that you want to use a automatic memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugInfoType = 7 + ``` + +- Set the **CrashDumpEnabled** DWORD value to **7**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the **DumpFile** Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + +#### Active Memory Dump + +An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a complete memory dump. + +This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). + +To specify that you want to use an active memory dump file, modify the registry value: + +- Set the **CrashDumpEnabled** DWORD value to **1**. +- Set the **FilterPages** DWORD value to **1**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the DumpFile Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + >[!Note] >If you contact Microsoft Support about a Stop error, you might be asked for the memory dump file that is generated by the Write Debugging Information option. @@ -192,6 +249,7 @@ To view system failure and recovery settings for your local computer, type **wmi >[!Note] >To successfully use these Wmic.exe command line examples, you must be logged on by using a user account that has administrative rights on the computer. If you are not logged on by using a user account that has administrative rights on the computer, use the **/user:user_name** and **/password:password** switches. + ### Tips - To take advantage of the dump file feature, your paging file must be on the boot volume. If you've moved the paging file to another volume, you must move it back to the boot volume before you use this feature. @@ -202,4 +260,4 @@ To view system failure and recovery settings for your local computer, type **wmi ## References -[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) \ No newline at end of file +[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) From 6208eafa2a95d677e4dc4786e0f323cda7e73ca3 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 10 Jun 2022 13:23:58 +0500 Subject: [PATCH 018/288] Update hello-feature-dynamic-lock.md --- .../hello-for-business/hello-feature-dynamic-lock.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 7025fb4173..6f5edfb03b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -25,6 +25,9 @@ ms.reviewer: Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. +>[!IMPORTANT] +>The feature only locks the computer if Bluetooth signal falls and the system is idle. If the system is not idle (for example, intruder got access **before** Bluetooth signal falls below the limit), it will not be locked. Therefor, dynamic lock is an additional barrier, it does not replace the need to lock the computer by user, it only reduces the probability of someone gaining access if user forgets to lock it. + You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: From 7988ab83f21442598b2662347f40873f07234643 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 10 Jun 2022 15:12:39 +0530 Subject: [PATCH 019/288] Update enhanced-diagnostic-data-windows-analytics-events-and-fields.md --- ...anced-diagnostic-data-windows-analytics-events-and-fields.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index ee2bf8af2f..79c4fe1d56 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -119,7 +119,7 @@ Collects Office metadata through UTC to compare with equivalent data collected t Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details). - **build:** App version -- **channel:** Is this part of GA Channel or SAC-T? +- **channel:** Is this part of GA Channel? - **errorCode:** What error occurred during the upgrade process? - **errorMessage:** what was the error message during the upgrade process? - **status:** Was the upgrade successful or not? From 3076f8f4fe897cf27b6f47f11b21ad7068b2e634 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 10 Jun 2022 15:33:56 +0530 Subject: [PATCH 020/288] Update enhanced-diagnostic-data-windows-analytics-events-and-fields.md --- ...anced-diagnostic-data-windows-analytics-events-and-fields.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 79c4fe1d56..53773edc54 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -210,7 +210,7 @@ This event is fired when the telemetry engine within an office application has p - **SessionID:** ID of the session ## Microsoft.Office.TelemetryEngine.ShutdownStart -This event is fired when the telemetry engine within an office application been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. +This event is fired when the telemetry engine within an office application has been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. - **appVersionBuild:** Third part of the version *.*.XXXXX.* - **appVersionMajor:** First part of the version X.*.*.* From a16337c48f4ef972dc3b6c937b503f685b879688 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:13 +0500 Subject: [PATCH 021/288] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 5ea73e75a2..8758e25c63 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -186,7 +186,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo #### Automatic Memory Dump -The default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. +This is the default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). From f796ba6826e724296c97c01156087fa500963e5b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:23 +0500 Subject: [PATCH 022/288] Update windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-dynamic-lock.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 6f5edfb03b..cd2812800e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -25,8 +25,8 @@ ms.reviewer: Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. ->[!IMPORTANT] ->The feature only locks the computer if Bluetooth signal falls and the system is idle. If the system is not idle (for example, intruder got access **before** Bluetooth signal falls below the limit), it will not be locked. Therefor, dynamic lock is an additional barrier, it does not replace the need to lock the computer by user, it only reduces the probability of someone gaining access if user forgets to lock it. +> [!IMPORTANT] +> The feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system is not idle (for example, the intruder got access **before** the Bluetooth signal falls below the limit), it will not be locked. Therefore, the dynamic lock feature is an additional barrier, it does not replace the need to lock the computer by the user, it only reduces the probability of someone gaining access if the user forgets to lock it. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. From 165ca3756c3e03ed6f75fd8a60654ad8a9d364a5 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:28 +0500 Subject: [PATCH 023/288] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 8758e25c63..a69c702060 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -216,7 +216,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo #### Active Memory Dump -An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a complete memory dump. +An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump. This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). From feabf31b3a21c580174a37b7f3c1e9d4900a7a17 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:32 +0500 Subject: [PATCH 024/288] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index a69c702060..3f77ed5794 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -190,7 +190,7 @@ This is the default option. An Automatic Memory Dump contains the same informati If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). -To specify that you want to use a automatic memory dump file, run the following command or modify the registry value: +To specify that you want to use an automatic memory dump file, run the following command or modify the registry value: - ```cmd wmic recoveros set DebugInfoType = 7 From 670514fa1b5c2eb7750148d930f5284f6818408f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:38 +0500 Subject: [PATCH 025/288] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 3f77ed5794..b1cbad90d2 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -218,7 +218,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump. -This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). +This dump file includes any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file-backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages, and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). To specify that you want to use an active memory dump file, modify the registry value: From 18551c254f1571b2333af303c2a5d86ea8712114 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Sun, 12 Jun 2022 15:25:10 +0200 Subject: [PATCH 026/288] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index dc18e09acc..8c6cd85e3c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -60,7 +60,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 3. Right-click **Group Policy object** and select **New**. 4. Type *Enable Windows Hello for Business* in the name box and click **OK**. 5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). +6. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. 8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. 9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. From 66e81da09ddfc8d17f485cdaf3672a1a4afedae7 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Sun, 12 Jun 2022 15:25:18 +0200 Subject: [PATCH 027/288] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 8c6cd85e3c..8e344e9b31 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -70,7 +70,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). +4. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. 6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. From dd4b16cba7cdccecf9eddab29a6c877c1b8db510 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 13 Jun 2022 11:44:46 +0530 Subject: [PATCH 028/288] Updated as per feedback --- ...ct-data-using-enterprise-site-discovery.md | 8 +++---- ...ct-data-using-enterprise-site-discovery.md | 8 +++---- ...he-internet-explorer-11-blocker-toolkit.md | 2 +- .../ie11-faq/faq-ie11-blocker-toolkit.yml | 4 ++-- .../windows/chromebook-migration-guide.md | 2 +- .../app-v/appv-capacity-planning.md | 2 +- .../app-v/appv-supported-configurations.md | 2 +- .../mdm/applicationcontrol-csp.md | 4 ++-- .../ue-v/uev-deploy-required-features.md | 2 +- .../configuration/ue-v/uev-sync-methods.md | 2 +- windows/deployment/deploy-windows-to-go.md | 2 +- ...oyment-considerations-for-windows-to-go.md | 2 +- ...ndows-to-go-frequently-asked-questions.yml | 2 +- .../update-compliance-configuration-mem.md | 2 +- .../upgrade/resolution-procedures.md | 2 +- .../demonstrate-deployment-on-vm.md | 2 +- ...ndows-diagnostic-events-and-fields-1703.md | 4 ++-- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 4 ++-- ...ndows-diagnostic-events-and-fields-1903.md | 2 +- .../retired/hello-how-it-works.md | 2 +- .../bitlocker-management-for-enterprises.md | 2 +- .../deploy-appid-tagging-policies.md | 4 ++-- ...-apps-deployed-with-a-managed-installer.md | 2 +- .../create-wdac-deny-policy.md | 2 +- ...e-wdac-policy-for-fully-managed-devices.md | 22 ++++++++----------- ...wdac-policy-for-lightly-managed-devices.md | 20 +++++++---------- .../deploy-wdac-policies-with-memcm.md | 12 +++++----- .../example-wdac-base-policies.md | 2 +- .../feature-availability.md | 2 +- .../types-of-devices.md | 5 +---- ...ication-control-policy-design-decisions.md | 2 +- ...control-with-intelligent-security-graph.md | 4 ++-- 34 files changed, 66 insertions(+), 77 deletions(-) diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index 9e5e461261..91c262c502 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -138,7 +138,7 @@ Before you can start to collect your data, you must run the provided PowerShell -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.

-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. @@ -235,7 +235,7 @@ After you’ve collected your data, you’ll need to get the local files off of -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.

-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### Collect your hardware inventory using the MOF Editor while connected to a client device You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. @@ -277,8 +277,8 @@ You can collect your hardware inventory using the MOF Editor and a .MOF import f 4. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports. -### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. +### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. **To collect your inventory** diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 63709888c6..24265e0261 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -142,7 +142,7 @@ Before you can start to collect your data, you must run the provided PowerShell -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.

-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. @@ -239,7 +239,7 @@ After you’ve collected your data, you’ll need to get the local files off of -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.

-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### Collect your hardware inventory using the MOF Editor while connected to a client device You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. @@ -281,8 +281,8 @@ You can collect your hardware inventory using the MOF Editor and a .MOF import f 4. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports. -### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. +### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. **To collect your inventory** diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index 3ec3c7c763..13e84a6792 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -75,7 +75,7 @@ If you use Automatic Updates in your company, but want to stop your users from a > [!NOTE] >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-for-it-pros-ie11.yml). -- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. +- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. > [!NOTE] > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml index 178595abf4..618ec339b5 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml +++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml @@ -22,7 +22,7 @@ summary: | Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. > [!Important] - > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. + > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. - [Automatic updates delivery process](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#automatic-updates-delivery-process) @@ -47,7 +47,7 @@ sections: - question: | Whtools cI use to manage Windows Updates and Microsoft Updates in my company? answer: | - We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)). + We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)). - question: | How long does the blocker mechanism work? diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 37e9cba645..6ecad551d4 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -485,7 +485,7 @@ Table 9. Management systems and deployment resources |--- |--- | |Windows provisioning packages|

  • [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
  • [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
  • [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)| |Group Policy|
  • [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
  • [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"| -|Configuration Manager|
  • [Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
  • [Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))| +|Configuration Manager|
  • [Site Administration for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
  • [Deploying Clients for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))| |Intune|
  • [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)
  • [System Center 2012 R2 Configuration Manager &amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)| |MDT|
  • [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)| diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 969926e2ed..1b99178358 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -34,7 +34,7 @@ You can also manage your App-V environment using an electronic software distribu * **Standalone model**—The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone mode only needs the sequencer and the client; no extra components are required. Applications are prepared for virtualization using a process called sequencing. For more information, see [Planning for the App-V Sequencer and Client deployment](appv-planning-for-sequencer-and-client-deployment.md). The standalone model is recommended for the following scenarios: * When there are disconnected remote users who can't connect to the App-V infrastructure. - * When you're running a software management system, such as System Center 2012 Configuration Manager. + * When you're running a software management system, such as Configuration Manager. * When network bandwidth limitations inhibit electronic software distribution. * **Full infrastructure model**—The full infrastructure model provides for software distribution, management, and reporting capabilities; it also includes the streaming of applications across the network. The App-V full infrastructure model consists of one or more App-V management servers that can be used to publish applications to all clients. Publishing places the virtual application icons and shortcuts on the target computer. It can also stream applications to local users. For more information about how to install the management server, see [Planning for App-V Server deployment](appv-planning-for-appv-server-deployment.md). The full infrastructure model is recommended for the following scenarios: diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 071879bc7c..2522c24732 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -119,7 +119,7 @@ See the Windows or Windows Server documentation for the hardware requirements. ## Supported versions of Microsoft Endpoint Configuration Manager -The App-V client works with Configuration Manager versions starting with Technical Preview for System Center Configuration Manager, version 1606. +The App-V client works with Configuration Manager versions starting with Technical Preview for Configuration Manager, version 1606. ## Related articles diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 2975a094c7..8440d7e79f 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -152,7 +152,7 @@ Value type is char. ## Microsoft Endpoint Manager (MEM) Intune Usage Guidance -For customers using Intune standalone or hybrid management with Microsoft Endpoint Manager Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). +For customers using Intune standalone or hybrid management with Microsoft Endpoint Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). ## Generic MDM Server Usage Guidance @@ -301,7 +301,7 @@ An example of Delete command is: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). +The ApplicationControl CSP can also be managed locally from PowerShell or via Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). ### Setup for using the WMI Bridge diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index 22cfb858c0..b41463da76 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -49,7 +49,7 @@ The settings storage location is defined by setting the SettingsStoragePath conf - Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings -- With the [System Center Configuration Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V +- With the [Configuration Manager Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V - With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md) diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md index 31ae2008ce..47ddb1c82a 100644 --- a/windows/configuration/ue-v/uev-sync-methods.md +++ b/windows/configuration/ue-v/uev-sync-methods.md @@ -31,7 +31,7 @@ You can configure the sync method in these ways: - Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings -- With the [System Center Configuration Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V +- With the [Configuration Manager Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V - With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md) diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 9846a41bcf..d4f4c27135 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -39,7 +39,7 @@ The following is a list of items that you should be aware of before you start th * When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive. -* System Center 2012 Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). +* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). * If you are planning on using a USB drive duplicator to duplicate Windows To Go drives, do not configure offline domain join or BitLocker on the drive. diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index 397f230051..986659ce39 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -61,7 +61,7 @@ DirectAccess can be used to ensure that the user can log in with their domain cr ### Image deployment and drive provisioning considerations -The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center 2012 Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. +The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive. ![windows to go image deployment.](images/wtg-image-deployment.gif) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 468fb48151..f57d4eedc3 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -162,7 +162,7 @@ sections: - question: | Can the user self-provision Windows To Go? answer: | - Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). + Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). - question: | How can Windows To Go be managed in an organization? diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 8d47eba6f3..8422a69d5e 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -25,7 +25,7 @@ ms.topic: article > [!NOTE] > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. -This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager (MEM)](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. 2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index aa86279555..5efc901351 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -84,7 +84,7 @@ See the following general troubleshooting procedures associated with a result co |0x80070522|The user doesn’t have required privilege or credentials to upgrade.|Ensure that you've signed in as a local administrator or have local administrator privileges.| |0xC1900107|A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade.|Restart the device and run setup again. If restarting the device doesn't resolve the issue, then use the Disk Cleanup utility to clean up the temporary files and the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68).| |0xC1900209|The user has chosen to cancel because the system doesn't pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.|Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](/archive/blogs/mniehaus/windows-10-pre-upgrade-validation-using-setup-exe) for more information.

    You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.| -|0x8007002|This error is specific to upgrades using System Center 2012 Configuration Manager R2 SP1 CU3 (5.00.8238.1403)|Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)

    The error 80072efe means that the connection with the server was terminated abnormally.

    To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.| +|0x8007002|This error is specific to upgrades using Configuration Manager R2 SP1 CU3 (5.00.8238.1403)|Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)

    The error 80072efe means that the connection with the server was terminated abnormally.

    To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.| |0x80240FFF|Occurs when update synchronization fails. It can occur when you're using Windows Server Update Services on its own or when it's integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.|You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:

    1. Disable the Upgrades classification.
    2. Install hotfix 3095113.
    3. Delete previously synched updates.
    4. Enable the Upgrades classification.
    5. Perform a full synch.

    For detailed information on how to run these steps check out How to delete upgrades in WSUS.| |0x8007007E|Occurs when update synchronization fails because you don't have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you're using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.|Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.

    Stop the Windows Update service.

  • Sign in as a user with administrative privileges, and then do the following:
  • Open Administrative Tools from the Control Panel.
  • Double-click Services.
  • Find the Windows Update service, right-click it, and then select Stop. If prompted, enter your credentials.

    Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.

    Restart the Windows Update service.| diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index b942f83a14..d568f05eef 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -613,7 +613,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n ### Delete (deregister) Autopilot device -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the Microsoft Endpoint Manager admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. > [!div class="mx-imgBorder"] > ![Delete device step 1.](images/delete-device1.png) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index cd1cb3afe6..c2f6129519 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1314,7 +1314,7 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier. @@ -3140,7 +3140,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 6a19d4f822..079490dd99 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -3148,7 +3148,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index cf9e96bf73..912861438f 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -4550,7 +4550,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index e1d9c05c8c..645690fd3d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -3362,7 +3362,7 @@ The following fields are available: - **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. - **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device. - **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft System Center Configuration Manager to keep the operating system and applications up to date. +- **IsDeviceSccmManaged** Indicates whether the device is running the Configuration Manager to keep the operating system and applications up to date. - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). @@ -6058,7 +6058,7 @@ The following fields are available: - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. - **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected. - **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Microsoft System Center Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use. - **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. - **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 69a1cecb22..c474b2d518 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -3623,7 +3623,7 @@ The following fields are available: - **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network. - **IsDeviceOobeBlocked** Indicates whether the OOBE (Out of Box Experience) is blocked on the device. - **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device. -- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft System Center Configuration Manager to keep the operating system and applications up to date. +- **IsDeviceSccmManaged** Indicates whether the device is running the Configuration Manager to keep the operating system and applications up to date. - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 7a06722124..a3f4153369 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -99,7 +99,7 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ - Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. - The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. -- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. +- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. ## Related topics diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index e5df19b1b9..1b234aad34 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -30,7 +30,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu ## Managing domain-joined computers and moving to cloud -Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 or later can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). +Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md index 8c2b314e2b..86efc39597 100644 --- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md @@ -32,7 +32,7 @@ ms.technology: windows-sec Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy: 1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm) -1. [Deploy policies with MEMCM](#deploy-appid-tagging-policies-with-memcm) +1. [Deploy policies with Microsoft Endpoint Configuration Manager](#deploy-appid-tagging-policies-with-memcm) 1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting) 1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp) @@ -42,7 +42,7 @@ Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI fe ## Deploy AppId Tagging Policies with MEMCM -Custom AppId Tagging policies can deployed via MEMCM using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. +Custom AppId Tagging policies can deployed via Configuration Manager using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. ### Deploy AppId Tagging Policies via Scripting diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 7f1f74be4f..e7fccafbfd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -125,7 +125,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Microsoft Endpoint Config Manager (MEMCM)and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place. +4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place. ```xml diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index a5b01bd9ff..b5aca1e44a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -157,7 +157,7 @@ Policies should be thoroughly evaluated and first rolled out in audit mode befor 1. Mobile Device Management (MDM): [Deploy Windows Defender Application Control (WDAC) policies using Mobile Device Management (MDM) (Windows)](deploy-windows-defender-application-control-policies-using-intune.md) -2. Microsoft Endpoint Configuration Manager (MEMCM): [Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows)](deployment/deploy-wdac-policies-with-memcm.md) +2. Configuration Manager: [Deploy Windows Defender Application Control (WDAC) policies by using Configuration Manager (Windows)](deployment/deploy-wdac-policies-with-memcm.md) 3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index d777bcb8fe..283ec90d38 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -46,13 +46,9 @@ Alice previously created a policy for the organization's lightly managed devices Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed devices: - All clients are running Windows 10 version 1903 or above or Windows 11; -- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; - -> [!NOTE] -> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. - -- Most, but not all, apps are deployed using MEMCM; -- Sometimes, IT staff install apps directly to these devices without using MEMCM; +- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune; +- Most, but not all, apps are deployed using Configuration Manager; +- Sometimes, IT staff install apps directly to these devices without using Configuration Manager; - All users except IT are standard users on these devices. Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an additional managed installer for WDAC and allows her to remove the need for filepath rules. @@ -64,8 +60,8 @@ Based on the above, Alice defines the pseudo-rules for the policy: - WHQL (3rd party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules that include signer and hash rules for MEMCM components to properly function -3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer) +2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function. +3. **Allow Managed Installer** (Configuration Manager and *LamnaITInstaller.exe* configured as a managed installer) The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: @@ -74,14 +70,14 @@ The critical differences between this set of pseudo-rules and those defined for ## Create a custom base policy using an example WDAC base policy -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs. +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. Alice follows these steps to complete this task: > [!NOTE] -> If you do not use MEMCM or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy. +> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy. -1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11. +1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11. 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: @@ -91,7 +87,7 @@ Alice follows these steps to complete this task: $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` -3. Copy the policy created by MEMCM to the desktop: +3. Copy the policy created by Configuration Manager to the desktop: ```powershell cp $MEMCMPolicy $LamnaPolicy diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 90b3e0fd6e..8ed966bba8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -46,12 +46,8 @@ For the majority of users and devices, Alice wants to create an initial policy t Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices: - All clients are running Windows 10 version 1903 and above, or Windows 11; -- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; - - > [!NOTE] - > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. - -- Some, but not all, apps are deployed using MEMCM; +- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune. +- Some, but not all, apps are deployed using Configuration Manager; - Most users are local administrators on their devices; - Some teams may need additional rules to authorize specific apps that don't apply generally to all other users. @@ -62,8 +58,8 @@ Based on the above, Alice defines the pseudo-rules for the policy: - WHQL (3rd party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules which include signer and hash rules for MEMCM components to properly function -3. **Allow Managed Installer** (MEMCM configured as a managed installer) +2. **"MEMCM works”** rules which include signer and hash rules for Configuration Manager components to properly function +3. **Allow Managed Installer** (Configuration Manager configured as a managed installer) 4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization) 5. **Admin-only path rules** for the following locations: - C:\Program Files\* @@ -72,14 +68,14 @@ Based on the above, Alice defines the pseudo-rules for the policy: ## Create a custom base policy using an example WDAC base policy -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs. +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. Alice follows these steps to complete this task: > [!NOTE] -> If you do not use MEMCM or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy. +> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy. -1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11. +1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11. 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: @@ -89,7 +85,7 @@ Alice follows these steps to complete this task: $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` -3. Copy the policy created by MEMCM to the desktop: +3. Copy the policy created by Configuration Manager to the desktop: ```powershell cp $MEMCMPolicy $LamnaPolicy diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 4c931b2732..856b95f0a8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -31,18 +31,18 @@ You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Window ## Use MEMCM's built-in policies -MEMCM includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow: +Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow: - Windows components - Microsoft Store apps -- Apps installed by MEMCM (MEMCM self-configured as a managed installer) +- Apps installed by Configuration Manager (Configuration Manager self-configured as a managed installer) - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) -- [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints. +- [Optional] Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints. -Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. +Note that Configuration Manager does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot. -For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). +For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). ## Deploy custom WDAC policies using Packages/Programs or Task Sequences -Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. +Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index bd792e1029..441c4694e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -42,4 +42,4 @@ When you create policies for use with Windows Defender Application Control (WDAC | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | | **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | | **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) | -| **MEM Configuration Manager** | Customers who use MEM Configuration Manager (MEMCM) can deploy a policy with MEMCM's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | +| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 0435921894..d51eeb7f4d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -34,7 +34,7 @@ ms.technology: windows-sec |-------------|------|-------------| | Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later | | SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
    For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
    Policies deployed through MDM are effective on all SKUs. | -| Management solutions |

    • [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
    • [Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
    • [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
    • PowerShell
    |