Merge pull request #10820 from MicrosoftDocs/main

[AutoPublish] main to live - 04/28 15:31 PDT | 04/29 04:01 IST

windows/client-management/enterprise-app-management.md

@@ -1,11 +1,11 @@
 ---
-title: Enterprise app management
+title: Manage apps
 description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
 ms.topic: article
 ms.date: 07/08/2024
 ---
 
-# Enterprise app management
+# Manage apps
 
 This article discusses one of the key features of Windows' Mobile Device Management (MDM) capabilities: the ability to manage apps' lifecycle on all Windows devices. This includes both Store and non-Store apps, which can be managed natively through MDM.
 

windows/hub/zone-pivot-groups.yml

@@ -16,3 +16,13 @@ groups:
     title: Windows Pro Edu/Education
   - id: windows-ent
     title: Windows Pro/Enterprise
+- id: windows-versions-insider-11-10
+  title: Windows versions
+  prompt: "Select the Windows version you want to learn about:"
+  pivots:
+  - id: windows-insider
+    title: Windows Insider
+  - id: windows-11
+    title: Windows 11
+  - id: windows-10
+    title: Windows 10

windows/security/operating-system-security/data-protection/bitlocker/index.md

@@ -2,7 +2,7 @@
 title: BitLocker overview
 description: Learn about BitLocker practical applications and requirements.
 ms.topic: overview
-ms.date: 12/05/2024
+ms.date: 04/28/2025
 ---
 
 # BitLocker overview
@@ -21,8 +21,8 @@ In *addition* to the TPM, BitLocker can lock the normal startup process until th
 
 On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. This implementation requires the user to either:
 
-- use a startup key, which is a file stored on a removable drive that is used to start the device, or when resuming from hibernation
+- Use a startup key, which is a file stored on a removable drive that is used to start the device, or when resuming from hibernation.
-- use a password. This option isn't secure since it's subject to brute force attacks as there isn't a password lockout logic. As such, the password option is discouraged and disabled by default
+- Use a password. This option isn't secure since it's subject to brute force attacks as there isn't a password lockout logic. As such, the password option is discouraged and disabled by default.
 
 Both options don't provide the preboot system integrity verification offered by BitLocker with a TPM.
 
@@ -53,9 +53,9 @@ Both options don't provide the preboot system integrity verification offered by
 
 BitLocker has the following requirements:
 
-- For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker
+- For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker.
-- A device with a TPM must also have a *Trusted Computing Group* (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the preboot startup, and it must include support for *TCG-specified Static Root of Trust Measurement*. A computer without a TPM doesn't require TCG-compliant firmware
+- A device with a TPM must also have a *Trusted Computing Group* (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the preboot startup, and it must include support for *TCG-specified Static Root of Trust Measurement*. A computer without a TPM doesn't require TCG-compliant firmware.
-- The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class, and reading files on a USB drive in the preboot environment
+- The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class, and reading files on a USB drive in the preboot environment.
 
     > [!NOTE]
     > TPM 2.0 is not supported in *Legacy* and *Compatibility Support Module (CSM)* modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the *secure boot* feature.
@@ -63,12 +63,12 @@ BitLocker has the following requirements:
     > Installed operating system on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt.exe`][WIN-1] before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
 
 - The hard disk must be partitioned with at least two drives:
-  - The *operating system drive* (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system
+  - The *operating system drive* (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system.
   - The *system drive* contains files required to boot, decrypt, and load the operating system. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive:
-    - must not be encrypted
+    - must not be encrypted.
-    - must differ from the operating system drive
+    - must differ from the operating system drive.
-    - must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware
+    - must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware.
-    - it's recommended that to be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
+    - it's recommended that to be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
 
     > [!IMPORTANT]
     > When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
@@ -93,11 +93,11 @@ BitLocker has the following requirements:
 
 Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. When a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use. As part of this preparation, device encryption is initialized on the OS drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up.
 
-- If the device is Microsoft Entra joined or Active Directory domain joined, the clear key is removed once the recovery key is successfully backed up to Microsoft Entra ID or Active Directory Domain Services (AD DS). The following policy settings must be enabled for the recovery key to be backed up: [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
+- If the device is Microsoft Entra joined or Active Directory domain joined, the clear key is removed once the recovery key is successfully backed up to Microsoft Entra ID or Active Directory Domain Services (AD DS). The following policy settings must be enabled for the recovery key to be backed up: [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered).
-  - For Microsoft Entra joined devices: the recovery password is created automatically when the user authenticates to Microsoft Entra ID, then the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed
+  - For Microsoft Entra joined devices: the recovery password is created automatically when the user authenticates to Microsoft Entra ID, then the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed.
-  - For AD DS joined devices: the recovery password is created automatically when the computer joins the domain. The recovery key is then backed up to AD DS, the TPM protector is created, and the clear key is removed
+  - For AD DS joined devices: the recovery password is created automatically when the computer joins the domain. The recovery key is then backed up to AD DS, the TPM protector is created, and the clear key is removed.
-- If the device isn't Microsoft Entra joined or Active Directory domain joined, a Microsoft account with administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user is guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials
+- If the device isn't Microsoft Entra joined or Active Directory domain joined, a Microsoft account with administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user is guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials.
-- If a device uses only local accounts, then it remains unprotected even though the data is encrypted
+- If a device uses only local accounts, then it remains unprotected even though the data is encrypted.
 
 > [!IMPORTANT]
 > Device encryption uses the `XTS-AES 128-bit` encryption method, by default. In case you configure a policy setting to use a different encryption method, you can use the Enrollment Status Page to avoid the device to begin encryption with the default method. BitLocker has a logic that doesn't start encrypting until the end of OOBE, after the Enrollment Status Page device configuration phase is complete. This logic gives a device enough time to receive the BitLocker policy settings before starting encryption.
@@ -112,11 +112,14 @@ You can check whether a device meets requirements for device encryption in the S
 |-|-|
 |Device Encryption Support | Meets prerequisites|
 
+> [!NOTE]
+> If Windows detects user activity during encryption, automatic device encryption might be delayed or temporarily halted; this is particularly true if the device is operating on battery to conserve power.
+
 ### Difference between BitLocker and device encryption
 
-- Device encryption turns on BitLocker automatically on device encryption-qualifying devices, with the recovery key automatically backed up to Microsoft Entra ID, AD DS, or the user's Microsoft account
+- Device encryption turns on BitLocker automatically on device encryption-qualifying devices, with the recovery key automatically backed up to Microsoft Entra ID, AD DS, or the user's Microsoft account.
-- Device encryption adds a device encryption setting in the Settings app, which can be used to turn device encryption on or off
+- Device encryption adds a device encryption setting in the Settings app, which can be used to turn device encryption on or off.
-  - The Settings UI doesn't show device encryption enabled until encryption is complete
+  - The Settings UI doesn't show device encryption enabled until encryption is complete.
 
 :::image type="content" source="images/settings-device-encryption.png" alt-text="Screenshot of the Settings app showing the device encryption panel." border="False":::
 

windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md

@@ -1,29 +1,30 @@
 ---
 title: Available Microsoft Defender SmartScreen settings
 description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-ms.date: 04/15/2025
+ms.date: 04/28/2025
 ms.topic: reference
 ---
 
 # Available Microsoft Defender SmartScreen settings
 
-Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show users a warning page and let them continue to the site, or you can block the site entirely.
+Microsoft Defender SmartScreen respects Intune, Group Policy, and mobile device management (MDM) settings. You can configure Microsoft Defender SmartScreen to block suspicious content entirely, or show users a warning but allow them to continue to load the content.
 
 See [Windows settings to protect devices using Intune](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-smartscreen-settings) for the controls you can use in Intune.
 
-> [!NOTE]
-> For a list of settings available for Enhanced phishing protection, see [Enhanced phishing protection](enhanced-phishing-protection.md#configure-enhanced-phishing-protection-for-your-organization).
-
 ## Group Policy settings
 
 SmartScreen uses registry-based Administrative Template policy settings.
 
 |Setting|Description|
 |---|--- |
-|Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen | This policy setting turns on Microsoft Defender SmartScreen. <br/><br/>If you enable this setting, it turns on Microsoft Defender SmartScreen and your users are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your users or Warn and prevent bypassing the message (effectively blocking the user from the site).<br/><br/>If you disable this setting, it turns off Microsoft Defender SmartScreen and your users are unable to turn it on. <br/><br/>If you don't configure this setting, your users can decide whether to use Microsoft Defender SmartScreen.|
+|Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen | This policy setting controls Microsoft Defender SmartScreen's Application Reputation ("Check apps and files") feature.<br/><br/>If you enable this setting, it turns on Microsoft Defender SmartScreen and your users are unable to turn it off. When enabling this feature, you must pick whether users may choose to ignore warnings and run an unknown or malicious program.<br/><br/>If you disable this setting, it turns off Microsoft Defender SmartScreen and your users are unable to turn it on.<br/><br/>If you don't configure this setting, your users can decide whether to use Microsoft Defender SmartScreen's Application Reputation feature.|
-|Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure App Install Control| This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.<br/><br/>This setting doesn't protect against malicious content from USB devices, network shares, or other non-internet sources.<br/><br/>**Important:**  Using a trustworthy browser helps ensure that these protections work as expected.|
+|Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure App Install Control| This policy setting allows you to control whether users can install downloaded apps from outside of the Microsoft Store.<br/><br/>This setting does not impact opening files from USB devices, local network shares, or other non-internet sources.|
-|Administrative Templates > Windows Components > Windows Defender SmartScreen > Microsoft Edge > Configure Windows Defender SmartScreen | This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your users from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. <br><br>If you enable this setting, Windows Defender SmartScreen is turned on, and users can't turn it off. <br><br>If you disable this setting, Windows Defender SmartScreen is turned off, and users can't turn it on. <br><br>If you don't configure this setting, users can choose whether to use Windows Defender SmartScreen. |
+|Administrative Templates > Microsoft Edge > SmartScreen settings > Configure Microsoft Defender SmartScreen | This policy setting lets you configure Microsoft Defender SmartScreen in the Microsoft Edge web browser. Microsoft Defender SmartScreen provides warning messages to help protect your users from potential phishing sites, tech scams, and malicious software. By default, Microsoft Defender SmartScreen is turned on.<br><br>If you enable this setting, Microsoft Defender SmartScreen is turned on, and users can't turn it off.<br><br>If you disable this setting, Microsoft Defender SmartScreen is turned off, and users can't turn it on. <br><br>If you don't configure this setting, users can choose whether to use Microsoft Defender SmartScreen.|
-|Administrative Templates > Windows Components > Windows Defender SmartScreen > Microsoft Edge > Prevent bypassing Windows Defender SmartScreen prompts for sites | This policy setting lets you decide whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. <br><br>If you enable this setting, users can't ignore Windows Defender SmartScreen warnings and they're blocked from continuing to the site. <br><br>If you disable or don't configure this setting, users can ignore Windows Defender SmartScreen warnings and continue to the site. |
+|Administrative Templates > Microsoft Edge > SmartScreen settings > Prevent bypassing Windows Defender SmartScreen prompts for sites | This policy setting lets you decide whether users can override  Microsoft Defender SmartScreen warnings about potentially malicious websites.<br><br>If you enable this setting, users can't ignore Microsoft Defender SmartScreen warnings and will be blocked from continuing to suspicious sites. <br><br>If you disable or don't configure this setting, users can ignore Microsoft Defender SmartScreen warnings and continue to suspicious sites. |
+|Administrative Templates > Microsoft Edge > SmartScreen settings > Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads | This policy setting lets you decide whether users can override Microsoft Defender SmartScreen warnings about unverified (potentially malicious) downloads.<br><br>If you enable this setting, users can't ignore Microsoft Defender SmartScreen warnings and will be blocked from downloading unverified files. <br><br>If you disable or don't configure this setting, users can ignore Microsoft Defender SmartScreen warnings and download unverified files. |
+
+> [!NOTE]
+> To install the Administrative Templates ADMX file for Microsoft Edge browser policies, see [Configure Microsoft Edge](/deployedge/configure-microsoft-edge).
 
 ## MDM settings
 
@@ -38,15 +39,16 @@ If you manage your policies using Microsoft Intune, use these MDM policy setting
 
 ## Recommended Group Policy and MDM settings for your organization
 
-By default, Microsoft Defender SmartScreen lets users bypass warnings. Unfortunately, this feature can let users continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
+By default, Microsoft Defender SmartScreen allows users to bypass warnings, which allows users to continue to an unsafe site or run an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
 
 To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
 
 | Group Policy setting | Recommendation |
 |--|--|
-| Administrative Templates > Windows Components > Microsoft Edge > Configure Windows Defender SmartScreen | **Enable.**  Turns on Microsoft Defender SmartScreen. |
-| Administrative Templates > Windows Components > Microsoft Edge > Prevent bypassing Windows Defender SmartScreen prompts for sites | **Enable.**  Stops users from ignoring warning messages and continuing to a potentially malicious website. |
 | Administrative Templates > Windows Components > Explorer > Configure Windows Defender SmartScreen | **Enable with the Warn and prevent bypass option.**  Stops users from ignoring warning messages about malicious files downloaded from the Internet. |
+| Administrative Templates > Microsoft Edge > SmartScreen settings > Configure Microsoft Defender SmartScreen | **Enable.**  Turns on Microsoft Defender SmartScreen. |
+| Administrative Templates > Microsoft Edge > Prevent bypassing Windows Defender SmartScreen prompts for sites | **Enable.**  Stops users from ignoring warning messages and continuing to a potentially malicious website. |
+|Administrative Templates > Microsoft Edge > Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads  |**Enable.**  Stops users from ignoring warning messages and downloading an unverified file |
 
 | MDM setting | Recommendation |
 |--|--|
@@ -55,3 +57,6 @@ To better help you protect your organization, we recommend turning on and using
 | Browser/PreventSmartScreenPromptOverrideForFiles | **1.**  Stops users from ignoring warning messages and continuing to download potentially malicious files. |
 | SmartScreen/EnableSmartScreenInShell | **1.**  Turns on Microsoft Defender SmartScreen in Windows.<br/><br/>Requires at least Windows 10, version 1703. |
 | SmartScreen/PreventOverrideForFilesInShell | **1.**  Stops users from ignoring warning messages about malicious files downloaded from the Internet.<br/><br/>Requires at least Windows 10, version 1703. |
+
+> [!NOTE]
+> For a list of settings available for Enhanced phishing protection, see [Enhanced phishing protection](enhanced-phishing-protection.md#configure-enhanced-phishing-protection-for-your-organization).