From 500119aca17a98d6d8789904d9b864a1798477de Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 1 Apr 2024 14:22:25 -0700
Subject: [PATCH 01/29] dep-diracc-8713507
---
windows/whats-new/deprecated-features.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 662ade9a57..f71e20f198 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 03/25/2024
+ms.date: 04/02/2024
ms.service: windows-client
ms.subservice: itpro-fundamentals
ms.localizationpriority: medium
@@ -47,6 +47,7 @@ The features in this article are no longer being actively developed, and might b
| Feature | Details and mitigation | Deprecation announced |
|---|---|---|
+| DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | April 2024 |
| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a users password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
From 5bff88a358c00b09cd53d7bb57c338d8953e4cd5 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Tue, 4 Jun 2024 11:35:41 -0700
Subject: [PATCH 02/29] rm-ga-wufbr
---
.../update/includes/wufb-reports-admin-center-permissions.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index a698c7f33b..e51ed03e62 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -19,7 +19,6 @@ Accessing Windows Update for Business reports typcially requires permissions fro
To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
-- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Microsoft Entra role
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Microsoft Entra role
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Microsoft Entra role
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
From 41330a9c80531a109496c5aaecc31a2c979d2cb4 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 6 Jun 2024 07:21:42 -0400
Subject: [PATCH 03/29] updates to XSDs
---
windows/configuration/assigned-access/xsd.md | 32 ++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/windows/configuration/assigned-access/xsd.md b/windows/configuration/assigned-access/xsd.md
index 209c3fb81d..5db2eacec8 100644
--- a/windows/configuration/assigned-access/xsd.md
+++ b/windows/configuration/assigned-access/xsd.md
@@ -259,7 +259,7 @@ Here's the Assigned Access XSD for the features added in Windows 11, version 21H
## Windows 10, version 1909 additions
-Here's the Assigned Access XSD for the features added in Windows 10, version 1909:
+Here are the Assigned Access XSDs for the features added in Windows 10, version 1909:
```xml
```
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
## Windows 10, version 1809 additions
Here's the Assigned Access XSD for the features added in Windows 10, version 1809:
@@ -331,4 +359,4 @@ Here's the Assigned Access XSD for the features added in Windows 10, version 180
-```
\ No newline at end of file
+```
From d8f7cf6e9cd7f3f6cf46e76f861392ab82d7f0ab Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 6 Jun 2024 07:27:05 -0400
Subject: [PATCH 04/29] removed line
---
windows/configuration/assigned-access/xsd.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/configuration/assigned-access/xsd.md b/windows/configuration/assigned-access/xsd.md
index 5db2eacec8..5cd75dccbe 100644
--- a/windows/configuration/assigned-access/xsd.md
+++ b/windows/configuration/assigned-access/xsd.md
@@ -293,7 +293,6 @@ Here are the Assigned Access XSDs for the features added in Windows 10, version
```
```xml
-
Date: Thu, 6 Jun 2024 09:53:32 -0700
Subject: [PATCH 05/29] Updates from PMs
---
...tial-services-and-connected-experiences.md | 81 ++++++++++---------
1 file changed, 44 insertions(+), 37 deletions(-)
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index 21beba4c56..9e32c8732e 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 06/28/2021
+ms.date: 06/06/2024
ms.collection: highpri
ms.topic: reference
---
@@ -36,42 +36,47 @@ Although enterprise admins can turn off most essential services, we recommend, w
| **Essential service** | **Description** |
| --- | --- |
-|Authentication|The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.
To turn it off, see [Microsoft Account](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#12-microsoft-account).|
+|Authentication|The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and Activity History. Using a work or school account to sign in to Windows enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.
To turn it off, see [Microsoft Account](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#12-microsoft-account).|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
To turn it off, see [Automatic Root Certificates Update](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update).|
-| Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
To turn it off, see [Services Configuration](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration).|
-| Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.
To turn off licensing services, see [License Manager](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#9-license-manager) and [Software Protection Platform](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#19-software-protection-platform).|
-| Networking | Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows devices will lose network connectivity.
To turn off Network Adapters, see [Disable-NetAdapter](/powershell/module/netadapter/disable-netadapter).|
-| Device setup | The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.
To customize the initial setup experience, see [Customize Setup](/windows-hardware/customize/desktop/customize-oobe).|
-| Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft.
To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).|
-| Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.
To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).|
-| Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.
To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).|
|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.
[Learn more about Mobile Device Management](/windows/client-management/mdm-overview) |
+|Device setup | The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.
To customize the initial setup experience, see [Customize Setup](/windows-hardware/customize/desktop/customize-oobe).|
+|Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.
To turn off licensing services, see [License Manager](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#9-license-manager) and [Software Protection Platform](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#19-software-protection-platform).|
+|Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.
To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).|
+|Networking | Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows devices will lose network connectivity.
To turn off Network Adapters, see [Disable-NetAdapter](/powershell/module/netadapter/disable-netadapter).|
+|Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
To turn it off, see [Services Configuration](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration).|
+|Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.
To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).|
## Windows connected experiences
| **Connected experience** | **Description** |
| --- | --- |
-|Activity History|Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user. Synchronization across devices only works when a user signs in with the same account.
To turn it off, see [Activity History](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#1822-activity-history). |
+|Activity History|Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user. Synchronization across devices only works when a user signs in with the same account. This feature is available in versions of Windows released prior to January 2024, and has been discontinued in new versions of Windows.
To turn it off, see [Activity History](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#1822-activity-history). |
+|BitLocker|BitLocker is a Windows security feature that provides encryption for entire device volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.|
|Cloud Clipboard|Cloud Clipboard enables users to copy images and text across all Windows devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.
To turn it off, see [Cloud Clipboard](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#30-cloud-clipboard). |
-| Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
To turn it off, see [Date and Time](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). |
-| Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
To turn it off, see [Delivery Optimization](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). |
-| Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.
To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinput). |
-| Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
To turn it off, see [Find My Device](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). |
-| Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
To turn it off, see [Location services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). |
-| Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
To turn it off, see [Microsoft Defender Antivirus](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender). |
-| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you can't block a website or warn users they may be accessing a malicious site.
To turn it off, see [Microsoft Defender SmartScreen](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen). |
-| OneDrive | OneDrive is a cloud storage system that allows you to save your files and photos, and access them from any device, anywhere.
To turn off OneDrive, see [OneDrive](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#16-onedrive). |
-| Troubleshooting Service | Windows troubleshooting service will automatically fix critical issues like corrupt settings that keep critical services from running. The service will also make adjustments to work with your hardware, or make other specific changes required for Windows to operate with the hardware, apps, and settings you’ve selected. In addition, it will recommend troubleshooting for other problems that aren’t critical to normal Windows operation but might impact your experience.
To turn it off, see [Troubleshooting service](/windows/client-management/mdm/policy-csp-troubleshooting). |
-| Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
To turn it off, see [Speech recognition](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech). |
-| Windows backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.
To turn it off, see [Sync your settings](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-sync-your-settings). |
-| Windows Dashboard Widgets | Windows Dashboard widget is a dynamic view that shows users personalized content like news, weather, their calendar and to-do list, and recent photos. It provides a quick glance view, which allows users to be productive without needing to go to multiple apps or websites. This connected experience is new in Windows 11. |
-| Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://insider.windows.com/).
To turn it off, see [Windows Insider Program](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#7-insider-preview-builds). |
-| Windows Search | Windows Search lets users use the search box on the taskbar to find what they're looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.
To turn it off, see [Windows Search](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search). |
-| Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.
Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.
To turn it off, see [Windows Spotlight](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight). |
+|Custom dictionary|Custom dictionary allows users to get better text suggestions by creating a custom dictionary using the user's typing and handwriting info.|
+|Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
To turn it off, see [Date and Time](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). |
+|Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
To turn it off, see [Delivery Optimization](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). |
+|Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.
To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinput). |
+|Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
To turn it off, see [Find My Device](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). |
+|Get Started|Get Started is an app on Windows 11 to help complete device setup and learn about new features on Windows.|
+|Input Method Editor (IME)|IME is a Windows feature that allows you to type East Asian languages such as Japanese, Chinese Simplified, Chinese Traditional, Korean, Indic, Vietnamese, as well as rule-based languages like Tamil, Adlam, and Osage.|
+|Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
To turn it off, see [Location services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). |
+|Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
To turn it off, see [Microsoft Defender Antivirus](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender). |
+|Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you can't block a website or warn users they may be accessing a malicious site.
To turn it off, see [Microsoft Defender SmartScreen](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen). |
+|Phone Link|Phone Link lets you find your mobile device notifications, messages, photos, mobile app list, and other mobile content from your Windows PC.|
+|Troubleshooting Service | Windows troubleshooting service will automatically fix critical issues like corrupt settings that keep critical services from running. The service will also make adjustments to work with your hardware, or make other specific changes required for Windows to operate with the hardware, apps, and settings you’ve selected. In addition, it will recommend troubleshooting for other problems that aren’t critical to normal Windows operation but might impact your experience.
To turn it off, see [Troubleshooting service](/windows/client-management/mdm/policy-csp-troubleshooting). |
+|Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
To turn it off, see [Speech recognition](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech). |
+|Windows Autopilot|Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. Windows Autopilot can be used to deploy Windows PCs or HoloLens 2 devices. The client experiences that ship as part of Windows are specific to the Out-of-Box Experience (OOBE).|
+|Windows Backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.
To turn it off, see [Sync your settings](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-sync-your-settings). |
+|Windows Dashboard Widgets | Windows Dashboard widget is a dynamic view that shows users personalized content like news, weather, their calendar and to-do list, and recent photos. It provides a quick glance view, which allows users to be productive without needing to go to multiple apps or websites. This connected experience is new in Windows 11. |
+|Windows Hello|Windows Hello includes components for collecting and storing private key credentials for Windows logon. |
+|Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://insider.windows.com/).
To turn it off, see [Windows Insider Program](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#7-insider-preview-builds). |
+|Windows Search | Windows Search lets users use the search box on the taskbar to find what they're looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.
To turn it off, see [Windows Search](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search). |
+|Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.
Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.
To turn it off, see [Windows Spotlight](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight). |
## Microsoft Edge essential services and connected experiences
-Windows ships with Microsoft Edge and Internet Explorer on Windows devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience. You can find details on all of Microsoft Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper). To turn off specific Microsoft Edge feature, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge).
+Windows ships with Microsoft Edge and Internet Explorer on Windows devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience. You can find details on all of Microsoft Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper). To turn off specific Microsoft Edge features, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge).
## IE essential services and connected experiences
@@ -82,29 +87,30 @@ Internet Explorer shares many of the Windows essential services listed above. Th
| **Connected experience** | **Description** |
| --- | --- |
+|Accelerators | Accelerators are menu options in Internet Explorer that help automate common browser-related tasks. In Internet Explorer, when you right-click selected text, Accelerators appear in the list of available options. For example, if you select a word, you can use the "Translate with Bing" Accelerator to obtain a translation of that word. |
|ActiveX Filtering|ActiveX controls are small apps that allow websites to provide content such as videos and games, and let users interact with controls like toolbars and stock tickers. However, these apps can sometimes malfunction, and in some cases, they might be used to collect information from user devices, install software without a user's agreement, or be used to control a device remotely without a user's permission. ActiveX Filtering in Internet Explorer prevents sites from installing and using these apps, which can help keep users safer as they browse, but it can also affect the user experience of certain sites as interactive content might not work when ActiveX Filtering is on. Note: To further enhance security, Internet Explorer also allows you to block out-of-date ActiveX controls. |
+|Address Bar and Search suggestions | With search suggestions enabled, users will be offered suggested search terms as they type in the Address Bar. As users type information, it will be sent to the default search provider. |
+|Auto-complete feature for web addresses | The auto-complete feature suggests possible matches when users are typing web addresses in the browser address bar. |
+|Compatibility logging | This feature is designed for use by developers and IT professionals to determine the compatibility of their websites with Internet Explorer. It's disabled by default and needs to be enabled to start logging Internet Explorer events in the Windows Event Viewer. These events describe failures that might have happened on the site and can include information about specific controls and webpages that failed. |
+|Compatibility View | Compatibility View helps make websites designed for older browsers look better when viewed in Internet Explorer. The compatibility view setting allows you to choose whether an employee can fix website display problems they encounter while browsing. |
+|Flip ahead | Flip ahead enables users to flip through web content quickly by swiping across the page or by clicking forward. When flip ahead is turned on, web browsing history is periodically sent to Microsoft. If you turn off this setting, users will no longer be able swipe across a screen or click forward to go to the next pre-loaded page of a website. |
+|Pinning websites to Start | When a user pins a website to the Start menu, it displays as a tile similar to the way apps are displayed. Like Microsoft Store apps, website tiles might display updates if the website has been designed to do so. For example, an online email website might send updates to the tile indicating how many new messages a user has. |
|Suggested Sites|Suggested Sites is an online experience that recommends websites, images, or videos a user might be interested in. When Suggested Sites is turned on, a user’s web browsing history is periodically sent to Microsoft.|
-| Address Bar and Search suggestions | With search suggestions enabled, users will be offered suggested search terms as they type in the Address Bar. As users type information, it will be sent to the default search provider. |
-| Auto-complete feature for web addresses | The auto-complete feature suggests possible matches when users are typing web addresses in the browser address bar. |
-| Compatibility logging | This feature is designed for use by developers and IT professionals to determine the compatibility of their websites with Internet Explorer. It's disabled by default and needs to be enabled to start logging Internet Explorer events in the Windows Event Viewer. These events describe failures that might have happened on the site and can include information about specific controls and webpages that failed. |
-| Compatibility View | Compatibility View helps make websites designed for older browsers look better when viewed in Internet Explorer. The compatibility view setting allows you to choose whether an employee can fix website display problems they encounter while browsing. |
-| Flip ahead | Flip ahead enables users to flip through web content quickly by swiping across the page or by clicking forward. When flip ahead is turned on, web browsing history is periodically sent to Microsoft. If you turn off this setting, users will no longer be able swipe across a screen or click forward to go to the next pre-loaded page of a website. |
-| Web Slices | A Web Slice enables users to subscribe to and automatically receive updates to content directly within a web page. Disabling the RSS Feeds setting will turn off background synchronization for feeds and Web Slices. |
-| Accelerators | Accelerators are menu options in Internet Explorer that help automate common browser-related tasks. In Internet Explorer, when you right-click selected text, Accelerators appear in the list of available options. For example, if you select a word, you can use the "Translate with Bing" Accelerator to obtain a translation of that word. |
-| Pinning websites to Start | When a user pins a website to the Start menu, it displays as a tile similar to the way apps are displayed. Like Microsoft Store apps, website tiles might display updates if the website has been designed to do so. For example, an online email website might send updates to the tile indicating how many new messages a user has. |
+|Web Slices | A Web Slice enables users to subscribe to and automatically receive updates to content directly within a web page. Disabling the RSS Feeds setting will turn off background synchronization for feeds and Web Slices. |
## Related links
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-- [Connected Experiences in Office](/deployoffice/privacy/connected-experiences)
-- [Essential Services in Office](/deployoffice/privacy/essential-services)
+- [Connected experiences in Office](/deployoffice/privacy/connected-experiences)
+- [Essential services for Office](/deployoffice/privacy/essential-services)
To view endpoints for Windows Enterprise, see:
- [Manage connection endpoints for Windows 11](manage-windows-11-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md)
- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md)
- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints.md)
+- [Manage connection endpoints for Windows 10 version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
@@ -114,6 +120,7 @@ To view endpoints for non-Enterprise Windows editions, see:
- [Windows 11 connection endpoints for non-Enterprise editions](windows-11-endpoints-non-enterprise-editions.md)
- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](windows-endpoints-20H2-non-enterprise-editions.md)
+- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
From 73978f4f57001bff5f2e7656bb1971ac23d48376 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 6 Jun 2024 10:25:48 -0700
Subject: [PATCH 06/29] Update some links
---
...tial-services-and-connected-experiences.md | 36 ++++++++++---------
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index 9e32c8732e..178eec3ccb 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -40,11 +40,11 @@ Although enterprise admins can turn off most essential services, we recommend, w
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
To turn it off, see [Automatic Root Certificates Update](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update).|
|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.
[Learn more about Mobile Device Management](/windows/client-management/mdm-overview) |
|Device setup | The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.
To customize the initial setup experience, see [Customize Setup](/windows-hardware/customize/desktop/customize-oobe).|
-|Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.
To turn off licensing services, see [License Manager](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#9-license-manager) and [Software Protection Platform](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#19-software-protection-platform).|
-|Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.
To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).|
+|Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.
To turn off licensing services, see [License Manager](manage-connections-from-windows-operating-system-components-to-microsoft-services#9-license-manager) and [Software Protection Platform](manage-connections-from-windows-operating-system-components-to-microsoft-services#19-software-protection-platform).|
+|Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.
To turn it off, see [Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).|
|Networking | Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows devices will lose network connectivity.
To turn off Network Adapters, see [Disable-NetAdapter](/powershell/module/netadapter/disable-netadapter).|
-|Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
To turn it off, see [Services Configuration](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration).|
-|Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.
To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).|
+|Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
To turn it off, see [Services Configuration](manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration).|
+|Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.
To turn off updates, see [Windows Update](manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device metadata retrieval](manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font streaming](manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).|
## Windows connected experiences
@@ -54,29 +54,31 @@ Although enterprise admins can turn off most essential services, we recommend, w
|BitLocker|BitLocker is a Windows security feature that provides encryption for entire device volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.|
|Cloud Clipboard|Cloud Clipboard enables users to copy images and text across all Windows devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.
To turn it off, see [Cloud Clipboard](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#30-cloud-clipboard). |
|Custom dictionary|Custom dictionary allows users to get better text suggestions by creating a custom dictionary using the user's typing and handwriting info.|
-|Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
To turn it off, see [Date and Time](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). |
-|Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
To turn it off, see [Delivery Optimization](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). |
+|Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
To turn it off, see [Date and Time](manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). |
+|Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
To turn it off, see [Delivery Optimization](manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). |
|Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.
To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinput). |
-|Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
To turn it off, see [Find My Device](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). |
+|Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
To turn it off, see [Find My Device](manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). |
|Get Started|Get Started is an app on Windows 11 to help complete device setup and learn about new features on Windows.|
|Input Method Editor (IME)|IME is a Windows feature that allows you to type East Asian languages such as Japanese, Chinese Simplified, Chinese Traditional, Korean, Indic, Vietnamese, as well as rule-based languages like Tamil, Adlam, and Osage.|
-|Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
To turn it off, see [Location services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). |
-|Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
To turn it off, see [Microsoft Defender Antivirus](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender). |
-|Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you can't block a website or warn users they may be accessing a malicious site.
To turn it off, see [Microsoft Defender SmartScreen](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen). |
+|Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
To turn it off, see [Location services](manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). |
+|Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
To turn it off, see [Microsoft Defender Antivirus](manage-connections-from-windows-operating-system-components-to-microsoft-services#24-microsoft-defender-antivirus). |
+|Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you can't block a website or warn users they may be accessing a malicious site.
To turn it off, see [Microsoft Defender SmartScreen](manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen). |
|Phone Link|Phone Link lets you find your mobile device notifications, messages, photos, mobile app list, and other mobile content from your Windows PC.|
|Troubleshooting Service | Windows troubleshooting service will automatically fix critical issues like corrupt settings that keep critical services from running. The service will also make adjustments to work with your hardware, or make other specific changes required for Windows to operate with the hardware, apps, and settings you’ve selected. In addition, it will recommend troubleshooting for other problems that aren’t critical to normal Windows operation but might impact your experience.
To turn it off, see [Troubleshooting service](/windows/client-management/mdm/policy-csp-troubleshooting). |
-|Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
To turn it off, see [Speech recognition](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech). |
+|Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
To turn it off, see [Speech recognition](manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech). |
|Windows Autopilot|Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. Windows Autopilot can be used to deploy Windows PCs or HoloLens 2 devices. The client experiences that ship as part of Windows are specific to the Out-of-Box Experience (OOBE).|
-|Windows Backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.
To turn it off, see [Sync your settings](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-sync-your-settings). |
+|Windows Backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.
To turn it off, see [Sync your settings](manage-connections-from-windows-operating-system-components-to-microsoft-services#21-sync-your-settings). |
|Windows Dashboard Widgets | Windows Dashboard widget is a dynamic view that shows users personalized content like news, weather, their calendar and to-do list, and recent photos. It provides a quick glance view, which allows users to be productive without needing to go to multiple apps or websites. This connected experience is new in Windows 11. |
|Windows Hello|Windows Hello includes components for collecting and storing private key credentials for Windows logon. |
-|Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://insider.windows.com/).
To turn it off, see [Windows Insider Program](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#7-insider-preview-builds). |
-|Windows Search | Windows Search lets users use the search box on the taskbar to find what they're looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.
To turn it off, see [Windows Search](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search). |
-|Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.
Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.
To turn it off, see [Windows Spotlight](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight). |
+|Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://www.microsoft.com/windowsinsider/).
To turn it off, see [Windows Insider Program](manage-connections-from-windows-operating-system-components-to-microsoft-services#7-insider-preview-builds). |
+|Windows Search | Windows Search lets users use the search box on the taskbar to find what they're looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.
To turn it off, see [Windows Search](manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search). |
+|Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.
Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.
To turn it off, see [Windows Spotlight](manage-connections-from-windows-operating-system-components-to-microsoft-services#25-personalized-experiences). |
## Microsoft Edge essential services and connected experiences
-Windows ships with Microsoft Edge and Internet Explorer on Windows devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience. You can find details on all of Microsoft Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper). To turn off specific Microsoft Edge features, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge).
+Windows ships with Microsoft Edge and Internet Explorer on Windows devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience.
+
+You can find details on all of Microsoft Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper). To turn off specific Microsoft Edge features, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge).
## IE essential services and connected experiences
@@ -98,7 +100,7 @@ Internet Explorer shares many of the Windows essential services listed above. Th
|Suggested Sites|Suggested Sites is an online experience that recommends websites, images, or videos a user might be interested in. When Suggested Sites is turned on, a user’s web browsing history is periodically sent to Microsoft.|
|Web Slices | A Web Slice enables users to subscribe to and automatically receive updates to content directly within a web page. Disabling the RSS Feeds setting will turn off background synchronization for feeds and Web Slices. |
-## Related links
+## Related articles
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
- [Connected experiences in Office](/deployoffice/privacy/connected-experiences)
From d5408f04a20e02afa598914331829f5e1694c77d Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 6 Jun 2024 10:35:28 -0700
Subject: [PATCH 07/29] Fix link formatting (missing .md)
---
...tial-services-and-connected-experiences.md | 30 +++++++++----------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index 178eec3ccb..6d314f9b80 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -40,11 +40,11 @@ Although enterprise admins can turn off most essential services, we recommend, w
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
To turn it off, see [Automatic Root Certificates Update](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update).|
|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.
[Learn more about Mobile Device Management](/windows/client-management/mdm-overview) |
|Device setup | The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.
To customize the initial setup experience, see [Customize Setup](/windows-hardware/customize/desktop/customize-oobe).|
-|Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.
To turn off licensing services, see [License Manager](manage-connections-from-windows-operating-system-components-to-microsoft-services#9-license-manager) and [Software Protection Platform](manage-connections-from-windows-operating-system-components-to-microsoft-services#19-software-protection-platform).|
-|Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.
To turn it off, see [Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).|
+|Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.
To turn off licensing services, see [License Manager](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager) and [Software Protection Platform](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#19-software-protection-platform).|
+|Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.
To turn it off, see [Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store).|
|Networking | Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows devices will lose network connectivity.
To turn off Network Adapters, see [Disable-NetAdapter](/powershell/module/netadapter/disable-netadapter).|
-|Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
To turn it off, see [Services Configuration](manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration).|
-|Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.
To turn off updates, see [Windows Update](manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device metadata retrieval](manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font streaming](manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).|
+|Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
To turn it off, see [Services Configuration](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#31-services-configuration).|
+|Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.
To turn off updates, see [Windows Update](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#29-windows-update), [Device metadata retrieval](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval), and [Font streaming](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming).|
## Windows connected experiences
@@ -54,25 +54,25 @@ Although enterprise admins can turn off most essential services, we recommend, w
|BitLocker|BitLocker is a Windows security feature that provides encryption for entire device volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.|
|Cloud Clipboard|Cloud Clipboard enables users to copy images and text across all Windows devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.
To turn it off, see [Cloud Clipboard](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#30-cloud-clipboard). |
|Custom dictionary|Custom dictionary allows users to get better text suggestions by creating a custom dictionary using the user's typing and handwriting info.|
-|Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
To turn it off, see [Date and Time](manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). |
-|Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
To turn it off, see [Delivery Optimization](manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). |
+|Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
To turn it off, see [Date and Time](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#3-date--time). |
+|Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
To turn it off, see [Delivery Optimization](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#28-delivery-optimization). |
|Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.
To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinput). |
-|Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
To turn it off, see [Find My Device](manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). |
+|Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
To turn it off, see [Find My Device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#5-find-my-device). |
|Get Started|Get Started is an app on Windows 11 to help complete device setup and learn about new features on Windows.|
|Input Method Editor (IME)|IME is a Windows feature that allows you to type East Asian languages such as Japanese, Chinese Simplified, Chinese Traditional, Korean, Indic, Vietnamese, as well as rule-based languages like Tamil, Adlam, and Osage.|
-|Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
To turn it off, see [Location services](manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). |
-|Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
To turn it off, see [Microsoft Defender Antivirus](manage-connections-from-windows-operating-system-components-to-microsoft-services#24-microsoft-defender-antivirus). |
-|Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you can't block a website or warn users they may be accessing a malicious site.
To turn it off, see [Microsoft Defender SmartScreen](manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen). |
+|Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
To turn it off, see [Location services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#182-location). |
+|Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
To turn it off, see [Microsoft Defender Antivirus](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#24-microsoft-defender-antivirus). |
+|Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you can't block a website or warn users they may be accessing a malicious site.
To turn it off, see [Microsoft Defender SmartScreen](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#241-microsoft-defender-smartscreen). |
|Phone Link|Phone Link lets you find your mobile device notifications, messages, photos, mobile app list, and other mobile content from your Windows PC.|
|Troubleshooting Service | Windows troubleshooting service will automatically fix critical issues like corrupt settings that keep critical services from running. The service will also make adjustments to work with your hardware, or make other specific changes required for Windows to operate with the hardware, apps, and settings you’ve selected. In addition, it will recommend troubleshooting for other problems that aren’t critical to normal Windows operation but might impact your experience.
To turn it off, see [Troubleshooting service](/windows/client-management/mdm/policy-csp-troubleshooting). |
-|Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
To turn it off, see [Speech recognition](manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech). |
+|Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
To turn it off, see [Speech recognition](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#186-speech). |
|Windows Autopilot|Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. Windows Autopilot can be used to deploy Windows PCs or HoloLens 2 devices. The client experiences that ship as part of Windows are specific to the Out-of-Box Experience (OOBE).|
-|Windows Backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.
To turn it off, see [Sync your settings](manage-connections-from-windows-operating-system-components-to-microsoft-services#21-sync-your-settings). |
+|Windows Backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.
To turn it off, see [Sync your settings](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#21-sync-your-settings). |
|Windows Dashboard Widgets | Windows Dashboard widget is a dynamic view that shows users personalized content like news, weather, their calendar and to-do list, and recent photos. It provides a quick glance view, which allows users to be productive without needing to go to multiple apps or websites. This connected experience is new in Windows 11. |
|Windows Hello|Windows Hello includes components for collecting and storing private key credentials for Windows logon. |
-|Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://www.microsoft.com/windowsinsider/).
To turn it off, see [Windows Insider Program](manage-connections-from-windows-operating-system-components-to-microsoft-services#7-insider-preview-builds). |
-|Windows Search | Windows Search lets users use the search box on the taskbar to find what they're looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.
To turn it off, see [Windows Search](manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search). |
-|Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.
Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.
To turn it off, see [Windows Spotlight](manage-connections-from-windows-operating-system-components-to-microsoft-services#25-personalized-experiences). |
+|Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://www.microsoft.com/windowsinsider/).
To turn it off, see [Windows Insider Program](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#7-insider-preview-builds). |
+|Windows Search | Windows Search lets users use the search box on the taskbar to find what they're looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.
To turn it off, see [Windows Search](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search). |
+|Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.
Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.
To turn it off, see [Windows Spotlight](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#25-personalized-experiences). |
## Microsoft Edge essential services and connected experiences
From 8e0acc3b585420bef95b7d8551476c9ab2b2cb24 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Jun 2024 07:47:11 -0700
Subject: [PATCH 08/29] update CM branding
---
windows/deployment/update/update-other-microsoft-products.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/update-other-microsoft-products.md b/windows/deployment/update/update-other-microsoft-products.md
index 0d05bd2cd3..f4d26b82ec 100644
--- a/windows/deployment/update/update-other-microsoft-products.md
+++ b/windows/deployment/update/update-other-microsoft-products.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 03/14/2024
+ms.date: 06/07/2024
---
# Update other Microsoft products
@@ -44,6 +44,7 @@ The following is a list of other Microsoft products that might be updated:
- Microsoft Advanced Threat Analytics
- Microsoft Application Virtualization
- Microsoft Azure StorSimple
+- Microsoft Configuration Manager
- Microsoft Dynamics CRM
- Microsoft Information Protection
- Microsoft Lync Server and Microsoft Lync
@@ -59,7 +60,6 @@ The following is a list of other Microsoft products that might be updated:
- Skype for Business
- SQL
- System Center Application Controller
-- System Center Configuration Manager
- System Center Data Protection Manager
- System Center Operations Manager
- System Center Orchestrator
From 1a1160df1a5aa794ce507060202c5355f4ee2076 Mon Sep 17 00:00:00 2001
From: "Vinay Pamnani (from Dev Box)"
Date: Fri, 7 Jun 2024 09:44:34 -0600
Subject: [PATCH 09/29] Address UUF feedback
---
windows/client-management/client-tools/quick-assist.md | 6 +++---
.../applocker/rule-collection-extensions.md | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md
index 496dfd0024..397791e335 100644
--- a/windows/client-management/client-tools/quick-assist.md
+++ b/windows/client-management/client-tools/quick-assist.md
@@ -20,7 +20,7 @@ Quick Assist is an application that enables a person to share their [Windows](#i
## Before you begin
-All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
+All you need to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
### Authentication
@@ -99,7 +99,7 @@ In some scenarios, the helper does require the sharer to respond to application
### Install Quick Assist from the Microsoft Store
1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5).
-1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, **Get** changes to **Open**. :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner.":::
+1. In the Microsoft Store, select **View in store**, then install Quick Assist. When the installation is complete, **Install** changes to **Open**.
For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca).
@@ -113,7 +113,7 @@ To install Quick Assist offline, you need to download your APPXBUNDLE and unenco
1. Start **Windows PowerShell** with Administrative privileges
1. In PowerShell, change the directory to the location where you saved the file in step 1: `cd `
-1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
+1. To install Quick Assist, run the following command: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
1. After Quick Assist is installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`
### Microsoft Edge WebView2
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md
index 4b31cb39d6..f8756d82ac 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md
@@ -6,7 +6,7 @@ ms.collection:
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 12/23/2023
+ms.date: 06/07/2024
---
# AppLocker rule collection extensions
@@ -35,4 +35,4 @@ To apply AppLocker policy to nonuser processes, set ```` in the ```` section as shown in the preceding XML fragment.
+When using AppLocker to control nonuser processes, your policy must allow all Windows system code or your device might behave unexpectedly. To automatically allow all system code that is part of Windows, set ```` in the ```` section as shown in the preceding XML fragment.
From f5963a72d6d52a21a2288d695257b9a539663828 Mon Sep 17 00:00:00 2001
From: "Vinay Pamnani (from Dev Box)"
Date: Fri, 7 Jun 2024 10:13:34 -0600
Subject: [PATCH 10/29] Update ms.topic
---
.../diagnose-provisioning-packages.md | 2 +-
...can-use-configuration-service-providers.md | 2 +-
.../provision-pcs-for-initial-deployment.md | 2 +-
.../provision-pcs-with-apps.md | 2 +-
.../provisioning-apply-package.md | 2 +-
.../provisioning-command-line.md | 2 +-
.../provisioning-create-package.md | 2 +-
.../provisioning-how-it-works.md | 2 +-
.../provisioning-install-icd.md | 2 +-
.../provisioning-multivariant.md | 2 +-
.../provisioning-packages.md | 2 +-
.../provisioning-powershell.md | 2 +-
.../provisioning-script-to-install-app.md | 2 +-
.../provisioning-uninstall-package.md | 2 +-
...nd-windows-defender-application-control.md | 2 +-
...perational-guide-appid-tagging-policies.md | 22 +++++-----
.../deploy-appid-tagging-policies.md | 2 +-
.../design-create-appid-tagging-policies.md | 28 ++++++-------
.../AppIdTagging/wdac-appid-tagging-guide.md | 10 ++---
.../deployment/audit-wdac-policies.md | 2 +-
...deploy-wdac-policies-using-group-policy.md | 2 +-
.../deploy-wdac-policies-with-script.md | 2 +-
.../deployment/disable-wdac-policies.md | 2 +-
.../deployment/enforce-wdac-policies.md | 2 +-
.../deployment/merge-wdac-policies.md | 2 +-
...-com-object-registration-in-wdac-policy.md | 6 +--
.../design/common-wdac-use-cases.md | 4 +-
...-apps-deployed-with-a-managed-installer.md | 8 ++--
.../design/create-wdac-deny-policy.md | 2 +-
...te-wdac-policy-using-reference-computer.md | 2 +-
.../design/deploy-multiple-wdac-policies.md | 2 +-
.../design/manage-packaged-apps-with-wdac.md | 2 +-
...icrosoft-recommended-driver-block-rules.md | 2 +-
.../design/plan-wdac-management.md | 4 +-
.../design/script-enforcement.md | 2 +-
.../design/select-types-of-rules-to-create.md | 2 +-
...understand-wdac-policy-design-decisions.md | 8 ++--
.../understanding-wdac-policy-settings.md | 2 +-
...l-specific-plug-ins-add-ins-and-modules.md | 4 +-
...se-wdac-with-intelligent-security-graph.md | 42 +++++++++----------
.../design/wdac-and-dotnet.md | 6 +--
.../operations/event-tag-explanations.md | 2 +-
.../operations/inbox-wdac-policies.md | 2 +-
.../operations/known-issues.md | 6 +--
...events-centrally-using-advanced-hunting.md | 6 +--
.../wdac-and-applocker-overview.md | 2 +-
.../windows-sandbox-architecture.md | 2 +-
...indows-sandbox-configure-using-wsb-file.md | 2 +-
.../windows-sandbox-overview.md | 2 +-
.../mbsa-removal-and-guidance.md | 2 +-
.../wdsc-account-protection.md | 2 +-
.../wdsc-app-browser-control.md | 2 +-
.../wdsc-customize-contact-information.md | 2 +-
.../wdsc-device-performance-health.md | 2 +-
.../wdsc-device-security.md | 2 +-
.../wdsc-family-options.md | 2 +-
.../wdsc-firewall-network-protection.md | 2 +-
.../wdsc-hide-notifications.md | 2 +-
.../wdsc-virus-threat-protection.md | 2 +-
.../windows-defender-security-center.md | 2 +-
...iew-of-threat-mitigations-in-windows-10.md | 2 +-
61 files changed, 125 insertions(+), 125 deletions(-)
diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
index 7efc313edb..53a0f7861e 100644
--- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
@@ -1,7 +1,7 @@
---
title: Diagnose Provisioning Packages
description: Diagnose general failures in provisioning.
-ms.topic: article
+ms.topic: troubleshooting
ms.date: 01/18/2023
---
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index e88f25ff70..a535175bf7 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -1,7 +1,7 @@
---
title: Configuration service providers for IT pros
description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices.
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 7d869e903f..97dec0c215 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -1,7 +1,7 @@
---
title: Provision PCs with common settings
description: Create a provisioning package to apply common settings to a PC running Windows 10.
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index 99f20c85aa..fd7134875e 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -1,7 +1,7 @@
---
title: Provision PCs with apps
description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index d4e5be28f7..2f8bb266e1 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -1,7 +1,7 @@
---
title: Apply a provisioning package
description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime).
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
index 9ebacde2fb..686b79ac68 100644
--- a/windows/configuration/provisioning-packages/provisioning-command-line.md
+++ b/windows/configuration/provisioning-packages/provisioning-command-line.md
@@ -1,7 +1,7 @@
---
title: Windows Configuration Designer command-line interface
description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices.
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index d09f0ee4b9..0824710f19 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -1,7 +1,7 @@
---
title: Create a provisioning package
description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image.
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index dc714cbc36..24c02a6557 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -1,7 +1,7 @@
---
title: How provisioning works in Windows 10/11
description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings.
-ms.topic: article
+ms.topic: conceptual
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index bfb515538f..9b572cde75 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -1,7 +1,7 @@
---
title: Install Windows Configuration Designer
description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
-ms.topic: article
+ms.topic: how-to
ms.reviewer: kevinsheehan
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index 64da06a98c..6ecb125be7 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -1,7 +1,7 @@
---
title: Create a provisioning package with multivariant settings
description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions.
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 13e86abb25..050fc24beb 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -2,7 +2,7 @@
title: Provisioning packages overview
description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
ms.reviewer: kevinsheehan
-ms.topic: article
+ms.topic: conceptual
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md
index 4c938d7786..e5e7ea6019 100644
--- a/windows/configuration/provisioning-packages/provisioning-powershell.md
+++ b/windows/configuration/provisioning-packages/provisioning-powershell.md
@@ -1,7 +1,7 @@
---
title: PowerShell cmdlets for provisioning Windows 10/11
description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices.
-ms.topic: article
+ms.topic: conceptual
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index 199616a94e..c9aff98df4 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -1,7 +1,7 @@
---
title: Use a script to install a desktop app in provisioning packages
description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
-ms.topic: article
+ms.topic: how-to
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
index 9a75ffc29b..6615407051 100644
--- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
@@ -1,7 +1,7 @@
---
title: Uninstall a provisioning package - reverted settings
description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices.
-ms.topic: article
+ms.topic: conceptual
ms.date: 12/31/2017
---
diff --git a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 05fed4e21e..239ddd052c 100644
--- a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -6,7 +6,7 @@ author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.date: 03/26/2024
-ms.topic: article
+ms.topic: conceptual
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
index b8552a63ca..1507fc348c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
@@ -3,7 +3,7 @@ title: Testing and Debugging AppId Tagging Policies
description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully.
ms.localizationpriority: medium
ms.date: 04/29/2022
-ms.topic: article
+ms.topic: troubleshooting
---
# Testing and Debugging AppId Tagging Policies
@@ -11,28 +11,28 @@ ms.topic: article
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
+After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../operations/event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
## Verifying Tags on Running Processes
-After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since Windows Defender Application Control (WDAC) can only tag processes created after the policy has been deployed.
+After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since Windows Defender Application Control (WDAC) can only tag processes created after the policy has been deployed.
-1. Download and Install the Windows Debugger
+1. Download and Install the Windows Debugger
- [Microsoft's WinDbg Preview application](https://www.microsoft.com/store/productId/9PGJGD53TN86) can be downloaded from the Store and used to verify tags on running processes.
+ [Microsoft's WinDbg Preview application](https://www.microsoft.com/store/productId/9PGJGD53TN86) can be downloaded from the Store and used to verify tags on running processes.
2. Get the Process ID (PID) of the process under validation
- Using Task Manager, or an equivalent process monitoring tool, locate the PID of the process you wish to inspect. In the example below, we've located the PID for the running process for Microsoft Edge to be 2260. The PID will be used in the next step.
+ Using Task Manager, or an equivalent process monitoring tool, locate the PID of the process you wish to inspect. In the example below, we've located the PID for the running process for Microsoft Edge to be 2260. The PID will be used in the next step.
- 
+ 
3. Use WinDbg to inspect the process
- After opening WinDbg. select File followed by `Attach to Process`, and select the process with the PID identified in the step prior. Finally, select `Attach` to connect to the process.
+ After opening WinDbg. select File followed by `Attach to Process`, and select the process with the PID identified in the step prior. Finally, select `Attach` to connect to the process.
- 
+ 
- Lastly, in the textbox, type `!token` and then press the Enter key to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, and its corresponding value in the Value[0] field.
+ Lastly, in the textbox, type `!token` and then press the Enter key to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, and its corresponding value in the Value[0] field.
- 
+ 
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index e8af7434cc..7f0824cace 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -3,7 +3,7 @@ title: Deploying Windows Defender Application Control AppId tagging policies
description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment.
ms.localizationpriority: medium
ms.date: 04/29/2022
-ms.topic: article
+ms.topic: conceptual
---
# Deploying Windows Defender Application Control AppId tagging policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
index a677075cdb..4b7e1e6b2f 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
@@ -3,7 +3,7 @@ title: Create your Windows Defender Application Control AppId Tagging Policies
description: Create your Windows Defender Application Control AppId tagging policies for Windows devices.
ms.localizationpriority: medium
ms.date: 04/29/2022
-ms.topic: article
+ms.topic: conceptual
---
# Creating your WDAC AppId Tagging Policies
@@ -17,12 +17,12 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
1. Create a new base policy using the templates:
- Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
+ Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The following example shows beginning with the [Default Windows Mode](../design/wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules.
-
+
> [!NOTE]
- > If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates.
+ > If your AppId Tagging Policy does build off the base templates or does not allow Windows in-box processes, you will notice significant performance regressions, especially during boot. For this reason, it is strongly recommended to build off the base templates.
For more information on the issue, see the [AppId Tagging Known Issue](../operations/known-issues.md#slow-boot-and-performance-with-custom-policies).
2. Set the following rule-options using the Wizard toggles:
@@ -31,13 +31,13 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
3. Create custom rules:
- Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules:
+ Selecting the `+ Custom Rules` button opens the Custom Rules panel. The Wizard supports five types of file rules:
- - Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security.
- - Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards.
+ - Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security.
+ - Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards.
- File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name.
- Package app name rules: Create a rule based off the package family name of an appx/msix.
- - Hash rules: Create a rule based off the PE Authenticode hash of a file.
+ - Hash rules: Create a rule based off the PE Authenticode hash of a file.
For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../design/wdac-wizard-create-base-policy.md#creating-custom-file-rules).
@@ -48,9 +48,9 @@ You can use the Windows Defender Application Control (WDAC) Wizard and the Power
```powershell
Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue"
```
- The policyID GUID is returned by the PowerShell command if successful.
+ The policyID GUID is returned by the PowerShell command if successful.
-## Create the policy using PowerShell
+## Create the policy using PowerShell
Using this method, you create an AppId Tagging policy directly using the WDAC PowerShell commands. These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](wdac-appid-tagging-guide.md). In an elevate PowerShell instance:
@@ -72,20 +72,20 @@ Using this method, you create an AppId Tagging policy directly using the WDAC Po
Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection
```
- If you're using filepath rules, you may want to set option 18. Otherwise, there's no need.
-
+ If you're using filepath rules, you may want to set option 18. Otherwise, there's no need.
+
4. Set the name and ID on the policy, which is helpful for future debugging:
```powershell
Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml"
```
- The policyID GUID is returned by the PowerShell command if successful.
+ The policyID GUID is returned by the PowerShell command if successful.
## Deploy for Local Testing
After creating your AppId Tagging policy in the above steps, you can deploy the policy to your local machine for testing before broadly deploying the policy to your endpoints:
-1. Depending on your deployment method, convert the xml to binary:
+1. Depending on your deployment method, convert the xml to binary:
```powershell
Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip"
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md
index 2d94e08d99..c7ba6859ae 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md
@@ -3,7 +3,7 @@ title: Designing, creating, managing and troubleshooting Windows Defender Applic
description: How to design, create, manage and troubleshoot your WDAC AppId Tagging policies
ms.localizationpriority: medium
ms.date: 04/27/2022
-ms.topic: article
+ms.topic: conceptual
---
# WDAC Application ID (AppId) Tagging guide
@@ -13,17 +13,17 @@ ms.topic: article
## AppId Tagging Feature Overview
-The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), does not control whether applications will run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy will receive the tag while failing applications won't.
+The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), does not control whether applications will run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy will receive the tag while failing applications won't.
## AppId Tagging Feature Availability
-The WDAC AppId Tagging feature is available on the following versions of the Windows platform:
+The WDAC AppId Tagging feature is available on the following versions of the Windows platform:
-Client:
+Client:
- Windows 10 20H1, 20H2 and 21H1 versions only
- Windows 11
-Server:
+Server:
- Windows Server 2022
## In this section
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/audit-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/audit-wdac-policies.md
index 98ac6cf37d..fa463a999a 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/audit-wdac-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/audit-wdac-policies.md
@@ -3,7 +3,7 @@ title: Use audit events to create WDAC policy rules
description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.
ms.localizationpriority: medium
ms.date: 05/03/2018
-ms.topic: article
+ms.topic: conceptual
---
# Use audit events to create WDAC policy rules
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-group-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-group-policy.md
index aed9b36b5b..78a686dada 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-group-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-group-policy.md
@@ -3,7 +3,7 @@ title: Deploy WDAC policies via Group Policy
description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide.
ms.localizationpriority: medium
ms.date: 01/23/2023
-ms.topic: article
+ms.topic: how-to
---
# Deploy Windows Defender Application Control policies by using Group Policy
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index a96124b086..6910b03b04 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -3,7 +3,7 @@ title: Deploy Windows Defender Application Control (WDAC) policies using script
description: Use scripts to deploy Windows Defender Application Control (WDAC) policies. Learn how with this step-by-step guide.
ms.manager: jsuther
ms.date: 01/23/2023
-ms.topic: article
+ms.topic: how-to
ms.localizationpriority: medium
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies.md
index 5c4d60cfa8..2685a6db1d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies.md
@@ -3,7 +3,7 @@ title: Remove Windows Defender Application Control policies
description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
ms.localizationpriority: medium
ms.date: 11/04/2022
-ms.topic: article
+ms.topic: how-to
---
# Remove Windows Defender Application Control (WDAC) policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/enforce-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/enforce-wdac-policies.md
index 9000c01d85..07bc66c51a 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/enforce-wdac-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/enforce-wdac-policies.md
@@ -3,7 +3,7 @@ title: Enforce Windows Defender Application Control (WDAC) policies
description: Learn how to switch a WDAC policy from audit to enforced mode.
ms.manager: jsuther
ms.date: 04/22/2021
-ms.topic: article
+ms.topic: how-to
ms.localizationpriority: medium
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/merge-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/merge-wdac-policies.md
index 20bf91ea2a..d1b96ca2d6 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/merge-wdac-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/merge-wdac-policies.md
@@ -3,7 +3,7 @@ title: Merge Windows Defender Application Control policies (WDAC)
description: Learn how to merge WDAC policies as part of your policy lifecycle management.
ms.manager: jsuther
ms.date: 04/22/2021
-ms.topic: article
+ms.topic: how-to
ms.localizationpriority: medium
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/allow-com-object-registration-in-wdac-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/design/allow-com-object-registration-in-wdac-policy.md
index ad1b478b40..fc9395851d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/allow-com-object-registration-in-wdac-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/allow-com-object-registration-in-wdac-policy.md
@@ -3,7 +3,7 @@ title: Allow COM object registration in a WDAC policy
description: You can allow COM object registration in a Windows Defender Application Control policy.
ms.localizationpriority: medium
ms.date: 04/05/2023
-ms.topic: article
+ms.topic: how-to
---
# Allow COM object registration in a Windows Defender Application Control policy
@@ -153,11 +153,11 @@ The table that follows describes the list of COM objects that are inherently tru
| scrrun.dll | 0D43FE01-F093-11CF-8940-00A0C9054228 |
| vbscript.dll | 3F4DACA4-160D-11D2-A8E9-00104B365C9F |
| WEX.Logger.Log | 70B46225-C474-4852-BB81-48E0D36F9A5A |
-| TE.Common.TestData | 1d68f3c0-b5f8-4abd-806a-7bc57cdce35a |
+| TE.Common.TestData | 1d68f3c0-b5f8-4abd-806a-7bc57cdce35a |
| TE.Common.RuntimeParameters | 9f3d4048-6028-4c5b-a92d-01bc977af600 |
| TE.Common.Verify | e72cbabf-8e48-4d27-b14e-1f347f6ec71a |
| TE.Common.Interruption | 5850ba6f-ce72-46d4-a29b-0d3d9f08cc0b |
-| msxml6.dll | 2933BF90-7B36-11d2-B20E-00C04F983E60 |
+| msxml6.dll | 2933BF90-7B36-11d2-B20E-00C04F983E60 |
| msxml6.dll | ED8C108E-4349-11D2-91A4-00C04F7969E8 |
| mmcndmgr.dll | ADE6444B-C91F-4E37-92A4-5BB430A33340 |
| puiobj.dll | B021FF57-A928-459C-9D6C-14DED0C9BED2 |
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/common-wdac-use-cases.md b/windows/security/application-security/application-control/windows-defender-application-control/design/common-wdac-use-cases.md
index 2d96cac781..7f203efaf7 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/common-wdac-use-cases.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/common-wdac-use-cases.md
@@ -3,7 +3,7 @@ title: Policy creation for common WDAC usage scenarios
description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios.
ms.localizationpriority: medium
ms.date: 04/05/2023
-ms.topic: article
+ms.topic: conceptual
---
# Windows Defender Application Control deployment in different scenarios: types of devices
@@ -15,7 +15,7 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes
## Types of devices
-| Type of device | How WDAC relates to this type of device |
+| Type of device | How WDAC relates to this type of device |
|------------------------------------|------------------------------------------------------|
| **Lightly managed devices**: Company-owned, but users are free to install software. Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Application Control can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. |
| **Fully managed devices**: Allowed software is restricted by IT department. Users can request for more software, or install from a list of applications provided by IT department. Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves more applications, it updates the WDAC policy and (for unsigned LOB applications) the catalog. |
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer.md
index 6154ff435d..ff3b5d8fa8 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -3,7 +3,7 @@ title: Allow apps deployed with a WDAC managed installer
description: Explains how to configure a custom Managed Installer.
ms.localizationpriority: medium
ms.date: 02/02/2023
-ms.topic: article
+ms.topic: how-to
---
# Automatically allow apps deployed by a managed installer with Windows Defender Application Control
@@ -78,7 +78,7 @@ The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdl
```
3. Manually edit your AppLocker policy and add the EXE and DLL rule collections with at least one rule for each. To ensure your policy can be safely applied on systems that may already have an active AppLocker policy, we recommend using a benign DENY rule to block a fake binary and set the rule collection's EnforcementMode to AuditOnly. Additionally, since many installation processes rely on services, you need to enable services tracking for each of those rule collections. The following example shows a partial AppLocker policy with the EXE and DLL rule collection configured as recommended.
-
+
```xml
@@ -147,7 +147,7 @@ The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdl
-
+
@@ -183,7 +183,7 @@ The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdl
```console
appidtel.exe start [-mionly]
```
-
+
Specify "-mionly" if you don't plan to use the Intelligent Security Graph (ISG).
> [!NOTE]
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-deny-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-deny-policy.md
index 3dcec18e4f..3e76a698d2 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-deny-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-deny-policy.md
@@ -3,7 +3,7 @@ title: Create WDAC Deny Policy
description: Explains how to create WDAC deny policies
ms.localizationpriority: medium
ms.date: 12/31/2017
-ms.topic: article
+ms.topic: how-to
---
# Guidance on Creating WDAC Deny Policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-using-reference-computer.md b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-using-reference-computer.md
index 77a4402365..4b7a2f317b 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-using-reference-computer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-using-reference-computer.md
@@ -3,7 +3,7 @@ title: Create a WDAC policy using a reference computer
description: To create a Windows Defender Application Control (WDAC) policy that allows all code installed on a reference computer within your organization, follow this guide.
ms.localizationpriority: medium
ms.date: 08/08/2022
-ms.topic: article
+ms.topic: how-to
---
# Create a WDAC policy using a reference computer
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md
index 38c5700dab..621718eb69 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md
@@ -3,7 +3,7 @@ title: Use multiple Windows Defender Application Control Policies
description: Windows Defender Application Control supports multiple code integrity policies for one device.
ms.localizationpriority: medium
ms.date: 04/15/2024
-ms.topic: article
+ms.topic: how-to
---
# Use multiple Windows Defender Application Control Policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/manage-packaged-apps-with-wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/design/manage-packaged-apps-with-wdac.md
index db1a336471..d136e3824b 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/manage-packaged-apps-with-wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/manage-packaged-apps-with-wdac.md
@@ -3,7 +3,7 @@ title: Manage packaged apps with WDAC
description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule.
ms.localizationpriority: medium
ms.date: 03/01/2023
-ms.topic: article
+ms.topic: how-to
---
# Manage Packaged Apps with Windows Defender Application Control
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
index 5b5d018a69..c99e4f6e9e 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
@@ -6,7 +6,7 @@ ms.collection:
- tier3
- must-keep
ms.date: 01/24/2024
-ms.topic: article
+ms.topic: how-to
---
# Microsoft recommended driver block rules
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md b/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md
index c1eee0110d..caebc2c6c3 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md
@@ -3,7 +3,7 @@ title: Plan for WDAC policy management
description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies.
ms.localizationpriority: medium
ms.date: 11/22/2023
-ms.topic: article
+ms.topic: conceptual
---
# Plan for Windows Defender Application Control lifecycle policy management
@@ -25,7 +25,7 @@ Most Windows Defender Application Control policies will evolve over time and pro
4. Repeat steps 2-3 until the remaining block events meet expectations.
5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that the policy doesn't allow are prevented from running and corresponding block events are generated.
6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
-7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
+7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement.md b/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement.md
index 4a1aaf70e2..8ebfc6ca57 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement.md
@@ -3,7 +3,7 @@ title: Understand WDAC script enforcement
description: WDAC script enforcement
ms.manager: jsuther
ms.date: 05/26/2023
-ms.topic: article
+ms.topic: conceptual
ms.localizationpriority: medium
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
index ea4260f8c1..ce2f7e2e2f 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
@@ -3,7 +3,7 @@ title: Understand Windows Defender Application Control (WDAC) policy rules and f
description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers.
ms.localizationpriority: medium
ms.date: 11/22/2023
-ms.topic: article
+ms.topic: conceptual
---
# Understand Windows Defender Application Control (WDAC) policy rules and file rules
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/understand-wdac-policy-design-decisions.md b/windows/security/application-security/application-control/windows-defender-application-control/design/understand-wdac-policy-design-decisions.md
index 026cd262be..abaeda5f34 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/understand-wdac-policy-design-decisions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/understand-wdac-policy-design-decisions.md
@@ -3,10 +3,10 @@ title: Understand Windows Defender Application Control policy design decisions
description: Understand Windows Defender Application Control policy design decisions.
ms.localizationpriority: medium
ms.date: 02/08/2018
-ms.topic: article
+ms.topic: conceptual
---
-# Understand Windows Defender Application Control policy design decisions
+# Understand Windows Defender Application Control policy design decisions
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
@@ -56,8 +56,8 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p
| Possible answers | Design considerations |
| - | - |
| All apps used in your organization must be signed. | Organizations that enforce [codesigning](../deployment/use-code-signing-for-better-control-and-protection.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). |
-| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](../deployment/deploy-catalog-files-to-support-wdac.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Intune offer multiple ways to distribute signed App Catalogs. |
-
+| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](../deployment/deploy-catalog-files-to-support-wdac.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Intune offer multiple ways to distribute signed App Catalogs. |
+
### Are there specific groups in your organization that need customized application control policies?
Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group's priorities before you deploy application control policies for the entire organization. There's overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies.
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/understanding-wdac-policy-settings.md b/windows/security/application-security/application-control/windows-defender-application-control/design/understanding-wdac-policy-settings.md
index 0c615d15e5..6f2f154463 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/understanding-wdac-policy-settings.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/understanding-wdac-policy-settings.md
@@ -3,7 +3,7 @@ title: Understanding Windows Defender Application Control (WDAC) secure settings
description: Learn about secure settings in Windows Defender Application Control.
ms.localizationpriority: medium
ms.date: 04/05/2023
-ms.topic: article
+ms.topic: conceptual
---
# Understanding WDAC Policy Settings
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index 7fa7fe71a2..d46c2de5a6 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -3,10 +3,10 @@ title: Use a Windows Defender Application Control policy to control specific plu
description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps.
ms.localizationpriority: medium
ms.date: 11/02/2022
-ms.topic: article
+ms.topic: how-to
---
-# Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
+# Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph.md b/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph.md
index ee718c6bff..02cd2f93cd 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph.md
@@ -1,9 +1,9 @@
---
title: Authorize reputable apps with the Intelligent Security Graph (ISG)
-description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
+description: Automatically authorize applications that Microsoft's ISG recognizes as having known good reputation.
ms.localizationpriority: medium
ms.date: 12/31/2017
-ms.topic: article
+ms.topic: how-to
---
# Authorize reputable apps with the Intelligent Security Graph (ISG)
@@ -42,29 +42,29 @@ Setting up the ISG is easy using any management solution you wish. Configuring t
To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This step can be done with the Set-RuleOption cmdlet. You should also set the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options set.
```xml
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
+
-
-
-
-
-
-
-
+
+
+
+
+
+
+
```
### Enable the necessary services to allow WDAC to use the ISG correctly on the client
@@ -91,7 +91,7 @@ Since the ISG only allows binaries that are "known good", there are cases where
Packaged apps aren't supported with the ISG and will need to be separately authorized in your WDAC policy. Since packaged apps have a strong app identity and must be signed, it's straightforward to [authorize packaged apps](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) with your WDAC policy.
-The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
+The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
> [!NOTE]
> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](../deployment/deploy-wdac-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
index b0ec0ebfe9..f99639f8fd 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md
@@ -3,7 +3,7 @@ title: Windows Defender Application Control and .NET
description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime.
ms.localizationpriority: medium
ms.date: 11/22/2023
-ms.topic: article
+ms.topic: conceptual
---
# Windows Defender Application Control (WDAC) and .NET
@@ -41,7 +41,7 @@ Additionally, customers can precompile for deployment only to prevent an allowed
To enable Dynamic Code Security, add the following option to the `` section of your WDAC policy:
```xml
-
-
+
+
```
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations.md
index 7fb31cd8a4..298b965229 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations.md
@@ -3,7 +3,7 @@ title: Understanding Application Control event tags
description: Learn what different Windows Defender Application Control event tags signify.
ms.localizationpriority: medium
ms.date: 05/09/2023
-ms.topic: article
+ms.topic: conceptual
---
# Understanding Application Control event tags
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/inbox-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/inbox-wdac-policies.md
index 9edd163212..c8432d0129 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/inbox-wdac-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/inbox-wdac-policies.md
@@ -3,7 +3,7 @@ title: Inbox WDAC policies
description: This article describes the inbox WDAC policies that may be active on a device.
ms.manager: jsuther
ms.date: 03/10/2023
-ms.topic: article
+ms.topic: conceptual
ms.localizationpriority: medium
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md
index 2522308d55..f33e99121c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md
@@ -3,7 +3,7 @@ title: WDAC Admin Tips & Known Issues
description: WDAC Known Issues
ms.manager: jsuther
ms.date: 04/15/2024
-ms.topic: article
+ms.topic: troubleshooting
ms.localizationpriority: medium
---
@@ -84,7 +84,7 @@ msiexec -i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E
As a workaround, download the MSI file and run it locally:
```console
-msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi
+msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi
```
### Slow boot and performance with custom policies
@@ -93,7 +93,7 @@ WDAC evaluates all processes that run, including inbox Windows processes. You ca
#### AppId Tagging policy considerations
-AppId Tagging policies that aren't built upon the WDAC base templates or don't allow the Windows in-box signers might cause a significant increase in boot times (~2 minutes).
+AppId Tagging policies that aren't built upon the WDAC base templates or don't allow the Windows in-box signers might cause a significant increase in boot times (~2 minutes).
If you can't allowlist the Windows signers or build off the WDAC base templates, add the following rule to your policies to improve the performance:
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting.md
index f6671dc740..c17adb2b1c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -3,10 +3,10 @@ title: Query Application Control events with Advanced Hunting
description: Learn how to query Windows Defender Application Control events across your entire organization by using Advanced Hunting.
ms.localizationpriority: medium
ms.date: 03/01/2022
-ms.topic: article
+ms.topic: troubleshooting
---
-# Querying Application Control events centrally using Advanced hunting
+# Querying Application Control events centrally using Advanced hunting
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode.
While Event Viewer helps to see the impact on a single system, IT Pros want to gauge it across many systems.
@@ -65,7 +65,7 @@ The query results can be used for several important functions related to managin
Query Example #2: Query to determine audit blocks in the past seven days
```
-DeviceEvents
+DeviceEvents
| where ActionType startswith "AppControlExecutableAudited"
| where Timestamp > ago(7d)
|project DeviceId, // the device ID where the audit block happened
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md
index 5e998b8788..81042f2926 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -3,7 +3,7 @@ title: WDAC and AppLocker Overview
description: Compare Windows application control technologies.
ms.localizationpriority: medium
ms.date: 01/03/2024
-ms.topic: article
+ms.topic: conceptual
---
# Windows Defender Application Control and AppLocker Overview
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
index 399efd6820..0da205053a 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md
@@ -1,7 +1,7 @@
---
title: Windows Sandbox architecture
description: Windows Sandbox architecture
-ms.topic: article
+ms.topic: conceptual
ms.date: 03/26/2024
---
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 50526dc308..6420d0019f 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -1,7 +1,7 @@
---
title: Windows Sandbox configuration
description: Windows Sandbox configuration
-ms.topic: article
+ms.topic: how-to
ms.date: 03/26/2024
---
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
index 1a0695eb98..adf405569f 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
@@ -1,7 +1,7 @@
---
title: Windows Sandbox
description: Windows Sandbox overview
-ms.topic: article
+ms.topic: conceptual
ms.date: 03/26/2024
---
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
index 8faa272dca..e68c6df87a 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md
@@ -3,7 +3,7 @@ title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
ms.localizationpriority: medium
ms.date: 07/11/2023
-ms.topic: article
+ms.topic: conceptual
---
# What is Microsoft Baseline Security Analyzer and its uses?
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
index 6f077f8f37..2dba2d4677 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md
@@ -2,7 +2,7 @@
title: Account protection in Windows Security
description: Use the Account protection section to manage security for your account and sign in to Microsoft.
ms.date: 08/11/2023
-ms.topic: article
+ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
index 6ede491eeb..375aeb3fa0 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md
@@ -2,7 +2,7 @@
title: App & browser control in Windows Security
description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
ms.date: 08/11/2023
-ms.topic: article
+ms.topic: how-to
---
# App and browser control
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
index 70c71bc872..4bf296c839 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -2,7 +2,7 @@
title: Customize Windows Security contact information in Windows Security
description: Provide information to your employees on how to contact your IT department when a security issue occurs
ms.date: 08/11/2023
-ms.topic: article
+ms.topic: how-to
---
# Customize the Windows Security settings for your organization
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
index b34941e7bb..a15b5f11b6 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md
@@ -2,7 +2,7 @@
title: Device & performance health in Windows Security
description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
ms.date: 07/31/2023
-ms.topic: article
+ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
index 0c75434023..e47d41fc91 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md
@@ -2,7 +2,7 @@
title: Device security in Windows Security
description: Use the Device security section to manage security built into your device, including Virtualization-based security.
ms.date: 08/11/2023
-ms.topic: article
+ms.topic: how-to
---
# Device security
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
index 7ba7b42e75..50f38d64dd 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md
@@ -2,7 +2,7 @@
title: Family options in Windows Security
description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
ms.date: 08/11/2023
-ms.topic: article
+ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
index 3ac877ec3f..0070445c0d 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -2,7 +2,7 @@
title: Firewall and network protection in Windows Security
description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
ms.date: 08/11/2023
-ms.topic: article
+ms.topic: how-to
---
# Firewall and network protection
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
index 6e0c20b83c..5e330d95a0 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md
@@ -2,7 +2,7 @@
title: Hide notifications from Windows Security
description: Prevent Windows Security notifications from appearing on user endpoints
ms.date: 07/31/2023
-ms.topic: article
+ms.topic: how-to
---
# Hide Windows Security notifications
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
index cc0979c845..f48a985759 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -2,7 +2,7 @@
title: Virus and threat protection in Windows Security
description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
ms.date: 08/11/2023
-ms.topic: article
+ms.topic: conceptual
---
# Virus and threat protection
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index a316bca4b5..2feb4cecb2 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -2,7 +2,7 @@
title: Windows Security
description: Windows Security brings together common Windows security features into one place.
ms.date: 08/11/2023
-ms.topic: article
+ms.topic: conceptual
---
# Windows Security
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 61a3073fa1..564b83b498 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -6,7 +6,7 @@ author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.date: 12/31/2017
-ms.topic: article
+ms.topic: conceptual
---
# Mitigate threats by using Windows 10 security features
From c75d0204127a1b9069964361abd8c93f8a2ff38b Mon Sep 17 00:00:00 2001
From: "Vinay Pamnani (from Dev Box)"
Date: Fri, 7 Jun 2024 10:36:56 -0600
Subject: [PATCH 11/29] Acro-updates
---
.../provisioning-command-line.md | 14 +++++++-------
.../AppIdTagging/wdac-appid-tagging-guide.md | 16 ++++++++--------
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
index 686b79ac68..12a10ae502 100644
--- a/windows/configuration/provisioning-packages/provisioning-command-line.md
+++ b/windows/configuration/provisioning-packages/provisioning-command-line.md
@@ -1,13 +1,13 @@
---
-title: Windows Configuration Designer command-line interface
-description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices.
+title: Windows Configuration Designer command line interface
+description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command line interface for Windows10/11 client devices.
ms.topic: how-to
ms.date: 12/31/2017
---
-# Windows Configuration Designer command-line interface (reference)
+# Windows Configuration Designer command line interface (reference)
-You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages.
+You can use the Windows Configuration Designer command line interface (CLI) to automate the building of provisioning packages.
- IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges.
@@ -30,10 +30,10 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath:
| --- | --- | --- |
| /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. |
| /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. |
-| /StoreFile | NoSee Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. |
+| /StoreFile | NoSee Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions is loaded by Windows Configuration Designer.**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. |
| /Variables | No | Specifies a semicolon separated `` and `` macro pair. The format for the argument must be `=`. |
-| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output.Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. |
-| Overwrite | No | Denotes whether to overwrite an existing provisioning package.Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). |
+| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output. Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. |
+| Overwrite | No | Denotes whether to overwrite an existing provisioning package. Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). |
| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. |
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md
index c7ba6859ae..4dc0da5aba 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md
@@ -1,6 +1,6 @@
---
-title: Designing, creating, managing and troubleshooting Windows Defender Application Control AppId Tagging policies
-description: How to design, create, manage and troubleshoot your WDAC AppId Tagging policies
+title: Designing, creating, managing, and troubleshooting Windows Defender Application Control AppId Tagging policies
+description: How to design, create, manage, and troubleshoot your WDAC AppId Tagging policies
ms.localizationpriority: medium
ms.date: 04/27/2022
ms.topic: conceptual
@@ -13,14 +13,14 @@ ms.topic: conceptual
## AppId Tagging Feature Overview
-The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), does not control whether applications will run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy will receive the tag while failing applications won't.
+The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), doesn't control whether applications run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy receive the tag while failing applications don't.
## AppId Tagging Feature Availability
The WDAC AppId Tagging feature is available on the following versions of the Windows platform:
Client:
-- Windows 10 20H1, 20H2 and 21H1 versions only
+- Windows 10 20H1, 20H2, and 21H1 versions only
- Windows 11
Server:
@@ -28,8 +28,8 @@ Server:
## In this section
-| Topic | Description |
+| article | Description |
| - | - |
-| [Designing and Creating AppId Policies](design-create-appid-tagging-policies.md) | This topic covers how to design and create AppId Tagging policies. |
-| [Deploying AppId Policies](deploy-appid-tagging-policies.md) | This topic covers how to deploy AppId Tagging policies. |
-| [Debugging AppId Policies](debugging-operational-guide-appid-tagging-policies.md) | This topic covers how to debug and view events from AppId Tagging policies. |
+| [Designing and Creating AppId Policies](design-create-appid-tagging-policies.md) | This article covers how to design and create AppId Tagging policies. |
+| [Deploying AppId Policies](deploy-appid-tagging-policies.md) | This article covers how to deploy AppId Tagging policies. |
+| [Debugging AppId Policies](debugging-operational-guide-appid-tagging-policies.md) | This article covers how to debug and view events from AppId Tagging policies. |
From c2c5d757ac4edc39e6e1e26e664d814e269c0877 Mon Sep 17 00:00:00 2001
From: "[cmknox]" <[cmknox@gmail.com]>
Date: Fri, 7 Jun 2024 12:21:03 -0600
Subject: [PATCH 12/29] Add subnet for restricted peers
---
.../deployment/do/waas-delivery-optimization-reference.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 9c90b088c4..f17d4c5f5b 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -37,7 +37,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is configured to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that share content between devices in the group.|
| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not configured, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't configured, the GroupID is defined as the AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. |
| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not configured, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't configured, the Group is defined as the AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. |
-| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, a new option to use 'Local discovery (DNS-SD)' is available to configure via this policy. |
+| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Windows 10 - default isn't configured. Windows 11 - default peer selection is restricted to the Subnet only in LAN [Download mode](#download-mode) (1). |
| [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. |
| [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. |
| [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | Default value is 259,200 seconds (three days). |
@@ -235,10 +235,12 @@ MDM Setting: **DORestrictPeerSelectionBy**
Starting in Windows 10, version 1803, configure this policy to restrict peer selection via selected option. In Windows 11, the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets.
-If Group mode is configured, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID).
+If Group mode is configured, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID) and prevents devices that aren't using the same Group ID from participating.
In Windows 11, the Local Peer Discovery (DNS-SD) option can be configured via MDM or Group Policy. However, in Windows 10, this feature can be enabled by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**.
+The default behaviors differ between Windows 10 and Windows 11. In Windows 10, there is no restriction configured. In Windows 11, the default peer selection is restricted to the Subnet only in LAN [Download mode](#download-mode) (1)
+
### Delay foreground download from HTTP (in secs)
MDM Setting: **DODelayForegroundDownloadFromHttp**
From 68a58b006096f03ccede5448fb53dd76f6531762 Mon Sep 17 00:00:00 2001
From: Rebecca Agiewich
Date: Fri, 7 Jun 2024 14:37:31 -0700
Subject: [PATCH 13/29] change
---
windows/deployment/do/waas-delivery-optimization-reference.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index f17d4c5f5b..185766cfc6 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -96,7 +96,7 @@ More options available that control the impact Delivery Optimization has on your
#### Policies to prioritize the use of peer-to-peer and cache server sources
-When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to both MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source, which is the default behavior.
+When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to both MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fall back to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source, which is the default behavior.
##### Peer-to-peer delay fallback settings
From 3fbf2b77939bc85bc2943e0c852b32f3d8f75294 Mon Sep 17 00:00:00 2001
From: sabieler
Date: Sat, 8 Jun 2024 16:47:26 +0000
Subject: [PATCH 14/29] Added Security intelligence updates for Microsoft
Defender Antivirus and other Microsoft antimalware
Added Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware to the other update list. (https://www.microsoft.com/en-us/wdsi/defenderupdates)
Moved "Windows Admin Center" alphabetically down in the list.
---
.../update/update-other-microsoft-products.md | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/windows/deployment/update/update-other-microsoft-products.md b/windows/deployment/update/update-other-microsoft-products.md
index f4d26b82ec..f71f77a7f1 100644
--- a/windows/deployment/update/update-other-microsoft-products.md
+++ b/windows/deployment/update/update-other-microsoft-products.md
@@ -1,16 +1,16 @@
---
-title: Update other Microsoft products
+title: Update other Microsoft products
titleSuffix: Windows Update for Business
-description: List of other Microsoft products that are updated when install updates for other Microsoft products (allowmuupdateservice) is used.
+description: List of other Microsoft products that are updated when install updates for other Microsoft products (allowmuupdateservice) is used.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
manager: aaroncz
-appliesto:
+appliesto:
- ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
ms.date: 06/07/2024
---
@@ -53,9 +53,9 @@ The following is a list of other Microsoft products that might be updated:
- Microsoft StreamInsight
- Mobile and IoT
- MSRC
-- Office 2016 (MSI versions of Office)
+- Office 2016 (MSI versions of Office)
- PlayReady
-- Windows Admin Center
+- Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware
- Silverlight
- Skype for Business
- SQL
@@ -65,6 +65,7 @@ The following is a list of other Microsoft products that might be updated:
- System Center Orchestrator
- System Center Virtual Machine Manager
- Visual Studio
+- Windows Admin Center
- Windows Azure Hyper-V Recovery Manager
- Windows Azure Pack - Web Sites
- Windows Azure Pack
From d929c5489f600bd34921e3ac097537d502938777 Mon Sep 17 00:00:00 2001
From: Samantha Robertson
Date: Mon, 10 Jun 2024 12:44:34 -0700
Subject: [PATCH 15/29] Update windows-11-plan.md
---
windows/whats-new/windows-11-plan.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index d8b9301431..a32a7baeb6 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -10,6 +10,7 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier1
+ - essentials-get-started
ms.subservice: itpro-fundamentals
ms.date: 02/06/2024
appliesto:
From 486b725a974d34a32da494e18cb6632aaffcc481 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Mon, 10 Jun 2024 15:13:00 -0700
Subject: [PATCH 16/29] Metadata change
Conceptual to Reference
Some Acrolinx inspired changes
---
...ponents-to-microsoft-services-using-MDM.md | 18 ++++++------
...system-components-to-microsoft-services.md | 29 +++++++++----------
2 files changed, 23 insertions(+), 24 deletions(-)
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 45d6b7c45e..e664498af2 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -8,7 +8,7 @@ author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 05/15/2019
-ms.topic: conceptual
+ms.topic: reference
---
# Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server
@@ -19,7 +19,7 @@ ms.topic: conceptual
- Windows 10 Enterprise 1903 version and newer
-This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
+This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it's possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
>[!IMPORTANT]
>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
@@ -32,11 +32,11 @@ This article describes the network connections that Windows 10 and Windows 11 co
>[!Warning]
>If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the >Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. >To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re->application of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" >option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a >Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required.
-For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](/intune/).
+For more information on Microsoft Intune, see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](/intune/).
For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows operating system components to Microsoft services](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
+We're always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
## Settings for Windows 10 Enterprise edition 1903 and later and Windows 11
@@ -46,7 +46,7 @@ The following table lists management options for each setting.
For Windows 10 and Windows 11, the following MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
1. **Automatic Root Certificates Update**
- 1. MDM Policy: There is intentionally no MDM available for Automatic Root Certificate Update. This MDM does not exist since it would prevent the operation and management of MDM management of devices.
+ 1. MDM Policy: There's intentionally no MDM available for Automatic Root Certificate Update. This MDM doesn't exist since it would prevent the operation and management of MDM management of devices.
1. **Cortana and Search**
1. MDM Policy: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana). Choose whether to let Cortana install and run on the device. **Set to 0 (zero)**
@@ -77,10 +77,10 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [
1. **\\**
1. **Live Tiles**
- 1. MDM Policy: [Notifications/DisallowTileNotification](/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Integer value 1**
+ 1. MDM Policy: [Notifications/DisallowTileNotification](/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features won't be able to update their tiles and tile badges in the Start screen. **Integer value 1**
1. **Mail synchronization**
- 1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an Microsoft account for non-email related connection authentication and services. **Set to 0 (zero)**
+ 1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services. **Set to 0 (zero)**
1. **Microsoft Account**
1. MDM Policy: [Accounts/AllowMicrosoftAccountSignInAssistant](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant). Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
@@ -94,7 +94,7 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [
1. MDM Policy: [Browser/AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Choose whether Windows Defender SmartScreen is turned on or off. **Set to 0 (zero)**
1. **Network Connection Status Indicator**
- 1. [Connectivity/DisallowNetworkConnectivityActiveTests](/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests). Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)**
+ 1. [Connectivity/DisallowNetworkConnectivityActiveTests](/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests). Note: After you apply this policy, you must restart the device for the policy setting to take effect. **Set to 1 (one)**
1. **Offline maps**
1. MDM Policy: [AllowOfflineMapsDownloadOverMeteredConnection](/windows/client-management/mdm/policy-csp-maps). Allows the download and update of map data over metered connections. **Set to 0 (zero)**
@@ -102,7 +102,7 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [
1. **OneDrive**
1. MDM Policy: [DisableOneDriveFileSync](/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
- 1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 or Windows 11 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files.
+ 1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 or Windows 11 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (for example "18.162.0812.0001"). There's a folder named "adm" which contains the admx and adml policy definition files.
1. MDM Policy: Prevent Network Traffic before User SignIn. **PreventNetworkTrafficPreUserSignIn**. The OMA-URI value is: **./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn**, Data type: **String**, Value: **\**
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index e5ca2312fd..8d8aa99a85 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -8,8 +8,7 @@ author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 03/07/2016
-ms.collection: highpri
-ms.topic: conceptual
+ms.topic: reference
---
# Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services
@@ -21,9 +20,9 @@ ms.topic: conceptual
- Windows Server 2016
- Windows Server 2019
-This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
+This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it's possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://download.microsoft.com/download/D/9/0/D905766D-FEDA-43E5-86ED-8987CEBD8D89/WindowsRTLFB.zip) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
+Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://download.microsoft.com/download/D/9/0/D905766D-FEDA-43E5-86ED-8987CEBD8D89/WindowsRTLFB.zip) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You shouldn't extract this package to the windows\system32 folder because it will not apply correctly.
> [!IMPORTANT]
> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
@@ -38,9 +37,9 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
> - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode.
> - During update or upgrade of Windows, egress traffic may occur.
-To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md).
+To use Microsoft Intune cloud-based device management for restricting traffic, refer to the [Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md).
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
+We're always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
## Management options for each setting
@@ -397,7 +396,7 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later:
### 7. Insider Preview builds
The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10 and Windows 11. This setting stops communication with the Windows Insider Preview service that checks for new builds.
-Windows Insider Preview builds only apply to Windows 10 and Windows 11 and are not available for Windows Server 2016.
+Windows Insider Preview builds only apply to Windows 10 and Windows 11 and aren't available for Windows Server 2016.
> [!NOTE]
@@ -689,7 +688,7 @@ To turn off OneDrive in your organization:
### 17. Preinstalled apps
-Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
+Some preinstalled apps get content before they're opened to ensure a great experience. You can remove these using the steps in this section.
To remove the News app:
@@ -1766,7 +1765,7 @@ If you're running Windows 10, version 1607 or later, or Windows 11, you need to:
You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded.
This will also turn off automatic app updates, and the Microsoft Store will be disabled.
-In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**.
+In addition, new email accounts can't be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**.
On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
@@ -1795,7 +1794,7 @@ You can turn off apps for websites, preventing customers who visit websites that
### 28. Delivery Optimization
-Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
+Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office, and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
By default, PCs running Windows 10 or Windows 11 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
@@ -1848,15 +1847,15 @@ You can turn off Windows Update by setting the following registry entries:
-and-
-- Add a REG_SZ value named **WUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
+- Add a REG_SZ value named **WUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it's blank with a space character **" "**.
-and-
-- Add a REG_SZ value named **WUStatusServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
+- Add a REG_SZ value named **WUStatusServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it's blank with a space character **" "**.
-and-
-- Add a REG_SZ value named **UpdateServiceUrlAlternate** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
+- Add a REG_SZ value named **UpdateServiceUrlAlternate** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it's blank with a space character **" "**.
-and-
@@ -1879,12 +1878,12 @@ You can turn off Windows Update by setting the following registry entries:
- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**.
-You can turn off automatic updates by doing the following. This is not recommended.
+You can turn off automatic updates by doing the following. This isn't recommended.
- Add a REG_DWORD value named **AutoDownload** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
-For China releases of Windows 10 there is one additional Regkey to be set to prevent traffic:
+For China releases of Windows 10 there's one additional Regkey to be set to prevent traffic:
- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the **value to 0 (zero)**.
From f247b79724b6abc17908ee8885cbc6c6e472509e Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Mon, 10 Jun 2024 15:22:45 -0700
Subject: [PATCH 17/29] Update metadata
---
windows/privacy/essential-services-and-connected-experiences.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index 6d314f9b80..0c59bcd158 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -8,7 +8,6 @@ author: DHB-MSFT
ms.author: danbrown
manager: laurawi
ms.date: 06/06/2024
-ms.collection: highpri
ms.topic: reference
---
From 0f0b2ef62bff29884f583bbbb0b3ab91580e2053 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 11 Jun 2024 14:04:45 -0400
Subject: [PATCH 18/29] WHfB updates
---
.../identity-protection/hello-for-business/how-it-works.md | 5 +++++
.../identity-protection/hello-for-business/rdp-sign-in.md | 6 +++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
index f08348d61a..95bc613cdc 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@@ -227,6 +227,11 @@ For more information, see [What is a Primary Refresh Token][ENTRA-2].
Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
+> [!NOTE]
+> If you change the user's password from a Microsoft Entra hybrid joined device, the Windows Hello for Business cache is invalidated. To update the cache, the user must log off and then log back on.
+>
+> To change a user's password, the device must be able to communicate with a domain controller.
+
## Next steps
> [!div class="nextstepaction"]
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
index 72c3fffd3f..c8a7d312ad 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -1,7 +1,7 @@
---
title: Remote Desktop sign-in with Windows Hello for Business
description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business.
-ms.date: 04/23/2024
+ms.date: 06/11/2024
ms.topic: how-to
---
@@ -273,6 +273,10 @@ While users appreciate the convenience of biometrics, and administrators value t
For more information, see [Use Windows Hello for Business certificates as smart card certificate](policy-settings.md#use-windows-hello-for-business-certificates-as-smart-card-certificates)
+## Known issues
+
+There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED. Microsoft is aware of this issue and investigating possible solutions.
+
[MEM-1]: /mem/intune/protect/certificates-scep-configure
From 67e65b672c8bad54b1d9eb821a5d99630300cacf Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 12 Jun 2024 08:02:07 -0400
Subject: [PATCH 19/29] password expiration issue
---
.../hello-for-business/how-it-works.md | 12 +++++++++---
.../hello-for-business/rdp-sign-in.md | 2 +-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
index 95bc613cdc..fc2d4b3ddf 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@@ -227,9 +227,15 @@ For more information, see [What is a Primary Refresh Token][ENTRA-2].
Changing a user account password doesn't affect sign-in or unlock, since Windows Hello for Business uses a key or certificate.
-> [!NOTE]
-> If you change the user's password from a Microsoft Entra hybrid joined device, the Windows Hello for Business cache is invalidated. To update the cache, the user must log off and then log back on.
->
+However, when users are required to change their password (for example, due to password expiration policies), then they won't be notified of the password change requirement when signing in with Windows Hello. This might cause failures to authenticate to Active Directory-protected resources. To mitigate the issue consider one of the following options:
+
+- Disable password expiration for the user accounts
+- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings?tabs=pin#expiration)
+- If password expiration is an organization's requirement, instruct the users to change their passwords regularly or when they receive authentication failure messages. Users can reset their password by:
+ - Using the Ctrl + Alt + Del > **Change a password** option
+ - Sign in with their password. If the password must be changed, Windows prompts the user to update it
+
+> [!IMPORTANT]
> To change a user's password, the device must be able to communicate with a domain controller.
## Next steps
diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
index c8a7d312ad..97e372d620 100644
--- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
+++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md
@@ -275,7 +275,7 @@ For more information, see [Use Windows Hello for Business certificates as smart
## Known issues
-There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED. Microsoft is aware of this issue and investigating possible solutions.
+There's a known issue when attempting to perform TLS 1.3 client authentication with a Hello certificate via RDP. The authentication fails with the error: `ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED`. Microsoft is investigating possible solutions.
From 55e9a1d73b8641c3324464093facab67215aa001 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 12 Jun 2024 08:29:34 -0400
Subject: [PATCH 20/29] removed insider note for disablepostlogonprovisioning
---
.../includes/use-windows-hello-for-business.md | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md
index d850382fae..34185c8503 100644
--- a/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md
+++ b/windows/security/identity-protection/hello-for-business/includes/use-windows-hello-for-business.md
@@ -16,16 +16,6 @@ Select the option *Don't start Windows Hello provisioning after sign-in* when yo
- If you select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business doesn't automatically start provisioning after the user has signed in
- If you don't select *Don't start Windows Hello provisioning after sign-in*, Windows Hello for Business automatically starts provisioning after the user has signed in
-:::row:::
-:::column span="1":::
-:::image type="content" source="../../../images/insider.png" alt-text="Logo of Windows Insider." border="false":::
-:::column-end:::
-:::column span="3":::
-> [!IMPORTANT]
->This policy setting is available via CSP only for [Windows Insider Preview builds](/windows-insider/).
-:::column-end:::
-:::row-end:::
-
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[UsePassportForWork](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesusepassportforwork)
`./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/`[DisablePostLogonProvisioning](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciesdisablepostlogonprovisioning)|
From 2a90f96c3588b750e94c8801dbf094627d2e7367 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 12 Jun 2024 13:14:02 -0400
Subject: [PATCH 21/29] updates
---
.../identity-protection/hello-for-business/how-it-works.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/how-it-works.md b/windows/security/identity-protection/hello-for-business/how-it-works.md
index fc2d4b3ddf..659f4a0e25 100644
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@@ -230,7 +230,7 @@ Changing a user account password doesn't affect sign-in or unlock, since Windows
However, when users are required to change their password (for example, due to password expiration policies), then they won't be notified of the password change requirement when signing in with Windows Hello. This might cause failures to authenticate to Active Directory-protected resources. To mitigate the issue consider one of the following options:
- Disable password expiration for the user accounts
-- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings?tabs=pin#expiration)
+- As an alternative to password expiration policies, consider adopting [PIN expiration policies](policy-settings.md?tabs=pin#expiration)
- If password expiration is an organization's requirement, instruct the users to change their passwords regularly or when they receive authentication failure messages. Users can reset their password by:
- Using the Ctrl + Alt + Del > **Change a password** option
- Sign in with their password. If the password must be changed, Windows prompts the user to update it
From 40b25734a5c73ab32c81c1039121942be566ba89 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 12 Jun 2024 16:02:44 -0700
Subject: [PATCH 22/29] manage=cpw-note-pwa
---
windows/client-management/manage-windows-copilot.md | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
index 3faee22933..cdfa61e0a3 100644
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@@ -3,7 +3,7 @@ title: Manage Copilot in Windows
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: how-to
ms.subservice: windows-copilot
-ms.date: 03/21/2024
+ms.date: 06/12/2024
ms.author: mstewart
author: mestew
ms.collection:
@@ -18,16 +18,20 @@ appliesto:
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
+> [!Note]
+> - This article along with the [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) policy listed isn't for the [new Copilot experience](https://blogs.windows.com/windows-insider/2024/05/31/announcing-windows-11-insider-preview-build-26120-751-dev-channel/) that is currently in some Windows Insider builds such as [Windows 11, version 24H2 in the Release Preview channel](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/).
+
Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop and is designed to help users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/copilot/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it's possible for users to copy and paste sensitive information into the chat.
-> [!Note]
-> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback.
-> - Copilot in Windows (in preview) is available in select global markets and will be rolled out to additional markets over time. [Learn more](https://www.microsoft.com/windows/copilot-ai-features#faq).
## Configure Copilot in Windows for commercial environments
At a high level, managing and configuring Copilot in Windows for your organization involves the following steps:
+> [!Note]
+> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback.
+> - Copilot in Windows (in preview) is available in select global markets and will be rolled out to additional markets over time. [Learn more](https://www.microsoft.com/windows/copilot-ai-features#faq).
+
1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows)
1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows
1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled
From f5c9e93e03c80445ce26e307b40404388c2c8382 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 12 Jun 2024 16:09:05 -0700
Subject: [PATCH 23/29] manage=cpw-note-pwa
---
windows/client-management/manage-windows-copilot.md | 2 +-
windows/client-management/mdm/policy-csp-windowsai.md | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
index cdfa61e0a3..0dca7cc8aa 100644
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@@ -19,7 +19,7 @@ appliesto:
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
> [!Note]
-> - This article along with the [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) policy listed isn't for the [new Copilot experience](https://blogs.windows.com/windows-insider/2024/05/31/announcing-windows-11-insider-preview-build-26120-751-dev-channel/) that is currently in some Windows Insider builds such as [Windows 11, version 24H2 in the Release Preview channel](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/).
+> - This article along with the [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) policy listed isn't for the [new Copilot experience](https://blogs.windows.com/windows-insider/2024/05/31/announcing-windows-11-insider-preview-build-26120-751-dev-channel/) that is currently in some Windows Insider builds such as [Windows 11, version 24H2 in the Release Preview channel](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/).
Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop and is designed to help users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/copilot/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it's possible for users to copy and paste sensitive information into the chat.
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index cf79d817d1..38ad01c865 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -164,6 +164,9 @@ This policy setting allows you to turn off Windows Copilot.
+
+> [!Note]
+> - The TurnOffWindowsCopilot policy listed isn't for the [new Copilot experience](https://blogs.windows.com/windows-insider/2024/05/31/announcing-windows-11-insider-preview-build-26120-751-dev-channel/) that is currently in some Windows Insider builds such as [Windows 11, version 24H2 in the Release Preview channel](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/).
From 7df56d8c6f83dcda3e8c2277c8e44573b2b52ae8 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 13 Jun 2024 12:21:57 -0700
Subject: [PATCH 24/29] manage-CPW
---
windows/client-management/manage-windows-copilot.md | 4 ++--
windows/client-management/mdm/policy-csp-windowsai.md | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
index 0dca7cc8aa..46d7c8c8dc 100644
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@@ -3,7 +3,7 @@ title: Manage Copilot in Windows
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: how-to
ms.subservice: windows-copilot
-ms.date: 06/12/2024
+ms.date: 06/13/2024
ms.author: mstewart
author: mestew
ms.collection:
@@ -19,7 +19,7 @@ appliesto:
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
> [!Note]
-> - This article along with the [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) policy listed isn't for the [new Copilot experience](https://blogs.windows.com/windows-insider/2024/05/31/announcing-windows-11-insider-preview-build-26120-751-dev-channel/) that is currently in some Windows Insider builds such as [Windows 11, version 24H2 in the Release Preview channel](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/).
+> - This article and the [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-copilot-in-windows-for-your-workforce/ba-p/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices.
Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop and is designed to help users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/copilot/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it's possible for users to copy and paste sensitive information into the chat.
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index 38ad01c865..85b838a4c2 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
-ms.date: 05/20/2024
+ms.date: 06/13/2024
---
@@ -166,7 +166,7 @@ This policy setting allows you to turn off Windows Copilot.
> [!Note]
-> - The TurnOffWindowsCopilot policy listed isn't for the [new Copilot experience](https://blogs.windows.com/windows-insider/2024/05/31/announcing-windows-11-insider-preview-build-26120-751-dev-channel/) that is currently in some Windows Insider builds such as [Windows 11, version 24H2 in the Release Preview channel](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/).
+> - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-copilot-in-windows-for-your-workforce/ba-p/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices.
From b3be6aefb8eba5f30e1975f1e0e723200081275b Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 13 Jun 2024 12:45:22 -0700
Subject: [PATCH 25/29] Update punctuation in smartscreen endpoint references
Add "." after "*" to make consistent with other articles
---
windows/privacy/manage-windows-11-endpoints.md | 2 +-
windows/privacy/manage-windows-1903-endpoints.md | 2 +-
windows/privacy/manage-windows-1909-endpoints.md | 2 +-
windows/privacy/manage-windows-2004-endpoints.md | 4 ++--
windows/privacy/manage-windows-20H2-endpoints.md | 2 +-
windows/privacy/manage-windows-21H1-endpoints.md | 2 +-
windows/privacy/manage-windows-21h2-endpoints.md | 2 +-
7 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 17c75eb970..bc67c5abe7 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -101,7 +101,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
||The following endpoint is used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLSv1.2/HTTPS/HTTP|login.live.com|
|Microsoft Defender Antivirus|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Defender Antivirus.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
||The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.|TLSv1.2/HTTPS|wdcp.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*.smartscreen-prod.microsoft.com|
|||HTTPS/HTTP|checkappexec.microsoft.com|
|||TLSv1.2/HTTP|ping-edge.smartscreen.microsoft.com|
|||HTTP|data-edge.smartscreen.microsoft.com|
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index f1f01ca287..4ac562a487 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -147,7 +147,7 @@ The following methodology was used to derive these network endpoints:
|||HTTPS|wdcp.microsoft.com|
|||HTTPS|definitionupdates.microsoft.com|
|||HTTPS|go.microsoft.com|
-||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications won't appear.|HTTPS|*smartscreen.microsoft.com|
+||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications won't appear.|HTTPS|*.smartscreen.microsoft.com|
|||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com|
|||HTTPS|unitedstates.smartscreen-prod.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index 3e1a8148e2..29a794c18b 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -100,7 +100,7 @@ The following methodology was used to derive these network endpoints:
|||HTTPS|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLS v1.2|wdcp.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS/TLS v1.2|*smartscreen-prod.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS/TLS v1.2|*.smartscreen-prod.microsoft.com|
|||HTTPS|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||HTTPS/TLS v1.2|arc.msn.com|
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index 31541d49e0..f9101f343c 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -97,8 +97,8 @@ The following methodology was used to derive these network endpoints:
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||TLSv1.2|wdcp.microsoft.com|
|||HTTPS|go.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
-|||HTTPS|*smartscreen.microsoft.com |
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*.smartscreen-prod.microsoft.com|
+|||HTTPS|*.smartscreen.microsoft.com |
|||HTTPS|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2|arc.msn.com|
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index 24cc4f16d4..2c635eb019 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -110,7 +110,7 @@ The following methodology was used to derive these network endpoints:
|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLSv1.2|wdcp.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*.smartscreen-prod.microsoft.com|
|||HTTPS/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
index 3e0d4e7336..ad7ef8acb4 100644
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -110,7 +110,7 @@ The following methodology was used to derive these network endpoints:
|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLSv1.2|wdcp.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*.smartscreen-prod.microsoft.com|
|||HTTPS/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
index 458536998a..1ad4793f0a 100644
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -108,7 +108,7 @@ The following methodology was used to derive these network endpoints:
|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLSv1.2|wdcp.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*.smartscreen-prod.microsoft.com|
|||HTTPS/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
From ef06a8e095b34287b798aa9eefe1ba3736ab0be1 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 13 Jun 2024 12:55:22 -0700
Subject: [PATCH 26/29] Update punctuation in displaycard endpoint references
Add "*" for consistency across articles
---
windows/privacy/manage-windows-11-endpoints.md | 2 +-
windows/privacy/manage-windows-1909-endpoints.md | 2 +-
windows/privacy/manage-windows-20H2-endpoints.md | 2 +-
windows/privacy/manage-windows-21H1-endpoints.md | 2 +-
windows/privacy/manage-windows-21h2-endpoints.md | 2 +-
.../windows-endpoints-1909-non-enterprise-editions.md | 6 +++---
.../windows-endpoints-2004-non-enterprise-editions.md | 4 ++--
7 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index bc67c5abe7..7c41ff3d2a 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -119,7 +119,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
-||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTP|share.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Microsoft To Do|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft To Do.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index 29a794c18b..033748df75 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -78,7 +78,7 @@ The following methodology was used to derive these network endpoints:
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLS v1.2|1storecatalogrevocation.storequality.microsoft.com|
|||HTTPS|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
-||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|HTTPS|displaycatalog.mp.microsoft.com/*|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|HTTPS|*displaycatalog.mp.microsoft.com/*|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index 2c635eb019..8ae07104f4 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -85,7 +85,7 @@ The following methodology was used to derive these network endpoints:
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
-||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTP|share.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
index ad7ef8acb4..0d0e1bd833 100644
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -85,7 +85,7 @@ The following methodology was used to derive these network endpoints:
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
-||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTP|share.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
index 1ad4793f0a..029867e536 100644
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -83,7 +83,7 @@ The following methodology was used to derive these network endpoints:
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
-||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTP|share.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index 25290f4d99..f62bc8e598 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -48,7 +48,7 @@ The following methodology was used to derive the network endpoints:
|config.teams.microsoft.com|HTTPS|Used for Microsoft Teams application
|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
|*.tlu.dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
-|displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Used to communicate with Microsoft Store
+|\*displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Used to communicate with Microsoft Store
|evoke-windowsservices-tas.msedge.net|HTTP/TLS v1.2|Used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser
|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Enables connections to Windows Update, Microsoft Update, and the online services of the Store
|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Used to download operating system patches, updates, and apps from Microsoft Store
@@ -115,7 +115,7 @@ The following methodology was used to derive the network endpoints:
|config.edge.skype.com|HTTP/TLS v1.2|Used to retrieve Skype configuration values
|config.teams.microsoft.com|HTTPS|Used for Microsoft Teams application
|ctldl.windowsupdate.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
-|displaycatalog.mp.microsoft.com*|HTTP/TLS v1.2|Microsoft Store
+|\*displaycatalog.mp.microsoft.com*|HTTP/TLS v1.2|Microsoft Store
|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Windows Update
|slscr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
@@ -176,7 +176,7 @@ The following methodology was used to derive the network endpoints:
|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Windows Update
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
|officehomeblobs.blob.core.windows.net|HTTP|Windows Telemetry
-|displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Microsoft Store
+|\*displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Microsoft Store
|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP|Used to communicate with Microsoft Store
|config.teams.microsoft.com|HTTPS|Teams
|api.asm.skype.com|TLS v1.2|Used to retrieve Skype configuration values
diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
index 2f3dc02c9e..bfe4a21c48 100644
--- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
@@ -54,7 +54,7 @@ The following methodology was used to derive the network endpoints:
|crl.microsoft.com|HTTPS|Skype
|ctldl.windowsupdate.com|HTTP|Certificate Trust List
|da.xboxservices.com|HTTPS|Microsoft Edge
-|displaycatalog.mp.microsoft.com|HTTPS|Microsoft Store
+|*displaycatalog.mp.microsoft.com|HTTPS|Microsoft Store
|dmd.metaservices.microsoft.com|HTTP|Device Authentication
|evoke-windowsservices-tas.msedge.net|TLSv1.2|Photos app
|fs.microsoft.com|TLSv1.2|Maps application
@@ -109,7 +109,7 @@ The following methodology was used to derive the network endpoints:
|ctldl.windowsupdate.com|HTTP|Certificate Trust List
|d2i2wahzwrm1n5.cloudfront.net|HTTPS|Microsoft Edge
|da.xboxservices.com|HTTPS|Microsoft Edge
-|displaycatalog.mp.microsoft.com|HTTPS|Microsoft Store
+|*displaycatalog.mp.microsoft.com|HTTPS|Microsoft Store
|dlassets-ssl.xboxlive.com|HTTPS|Xbox Live
|dmd.metaservices.microsoft.com|HTTP|Device Authentication
|evoke-windowsservices-tas.msedge.net|TLSv1.2|Photos app
From 20920f36e242c5a4fece4ab70ce1b9045ec0cdc3 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 13 Jun 2024 13:02:52 -0700
Subject: [PATCH 27/29] Fix formatting
---
windows/privacy/manage-windows-1909-endpoints.md | 2 +-
.../privacy/windows-endpoints-1909-non-enterprise-editions.md | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index 033748df75..7e47f156a7 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -78,7 +78,7 @@ The following methodology was used to derive these network endpoints:
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLS v1.2|1storecatalogrevocation.storequality.microsoft.com|
|||HTTPS|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
-||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|HTTPS|*displaycatalog.mp.microsoft.com/*|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|HTTPS|*displaycatalog.mp.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index f62bc8e598..8b479a788b 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -48,7 +48,7 @@ The following methodology was used to derive the network endpoints:
|config.teams.microsoft.com|HTTPS|Used for Microsoft Teams application
|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
|*.tlu.dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
-|\*displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Used to communicate with Microsoft Store
+|\*displaycatalog.mp.microsoft.com|HTTP/TLS v1.2|Used to communicate with Microsoft Store
|evoke-windowsservices-tas.msedge.net|HTTP/TLS v1.2|Used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser
|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Enables connections to Windows Update, Microsoft Update, and the online services of the Store
|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Used to download operating system patches, updates, and apps from Microsoft Store
@@ -176,7 +176,7 @@ The following methodology was used to derive the network endpoints:
|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Windows Update
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
|officehomeblobs.blob.core.windows.net|HTTP|Windows Telemetry
-|\*displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Microsoft Store
+|\*displaycatalog.mp.microsoft.com|HTTP/TLS v1.2|Microsoft Store
|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP|Used to communicate with Microsoft Store
|config.teams.microsoft.com|HTTPS|Teams
|api.asm.skype.com|TLS v1.2|Used to retrieve Skype configuration values
From fce9641e06130d4e467cc9f9d5cd33710beb1063 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 13 Jun 2024 13:08:39 -0700
Subject: [PATCH 28/29] Remove extra "*"
---
.../privacy/windows-endpoints-1909-non-enterprise-editions.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index 8b479a788b..90d651940c 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -115,7 +115,7 @@ The following methodology was used to derive the network endpoints:
|config.edge.skype.com|HTTP/TLS v1.2|Used to retrieve Skype configuration values
|config.teams.microsoft.com|HTTPS|Used for Microsoft Teams application
|ctldl.windowsupdate.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
-|\*displaycatalog.mp.microsoft.com*|HTTP/TLS v1.2|Microsoft Store
+|*displaycatalog.mp.microsoft.com|HTTP/TLS v1.2|Microsoft Store
|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Windows Update
|slscr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
From 717dd7502b1226a47d2ba6dcf280e3b73b65fd54 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 13 Jun 2024 15:09:43 -0700
Subject: [PATCH 29/29] Minor changes
---
.../essential-services-and-connected-experiences.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index 0c59bcd158..a1a6c53040 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 06/06/2024
+ms.date: 06/13/2024
ms.topic: reference
---
@@ -35,7 +35,7 @@ Although enterprise admins can turn off most essential services, we recommend, w
| **Essential service** | **Description** |
| --- | --- |
-|Authentication|The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and Activity History. Using a work or school account to sign in to Windows enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.
To turn it off, see [Microsoft Account](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#12-microsoft-account).|
+|Authentication|The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like Activity History. Using a work or school account to sign in to Windows enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.
To turn it off, see [Microsoft Account](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#12-microsoft-account).|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
To turn it off, see [Automatic Root Certificates Update](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update).|
|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.
[Learn more about Mobile Device Management](/windows/client-management/mdm-overview) |
|Device setup | The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.
To customize the initial setup experience, see [Customize Setup](/windows-hardware/customize/desktop/customize-oobe).|
@@ -61,7 +61,7 @@ Although enterprise admins can turn off most essential services, we recommend, w
|Input Method Editor (IME)|IME is a Windows feature that allows you to type East Asian languages such as Japanese, Chinese Simplified, Chinese Traditional, Korean, Indic, Vietnamese, as well as rule-based languages like Tamil, Adlam, and Osage.|
|Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
To turn it off, see [Location services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#182-location). |
|Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
To turn it off, see [Microsoft Defender Antivirus](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#24-microsoft-defender-antivirus). |
-|Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you can't block a website or warn users they may be accessing a malicious site.
To turn it off, see [Microsoft Defender SmartScreen](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#241-microsoft-defender-smartscreen). |
+|Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you can't block a website or warn users they may be accessing a malicious site.
To turn it off, see [Microsoft Defender SmartScreen](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#241-microsoft-defender-smartscreen). |
|Phone Link|Phone Link lets you find your mobile device notifications, messages, photos, mobile app list, and other mobile content from your Windows PC.|
|Troubleshooting Service | Windows troubleshooting service will automatically fix critical issues like corrupt settings that keep critical services from running. The service will also make adjustments to work with your hardware, or make other specific changes required for Windows to operate with the hardware, apps, and settings you’ve selected. In addition, it will recommend troubleshooting for other problems that aren’t critical to normal Windows operation but might impact your experience.
To turn it off, see [Troubleshooting service](/windows/client-management/mdm/policy-csp-troubleshooting). |
|Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
To turn it off, see [Speech recognition](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#186-speech). |
@@ -75,7 +75,7 @@ Although enterprise admins can turn off most essential services, we recommend, w
## Microsoft Edge essential services and connected experiences
-Windows ships with Microsoft Edge and Internet Explorer on Windows devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience.
+Windows ships with Microsoft Edge on Windows devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience.
You can find details on all of Microsoft Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper). To turn off specific Microsoft Edge features, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge).