From 4767b1cead72b08451d5640f1367c33c9ae2a021 Mon Sep 17 00:00:00 2001 From: Lee Yan Date: Fri, 17 May 2024 15:53:59 -0700 Subject: [PATCH 01/61] Update policy-csp-devicelock.md Adding a doc note per comment in bug below to reduce customer calls: https://microsoft.visualstudio.com/OS/_workitems/edit/39320736 DeviceLock/DevicePasswordExpiration is not supported through MDMWinsOverGP. --- windows/client-management/mdm/policy-csp-devicelock.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 1dea6a8e0c..02737a3f65 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -431,6 +431,9 @@ Specifies whether device lock is enabled. > - MaxInactivityTimeDeviceLock +[!NOTE] +DevicePasswordExpiration is not supported through MDMWinsOverGP. + **Description framework properties**: From 90919fda244728014069405fdfec0b1629ed0a59 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Thu, 13 Jun 2024 12:28:01 -0700 Subject: [PATCH 02/61] Update media-dynamic-update.md Changes to introduce checkpoint cumulative update. --- windows/deployment/update/media-dynamic-update.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index baae39d605..7ddf8d7fa0 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -13,7 +13,7 @@ appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Windows Server -ms.date: 12/05/2023 +ms.date: 06/20/2024 --- # Update Windows installation media with Dynamic Update 
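Review bot: in PATCH 01/61 (policy-csp-devicelock.md) the added alert is missing the blockquote prefix that the Learn alert syntax requires, so it will render as a literal `[!NOTE]` paragraph rather than a note box. Change `+[!NOTE]` and `+DevicePasswordExpiration is not supported through MDMWinsOverGP.` to `> [!NOTE]` and `> DevicePasswordExpiration is not supported through MDMWinsOverGP.`, which is the form used elsewhere in this repo (compare the `> [!NOTE]` block in the windows-sandbox-overview.md hunk later in this series). Since the point of the note is to stop support calls, consider naming the full policy path `DeviceLock/DevicePasswordExpiration` from the commit message so the note is found by search.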
@@ -38,10 +38,10 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so ## Acquire Dynamic Update packages -You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the needed files. The following tables show the key values to search for or look for in the results. +You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the files needed. The following tables show the key values to search for or look for in the results. ### Windows 11, version 22H2 Dynamic Update packages -**Title** can distinguish each Dynamic Package. Cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. +**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. | Update packages |Title | |-----------------------------------|---------------------------------------------------------------| 
@@ -75,7 +75,7 @@ If you want to customize the image with additional languages or Features on Dema ## Update Windows installation media -Properly updating the installation media involves a large number of actions operating on several different targets (image files). Some actions are repeated on different targets. The target images files include: +Properly updating the installation media involves many actions operating on several different targets (image files). Some actions are repeated on different targets. The target images files include: - Windows Preinstallation Environment (WinPE): a small operating system used to install, deploy, and repair Windows operating systems - Windows Recovery Environment (WinRE): repairs common causes of unbootable operating systems. WinRE is based on WinPE and can be customized with additional drivers, languages, optional packages, and other troubleshooting or diagnostic tools. 
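Review bot: the rewritten line in the `@@ -75,7 +75,7 @@` hunk still carries the pre-existing typo `The target images files include:`; since the sentence is being edited anyway, make it `The target image files include:`.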
@@ -119,6 +119,13 @@ You don't have to add more languages and features to the image to accomplish the Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month). + +### Checkpoint cumulative updates +Starting with Windows 11, version 24H2, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. + +To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call Add-WindowsPackage with the target cumulative update. The folder from PackagePath will be used to discover and install one or more checkpoints as needed. Only .MSU packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to Add-WindowsPackage (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23. + + ## Windows PowerShell scripts to apply Dynamic Updates to an existing image These examples are for illustration only, and therefore lack error handling. 
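Review bot: the new "Checkpoint cumulative updates" section says the folder from `PackagePath` is scanned and that `Only .MSU packages with a revision <= the target cumulative update will be processed`, but it never tells the reader that the folder must therefore contain nothing but the target cumulative update and its checkpoints; any other .msu with a lower revision sitting in that folder (an SSU or .NET update, for instance) would be picked up by the same scan. Add a sentence stating that constraint, and mention that the sample script's `$LCU_PATH` layout has to follow it. Formatting: put a blank line between `+### Checkpoint cumulative updates` and the paragraph that follows it, collapse the two added blank lines before `## Windows PowerShell scripts` to one, and set `Add-WindowsPackage` and `PackagePath` in code font as the rest of the article does for cmdlets.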
The script assumes that the following packages are stored locally in this folder structure: From db4e2de3175eb035b1842caacbaf9888ea510ef9 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Thu, 13 Jun 2024 13:11:11 -0700 Subject: [PATCH 03/61] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 7ddf8d7fa0..35c6c2a8d2 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -86,7 +86,7 @@ This table shows the correct sequence for applying the various tasks to the file |Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media | |-----------------------------------|-------------------|--------------------------------|------------------|-----------| -|Add servicing stack Dynamic Update | 1 | 9 | 17 | | +|Add servicing stack Dynamic Update | 1 | 9 | 17 | | |Add language pack | 2 | 10 | 18 | | |Add localized optional packages | 3 | | 19 | | |Add font support | 4 | | 20 | | From 16c7f1992c83d86c857354ca33f18247c69064e6 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Fri, 21 Jun 2024 10:28:45 -0700 Subject: [PATCH 04/61] Update media-dynamic-update.md Changes for checkpoints, and setuphost.exe --- .../deployment/update/media-dynamic-update.md | 139 ++++++++++-------- 1 file changed, 79 insertions(+), 60 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 35c6c2a8d2..d16fc5f901 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
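Review bot: the single hunk in PATCH 03/61 changes only trailing whitespace on the `|Add servicing stack Dynamic Update | 1 | 9 | 17 | |` table row, yet the commit message `Update media-dynamic-update.md` gives no hint of that; either say "whitespace only" in the message or fold the change into the neighbouring commit so reviewers don't hunt for a content change.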
@@ -13,7 +13,7 @@ appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Windows Server -ms.date: 06/20/2024 +ms.date: 06/28/2024 --- # Update Windows installation media with Dynamic Update @@ -157,12 +157,13 @@ $LANG_FONT_CAPABILITY = "jpan" # If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO. $FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso" -# Declare Dynamic Update packages -$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu" -$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu" -$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab" -$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab" -$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu" +# Declare Dynamic Update packages. A dedicated folder is used for the latest cumulative update, and as needed +# checkpoint cumulative updates. +$LCU_PATH = "C:\mediaRefresh\packages\CU\LCU.msu" +$SSU_PATH = "C:\mediaRefresh\packages\Other\SSU_DU.msu" +$SETUP_DU_PATH = "C:\mediaRefresh\packages\Other\Setup_DU.cab" +$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\Other\SafeOS_DU.cab" +$DOTNET_CU_PATH = "C:\mediaRefresh\packages\Other\DotNet_CU.msu" # Declare folders for mounted images and temp files $MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia" 
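Review bot: the `@@ -157,12 +157,13 @@` hunk moves the packages into `packages\CU\` and `packages\Other\` subfolders (`$LCU_PATH = "C:\mediaRefresh\packages\CU\LCU.msu"` and so on), but the folder-structure description that introduces the script ("The script assumes that the following packages are stored locally in this folder structure:") is not updated in this patch, so the documented layout and the variables now disagree. Update that description, and extend the new comment to say why the cumulative update gets a folder of its own: `Add-WindowsPackage` scans the `-PackagePath` folder for checkpoint packages, so the SSU, Setup DU, SafeOS DU and .NET packages must not be placed in `CU\`.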
@@ -218,14 +219,14 @@ This process is repeated for each edition of Windows within the main operating s # Update each main OS Windows image including the Windows Recovery Environment (WinRE) # -# Get the list of images contained within WinPE +# Get the list of images contained within the main OS $WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" Foreach ($IMAGE in $WINOS_IMAGES) { # first mount the main OS image Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)" - Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null + Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null if ($IMAGE.ImageIndex -eq "1") { 
@@ -244,19 +245,22 @@ Foreach ($IMAGE in $WINOS_IMAGES) { # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the - # combined cumulative update can be installed. + # combined cumulative update can be installed. # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update # Write-Output "$(Get-TS): Adding package $SSU_PATH" - # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null + # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null # Now, attempt the combined cumulative update. # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should # be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct # packages installed. + + Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE" try { + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null } Catch 
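Review bot: in the `@@ -244,19 +245,22 @@` hunk the progress message `Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE"` is placed before `try {` and a stray blank line is left as the first statement inside the try, while the equivalent WinPE hunk later in this patch puts the message inside the try block; pick one placement for both and drop the blank line. The hunk also re-touches the comment lines for trailing whitespace only; while those lines are being changed, fix the pre-existing typos `seperately` and `there may breaking change` (should read "there may be a breaking change").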
@@ -277,29 +281,27 @@ Foreach ($IMAGE in $WINOS_IMAGES) { # update. This second approach is commented out below. # Write-Output "$(Get-TS): Adding package $SSU_PATH" - # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null + # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null # # Optional: Add the language to recovery environment # # Install lp.cab cab - Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH" - Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null + Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinRE" + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null # Install language cabs for each optional package installed $WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT Foreach ($PACKAGE in $WINRE_INSTALLED_OC) { - if ( ($PACKAGE.PackageState -eq "Installed") ` - -and ($PACKAGE.PackageName.startsWith("WinPE-")) ` - -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) { + if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) { $INDEX = $PACKAGE.PackageName.IndexOf("-Package") if ($INDEX -ge 0) { $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab" if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) { $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB - Write-Output "$(Get-TS): Adding package $OC_CAB_PATH" + Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinRE" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null } } 
@@ -308,7 +310,7 @@ Foreach ($IMAGE in $WINOS_IMAGES) { # Add font support for the new language if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { - Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinRE" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null } @@ -316,16 +318,16 @@ Foreach ($IMAGE in $WINOS_IMAGES) { if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { - Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinRE" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null - Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH to WinRE" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null } } # Add Safe OS - Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH" + Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH to WinRE" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null # Perform image cleanup 
@@ -354,54 +356,54 @@ Foreach ($IMAGE in $WINOS_IMAGES) { # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these # cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published, - # and installed first before the combined cumulative update can be installed. + # and installed first before the combined cumulative update can be installed. # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update # Write-Output "$(Get-TS): Adding package $SSU_PATH" - # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null + # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null # Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e - Write-Output "$(Get-TS): Adding package $LCU_PATH" - Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null + Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)" + Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU # update. This second approach is commented out below. 
- # Write-Output "$(Get-TS): Adding package $SSU_PATH" - # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null + # Write-Output "$(Get-TS): Adding package $SSU_PATH to main OS, index $($IMAGE.ImageIndex)" + # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null # Optional: Add language to main OS - Write-Output "$(Get-TS): Adding package $OS_LP_PATH" - Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null + Write-Output "$(Get-TS): Adding package $OS_LP_PATH to main OS, index $($IMAGE.ImageIndex)" + Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null # Optional: Add a Features on Demand to the image - Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0" + Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)" Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null - Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0" + Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)" Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null - Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0" + Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)" Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null - Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0" + Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)" 
Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null - Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0" + Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)" Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null - Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0" + Write-Output "$(Get-TS): Adding language FOD: Language.Speech~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)" Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null # Note: If I wanted to enable additional Features on Demand, I'd add these here. # Add latest cumulative update - Write-Output "$(Get-TS): Adding package $LCU_PATH" + Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null # Perform image cleanup - Write-Output "$(Get-TS): Performing image cleanup on main OS" + Write-Output "$(Get-TS): Performing image cleanup on main OS, index $($IMAGE.ImageIndex)" DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null # 
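Review bot: in the `@@ -354,54 +356,54 @@` hunk the rewritten message `Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"` hardcodes `Jpan`, while the command beneath it installs `"Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0"`; interpolate `$LANG_FONT_CAPABILITY` in the message so the log matches what was installed when the variable is changed. The surrounding comments also reference `Step 18` for the main OS servicing stack step, whereas the table in this same file lists the SSU step as 9 for install.wim and 17 for boot.wim (and the WinPE block says `Step 9`); correct the step numbers while these lines are in the hunk.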
@@ -410,11 +412,11 @@ Foreach ($IMAGE in $WINOS_IMAGES) { # the image to be booted, and thus if we tried to cleanup after installation, it would fail. # - Write-Output "$(Get-TS): Adding NetFX3~~~~" + Write-Output "$(Get-TS): Adding NetFX3~~~~ to main OS, index $($IMAGE.ImageIndex)" Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null # Add .NET Cumulative Update - Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH" + Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH to main OS, index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null # Dismount @@ -427,6 +429,7 @@ Foreach ($IMAGE in $WINOS_IMAGES) { } Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null + ``` ### Update WinPE @@ -445,7 +448,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # update WinPE Write-Output "$(Get-TS): Mounting WinPE, image index $($IMAGE.ImageIndex)" - Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null + Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null # Add servicing stack update (Step 9 from the table) 
@@ -455,11 +458,11 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the - # combined cumulative update can be installed. + # combined cumulative update can be installed. # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update # Write-Output "$(Get-TS): Adding package $SSU_PATH" - # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null + # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null # Now, attempt the combined cumulative update. # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. @@ -468,6 +471,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { try { + Write-Output "$(Get-TS): Adding package $LCU_PATH to WinPE, image index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null } Catch 
@@ -488,19 +492,17 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # update. This second approach is commented out below. # Write-Output "$(Get-TS): Adding package $SSU_PATH" - # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null + # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null # Install lp.cab cab - Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH" - Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null + Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinPE, image index $($IMAGE.ImageIndex)" + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null # Install language cabs for each optional package installed $WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT Foreach ($PACKAGE in $WINPE_INSTALLED_OC) { - if ( ($PACKAGE.PackageState -eq "Installed") ` - -and ($PACKAGE.PackageName.startsWith("WinPE-")) ` - -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) { + if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) { $INDEX = $PACKAGE.PackageName.IndexOf("-Package") if ($INDEX -ge 0) { @@ -508,7 +510,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab" if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) { $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB - Write-Output "$(Get-TS): Adding package $OC_CAB_PATH" + Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinPE, image index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null } } 
@@ -517,7 +519,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # Add font support for the new language if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { - Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinPE, image index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null } @@ -525,10 +527,10 @@ Foreach ($IMAGE in $WINPE_IMAGES) { if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { - Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinPE, image index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null - Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" + Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH to WinPE, image index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null } } @@ -540,11 +542,11 @@ Foreach ($IMAGE in $WINPE_IMAGES) { } # Add latest cumulative update - Write-Output "$(Get-TS): Adding package $LCU_PATH" - Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null + Write-Output "$(Get-TS): Adding package $LCU_PATH to WinPE, image index $($IMAGE.ImageIndex)" + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null # Perform image cleanup - Write-Output "$(Get-TS): Performing image cleanup on WinPE" + Write-Output "$(Get-TS): Performing image cleanup on WinPE, image index $($IMAGE.ImageIndex)" DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null if ($IMAGE.ImageIndex -eq "2") { 
@@ -552,6 +554,18 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null + # Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder + # This is only required starting with Windows 11 version 24H2 + $TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex + if ($TEMP.Version -ge "10.0.26100.0000") { + + Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null + } + else { + + Write-Output "$(Get-TS): Skipping copy of setuphost.exe; image version $($TEMP.Version)" + } + # Save serviced boot manager files later copy to the root media. Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null 
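Review bot: `if ($TEMP.Version -ge "10.0.26100.0000") {` compares two strings, so PowerShell evaluates it lexicographically rather than numerically; it happens to give the right answer for the 10.0.2xxxx builds in scope, but it is fragile (a build number with a different digit count, or a value with fewer dotted parts, would compare incorrectly). Cast both sides, e.g. `if ([version]$TEMP.Version -ge [version]"10.0.26100.0") {`, and give `$TEMP` a descriptive name such as `$WINPE_IMAGE_INFO` so the check reads as what it is. The surrounding comment should also say that `setuphost.exe` is copied from boot.wim for the same binary-mismatch reason as `setup.exe` and only exists from build 26100 onward, which is why the version gate is there.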
@@ -587,21 +601,26 @@ cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PA Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sources\setup.exe" Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null +# Copy setuphost.exe from boot.wim, saved earlier. +if (Test-Path -Path $WORKING_PATH"\setuphost.exe") { + + Write-Output "$(Get-TS): Copying $WORKING_PATH\setuphost.exe to $MEDIA_NEW_PATH\sources\setuphost.exe" + Copy-Item -Path $WORKING_PATH"\setuphost.exe" -Destination $MEDIA_NEW_PATH"\sources\setuphost.exe" -Force -ErrorAction stop | Out-Null +} # Copy bootmgr files from boot.wim, saved earlier. $MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi Foreach ($File in $MEDIA_NEW_FILES){ - if (($File.Name -ieq "bootmgfw.efi") -or ` - ($File.Name -ieq "bootx64.efi") -or ` - ($File.Name -ieq "bootia32.efi") -or ` - ($File.Name -ieq "bootaa64.efi")) + if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi")) { + Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)" Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null } elseif ($File.Name -ieq "bootmgr.efi") { + Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)" Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null } From b268654d3f8b1a4d908b84a0e26711053afd2222 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Tue, 25 Jun 2024 09:13:42 -0700 Subject: [PATCH 05/61] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index d16fc5f901..1412f342e5 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -123,7 +123,7 @@ Optional Components, along with the .NET feature, can be installed offline, howe ### Checkpoint cumulative updates Starting with Windows 11, version 24H2, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. -To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call Add-WindowsPackage with the target cumulative update. The folder from PackagePath will be used to discover and install one or more checkpoints as needed. Only .MSU packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to Add-WindowsPackage (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23. +To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call Add-WindowsPackage with the target cumulative update. The folder from PackagePath will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the PackagePath folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to Add-WindowsPackage (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23. ## Windows PowerShell scripts to apply Dynamic Updates to an existing image 
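Review bot: the sentence added in this hunk, `Only the target cumulative update and checkpoint cumulative updates should be in the PackagePath folder.`, is the one operational constraint in this section that, if missed, silently changes what gets installed, yet it sits in the middle of a long paragraph; pull it into its own `> [!NOTE]` block (the alert form this repo already uses) so it isn't skimmed past. The change from `.MSU packages` to `Cumulative update packages` is an improvement; the commit message should mention the folder constraint since that is the substantive change here.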
@@ -557,7 +557,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder # This is only required starting with Windows 11 version 24H2 $TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex - if ($TEMP.Version -ge "10.0.26100.0000") { + if ($TEMP.Version -ge "10.0.26100") { Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null } From 46f4ff201412d40177864afcdbd0ccca09d937f1 Mon Sep 17 00:00:00 2001 From: Kavya N <168478594+kavyamsft@users.noreply.github.com> Date: Tue, 25 Jun 2024 14:50:01 -0700 Subject: [PATCH 06/61] Learn Editor: Update windows-sandbox-overview.md --- .../windows-sandbox/windows-sandbox-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md index adf405569f..a59d65972c 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md 
@@ -35,8 +35,8 @@ Windows Sandbox has the following properties: - At least two CPU cores (four cores with hyper-threading recommended) > [!NOTE] -> Windows Sandbox is currently not supported on Windows Home edition - +> Windows Sandbox is currently not supported on Windows Home edition. +> Beginning in Windows 11 24H2, or build version 26100, all inbox store apps like calculator, photos, notepad and terminal will not be available inside Windows Sandbox. Ability to use the apps will be added soon. ## Installation 1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11. From 2ab6eedfca821a9c9af503111de1d4519c86f657 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Wed, 26 Jun 2024 17:15:02 -0700 Subject: [PATCH 08/61] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 1412f342e5..7744433e14 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -61,7 +61,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https |Latest cumulative update | YYYY-MM Cumulative Update for Windows 11 | | | |Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 21H2 | | | -### For Windows 10, version 22H2 Dynamic Update packages +### Windows 10, version 22H2 Dynamic Update packages **Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update. | Update packages |Title |Product |Description | 
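Review bot: the two new `>` lines render as one note paragraph, so the Home edition sentence and the 24H2 sentence run together; separate them with a `>` blank line or make the second a note of its own. The blank line between the note and `## Installation` was also removed, so the heading now sits directly under the note; keep an empty line before the heading. "Windows 11 24H2, or build version 26100" reads as two alternatives; "Windows 11, version 24H2 (build 26100)" is clearer, and "Ability to use the apps will be added soon" is a promise that goes stale in reference docs, so state the limitation and leave out "soon".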
@@ -123,7 +123,7 @@ Optional Components, along with the .NET feature, can be installed offline, howe ### Checkpoint cumulative updates Starting with Windows 11, version 24H2, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. -To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call Add-WindowsPackage with the target cumulative update. The folder from PackagePath will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the PackagePath folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to Add-WindowsPackage (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23. +To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23. 
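Review bot: "The folder from `-PackagePath`" reads oddly now that the dash is shown; "the folder passed to `-PackagePath`" says what is meant. In the same line, the bare `<=` in "a revision <= the target cumulative update" is better written out as "at or below the target cumulative update" in prose, keeping operator symbols for code.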
## Windows PowerShell scripts to apply Dynamic Updates to an existing image From a8b6a453bac12bc288e67a9771d2e5fcaaa11a3c Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Thu, 27 Jun 2024 10:00:41 -0700 Subject: [PATCH 09/61] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 7744433e14..cc8bcdaca8 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -40,8 +40,8 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the files needed. The following tables show the key values to search for or look for in the results. -### Windows 11, version 22H2 Dynamic Update packages -**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. +### Windows 11, version 22H2 and later Dynamic Update packages +**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format. | Update packages |Title | |-----------------------------------|---------------------------------------------------------------| From 7730b540f7cfa963fe8fe04e449a906412ac1a2d Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Mon, 1 Jul 2024 09:46:22 -0700 Subject: [PATCH 10/61] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index cc8bcdaca8..486c52e3e7 100644 --- a/windows/deployment/update/media-dynamic-update.md 
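Review bot: missing space after the period in "for a given cumulative update.Titles below are for Windows 11, version 22H2." Also, since the heading now says "22H2 and later", consider stating the 23H2 and 24H2 difference explicitly (the version string in the title) instead of "have a similar format", so readers searching the catalog know what to substitute.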
+++ b/windows/deployment/update/media-dynamic-update.md @@ -557,7 +557,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder # This is only required starting with Windows 11 version 24H2 $TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex - if ($TEMP.Version -ge "10.0.26100") { + if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100") { Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null } From bd05c07c94dbc9a74c51258f2bae65a82b6a0537 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:36:19 -0700 Subject: [PATCH 11/61] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 486c52e3e7..cab9d7dee8 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -13,7 +13,7 @@ appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Windows Server -ms.date: 06/28/2024 +ms.date: 07/10/2024 --- # Update Windows installation media with Dynamic Update From a5f03be45bc2b90f1ef309c6c8a47351d2a6cbc1 Mon Sep 17 00:00:00 2001 
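Review bot: casting both sides with `[System.Version]` is the right fix for the earlier lexical string comparison; `[System.Version]"10.0.26100"` parses with a revision of -1, so every 10.0.26100.x image compares as greater or equal, which matches the comment "only required starting with Windows 11 version 24H2". A one-line comment saying the cast is deliberate (string `-ge` would compare character by character) would stop someone simplifying it back later.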
From: "Vinay Pamnani (from Dev Box)" Date: Wed, 10 Jul 2024 16:47:47 -0600 Subject: [PATCH 12/61] OS Security freshness --- .../block-untrusted-fonts-in-enterprise.md | 12 +- ...tions-for-app-related-security-policies.md | 26 +-- ...arding-to-assist-in-intrusion-detection.md | 150 +++++++++--------- .../get-support-for-security-baselines.md | 2 +- .../mbsa-removal-and-guidance.md | 4 +- .../security-compliance-toolkit-10.md | 2 +- .../windows-security-baselines.md | 4 +- .../operating-system-security/index.md | 2 +- .../cryptography-certificate-mgmt.md | 4 +- ...-the-health-of-windows-10-based-devices.md | 68 ++++---- .../secure-the-windows-10-boot-process.md | 8 +- .../system-security/trusted-boot.md | 8 +- .../available-settings.md | 58 +++---- .../enhanced-phishing-protection.md | 6 +- .../microsoft-defender-smartscreen/index.md | 2 +- 15 files changed, 175 insertions(+), 181 deletions(-) diff --git a/windows/security/operating-system-security/device-management/block-untrusted-fonts-in-enterprise.md b/windows/security/operating-system-security/device-management/block-untrusted-fonts-in-enterprise.md index 75a3f08635..fc6df9c4a9 100644 --- a/windows/security/operating-system-security/device-management/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/operating-system-security/device-management/block-untrusted-fonts-in-enterprise.md 
@@ -3,12 +3,12 @@ title: Block untrusted fonts in an enterprise description: To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. ms.localizationpriority: medium ms.topic: how-to -ms.date: 12/22/2023 +ms.date: 07/10/2024 --- # Block untrusted fonts in an enterprise -To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, we've created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%\Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. +To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, you can block untrusted fonts. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%\Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. ## What does this mean for me? 
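Review bot: the intro no longer says "we've created the Blocking Untrusted Fonts feature", but the `description:` front matter in the unchanged context still does; update both so the page summary and the body agree. In the new intro line, "stops your employees from loading untrusted fonts ... onto your network" is inaccurate: the setting stops GDI on that device from loading font files that live outside `%windir%\Fonts` into processes; it has nothing to do with the network, and "onto your network" should go.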
@@ -44,11 +44,11 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m **To turn on and use the Blocking Untrusted Fonts feature through Group Policy** 1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. -2. Click **Enabled** to turn on the feature, and then click one of the following **Mitigation Options**: +2. Select **Enabled** to turn on the feature, and then select one of the following **Mitigation Options**: - **Block untrusted fonts and log events.** Turns on the feature, blocking untrusted fonts and logging installation attempts to the event log. - **Do not block untrusted fonts.** Turns on the feature, but doesn't block untrusted fonts nor does it log installation attempts to the event log. - **Log events without blocking untrusted fonts**. Turns on the feature, logging installation attempts to the event log, but not blocking untrusted fonts. -3. Click **OK**. +3. Select **OK**. **To turn on and use the Blocking Untrusted Fonts feature through the registry** @@ -56,7 +56,7 @@ To turn this feature on, off, or to use audit mode: 1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. -3. Right click on the **MitigationOptions** key, and then click **Modify**. The **Edit QWORD (64-bit) Value** box opens. +3. Right select on the **MitigationOptions** key, and then select **Modify**. The **Edit QWORD (64-bit) Value** box opens. 4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: - **To turn this feature on.** Type **1000000000000**. - **To turn this feature off.** Type **2000000000000**. 
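Review bot: "Right select on the **MitigationOptions** key" in the second hunk is a find-and-replace error on "click"; it should read "Right-click the **MitigationOptions** key, and then select **Modify**", which also matches the unchanged step 2 above it that still says "right-click and add a new **QWORD (64-bit) Value**".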
@@ -114,7 +114,7 @@ After you figure out the problematic fonts, you can try to fix your apps in two **To fix your apps by installing the problematic fonts (recommended)** -On each computer with the app installed, right-click on the font name and click **Install**. The font should automatically install into your `%windir%\Fonts` directory. If it doesn't, you'll need to manually copy the font files into the **Fonts** directory and run the installation from there. +On each computer with the app installed, right-click on the font name and select **Install**. The font should automatically install into your `%windir%\Fonts` directory. If it doesn't, you need to manually copy the font files into the **Fonts** directory and run the installation from there. **To fix your apps by excluding processes** diff --git a/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies.md b/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies.md index ada9f32a4e..6ebc5f4369 100644 --- a/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies.md @@ -3,7 +3,7 @@ title: Override Process Mitigation Options description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies. ms.localizationpriority: medium ms.topic: how-to -ms.date: 12/22/2023 +ms.date: 07/10/2024 --- # Override Process Mitigation Options to help enforce app-related security policies 
@@ -13,10 +13,10 @@ Windows includes group policy-configurable "Process Mitigation Options" that add > [!IMPORTANT] > We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization's required apps. -The Group Policy settings in this topic are related to three types of process mitigations. All three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure more protections. The types of process mitigations are: +The Group Policy settings in this article are related to three types of process mitigations. All three types are on by default for 64-bit applications, but by using the Group Policy settings described in this article, you can configure more protections. The types of process mitigations are: -- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention). -- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection). 
+- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as nonexecutable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention). +- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they're compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection). - **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`. The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings. 
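Review bot: "regardless of whether they're compiled with the latest improvements" loses the point of the original tense; SEHOP is applied at run time to binaries that were compiled earlier, so "whether they were compiled with the latest improvements" is the accurate wording. The "nonexecutable" spelling is consistent with the table row B later in this file, so that part is fine.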
@@ -27,7 +27,7 @@ The following procedure describes how to use Group Policy to override individual ![Screenshot of the Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png) -2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you'll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic. +2. Select **Enabled**, and then in the **Options** area, select **Show** to open the **Show Contents** box, where you can add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this article. > [!IMPORTANT] > For each app you want to include, you must include: 
@@ -45,14 +45,14 @@ Here's a visual representation of the bit flag locations for the various Process Where the bit flags are read from right to left and are defined as: -| Flag | Bit location | Setting | Details | -|------|--------------|-----------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| A | 0 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` | Turns on Data Execution Prevention (DEP) for child processes. | -| B | 1 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` | Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. | -| C | 2 | `PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` | Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. | -| D | 8 | `PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` | Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren't dynamic base compatible. Images without the base relocation section won't be loaded if relocations are required. | -| E | 15 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` | Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. 
| -| F | 16 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` | Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. | +| Flag | Bit location | Setting | Details | +|--|--|--|--| +| A | 0 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` | Turns on Data Execution Prevention (DEP) for child processes. | +| B | 1 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` | Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept nonexecutable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. | +| C | 2 | `PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` | Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. | +| D | 8 | `PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` | Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren't dynamic base compatible. Images without the base relocation section aren't loaded if relocations are required. | +| E | 15 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` | Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. | +| F | 16 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` | Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. | ### Example 
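Review bot: the bit locations for flags E and F do not match their hex values and were carried over unchanged in the reformatted table: `0x00010000` is bit 16 and `0x00020000` is bit 17, not 15 and 16 (rows A through D are consistent, for example `0x00000100` is bit 8). Since this table is what readers use to build the bit field, fix the two numbers in the `+` rows while the table is being touched.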
diff --git a/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 100c5b8c1f..370ae5677a 100644 --- a/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/operating-system-security/device-management/use-windows-event-forwarding-to-assist-in-intrusion-detection.md 
@@ -3,14 +3,14 @@ title: Use Windows Event Forwarding to help with intrusion detection description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. ms.localizationpriority: medium ms.topic: how-to -ms.date: 12/22/2023 +ms.date: 07/10/2024 --- # Use Windows Event Forwarding to help with intrusion detection Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. -Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server. +Windows Event Forwarding (WEF) reads any operational or administrative event logged on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server. To accomplish this functionality, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects more events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. 
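Review bot: "reads any operational or administrative event logged on a device" changes the meaning of the sentence. WEF reads event logs (channels) and forwards selected events from them; the original "any operational or administrative event log on a device" was correct, and "event logged" should be reverted rather than treated as a wording cleanup.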
@@ -35,12 +35,12 @@ For the minimum recommended audit policy and registry system ACL settings, see [ > [!NOTE] > These are only minimum values need to meet what the WEF subscription selects. -From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts' direction. All devices should have access to the Baseline subscription. +From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription. This access would be determined by an algorithm or an analysts' direction. All devices should have access to the Baseline subscription. This system of dual subscription means you would create two base subscriptions: -- **Baseline WEF subscription**. Events collected from all hosts; these events include some role-specific events, which will only be emitted by those machines. -- **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems. +- **Baseline WEF subscription**. Events collected from all hosts; these events include some role-specific events, which will only be emitted by those machines. +- **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems. Each using the respective event query below. For the Targeted subscription, enabling the "read existing events" option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. 
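Review bot: "an analysts' direction" survives into the `+` line; it should be "an analyst's direction". While this hunk is being touched, the context line "These are only minimum values need to meet what the WEF subscription selects" needs "needed to meet", and "which will only be emitted" in the Baseline bullet keeps the future tense that the rest of this series is removing.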
@@ -58,7 +58,7 @@ The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channe ### Is WEF Push or Pull? -A WEF subscription can be configured to be pushed or pulled, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. +A WEF subscription can be configured to be pushed or pulled, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is preconfigured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. ### Will WEF work over VPN or RAS? 
@@ -67,7 +67,7 @@ WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and sen ### How is client progress tracked? The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source reconnects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a -WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it's active. This heartbeat value can be individually configured for each subscription. +WEF client has no events to send, the WEF client connects periodically to send a Heartbeat to the WEC server to indicate it's active. This heartbeat value can be individually configured for each subscription. ### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment? 
@@ -130,19 +130,19 @@ For collector initiated subscriptions: The subscription contains the list of mac ### Can a client communicate to multiple WEF Event Collectors? -Yes. If you desire a High-Availability environment, configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. +Yes. If you desire a High-Availability environment, configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. ### What are the WEC server's limitations? There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions. -- **Disk I/O**. The WEC server doesn't process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. -- **Network Connections**. While a WEF source doesn't maintain a permanent, persistent connection to the WEC server, it doesn't immediately disconnect after sending its events. This leniency means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. -- **Registry size**. For each unique device that connects to a WEF subscription, there's a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. 
If this information isn't pruned to remove inactive clients, this set of registry keys can grow to an unmanageable size over time. +- **Disk I/O**. The WEC server doesn't process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. +- **Network Connections**. While a WEF source doesn't maintain a permanent, persistent connection to the WEC server, it doesn't immediately disconnect after sending its events. This leniency means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. +- **Registry size**. For each unique device that connects to a WEF subscription, there's a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this information isn't pruned to remove inactive clients, this set of registry keys can grow to an unmanageable size over time. - - When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards. - - At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions. - - At >100,000 lifetime WEF sources, the registry won't be readable and the WEC server will likely have to be rebuilt. 
+ - When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards. + - At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions. + - At >100,000 lifetime WEF sources, the registry won't be readable and the WEC server will likely have to be rebuilt. ## Subscription information 
@@ -158,56 +158,56 @@ The subscription is essentially a collection of query statements applied to the To gain the most value out of the baseline subscription, we recommend having the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. -- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A - Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This policy ensures that the security event log is generating the required events. -- Apply at least an Audit-Only AppLocker policy to devices. +- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A - Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This policy ensures that the security event log is generating the required events. +- Apply at least an Audit-Only AppLocker policy to devices. - - If you're already allowing or restricting events by using AppLocker, then this requirement is met. - - AppLocker events contain useful information, such as file hash and digital signature information for executables and scripts. + - If you're already allowing or restricting events by using AppLocker, then this requirement is met. + - AppLocker events contain useful information, such as file hash and digital signature information for executables and scripts. -- Enable disabled event channels and set the minimum size for modern event files. -- Currently, there's no GPO template for enabling or setting the maximum size for the modern event files. This threshold must be defined by using a GPO. For more info, see [Appendix C - Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). +- Enable disabled event channels and set the minimum size for modern event files. +- Currently, there's no GPO template for enabling or setting the maximum size for the modern event files. 
This threshold must be defined by using a GPO. For more info, see [Appendix C - Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). The annotated event query can be found in the following. For more info, see [Appendix F - Annotated Suspect Subscription Event Query](#bkmk-appendixf). -- Anti-malware events from Microsoft Antimalware or Windows Defender. These events can be configured for any given anti-malware product easily if it writes to the Windows event log. +- Anti-malware events from Windows Security. These events can be configured for any given anti-malware product easily if it writes to the Windows event log. - Security event log Process Create events. - AppLocker Process Create events (EXE, script, packaged App installation and execution). - Registry modification events. For more info, see [Appendix B - Recommended minimum Registry System ACL Policy](#bkmk-appendixb). - OS startup and shutdown - - Startup events include operating system version, service pack level, QFE version, and boot mode. + - Startup events include operating system version, service pack level, QFE version, and boot mode. - Service install - - Includes what the name of the service, the image path, and who installed the service. + - Includes what the name of the service, the image path, and who installed the service. - Certificate Authority audit events - - These events are only applicable on systems with the Certificate Authority role installed. - - Logs certificate requests and responses. + - These events are only applicable on systems with the Certificate Authority role installed. + - Logs certificate requests and responses. - User profile events - - Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind. 
+ - Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind. - Service start failure - - Failure codes are localized, so you have to check the message DLL for values. + - Failure codes are localized, so you have to check the message DLL for values. - Network share access events - - Filter out IPC$ and /NetLogon file shares, which are expected and noisy. + - Filter out IPC$ and /NetLogon file shares, which are expected and noisy. - System shutdown initiate requests - - Find out what initiated the restart of a device. + - Find out what initiated the restart of a device. -- User-initiated interactive sign-out event +- User-initiated interactive sign out event - Remote Desktop Services sessions connect, reconnect, or disconnect. - EMET events, if EMET is installed. - Event forwarding plugin events - - For monitoring WEF subscription operations, such as Partial Success events. This event is useful for diagnosing deployment issues. + - For monitoring WEF subscription operations, such as Partial Success events. This event is useful for diagnosing deployment issues. - Network share creation and deletion 
@@ -217,111 +217,111 @@ The annotated event query can be found in the following. For more info, see [App - Sign-in sessions - - Sign-in success for interactive (local and Remote Interactive/Remote Desktop) - - Sign-in success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. - - Sign-in success for batch sessions - - Sign-in session close, which is sign-out events for non-network sessions. + - Sign-in success for interactive (local and Remote Interactive/Remote Desktop) + - Sign-in success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. + - Sign-in success for batch sessions + - Sign-in session close, which is sign out events for non-network sessions. - Windows Error Reporting (Application crash events only) - - This session can help detect early signs of intruder not familiar with enterprise environment using targeted malware. + - This session can help detect early signs of intruder not familiar with enterprise environment using targeted malware. - Event log service events - - Errors, start events, and stop events for the Windows Event Log service. + - Errors, start events, and stop events for the Windows Event Log service. - Event log cleared (including the Security Event Log) - - This event could indicate an intruder that is covering their tracks. + - This event could indicate an intruder that is covering their tracks. - Special privileges assigned to new sign in - - This assignation indicates that at the time of signing in, a user is either an Administrator or has the sufficient access to make themselves Administrator. + - This assignation indicates that at the time of signing in, a user is either an Administrator or has the sufficient access to make themselves Administrator. 
- Outbound Remote Desktop Services session attempts - - Visibility into potential beachhead for intruder + - Visibility into potential beachhead for intruder - System time changed - SMB Client (mapped drive connections) - Account credential validation - - Local accounts or domain accounts on domain controllers + - Local accounts or domain accounts on domain controllers - A user was added or removed from the local Administrators security group. - Crypto API private key accessed - - Associated with signing objects using the locally stored private key. + - Associated with signing objects using the locally stored private key. - Task Scheduler task creation and delete - - Task Scheduler allows intruders to run code at specified times as LocalSystem. + - Task Scheduler allows intruders to run code at specified times as LocalSystem. - Sign-in with explicit credentials - - Detect credential use changes by intruders to access more resources. + - Detect credential use changes by intruders to access more resources. - Smartcard card holder verification events - - This event detects when a smartcard is being used. + - This event detects when a smartcard is being used. ### Suspect subscription This subscription adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device. -- Sign-in session creation for network sessions +- Sign-in session creation for network sessions - - Enables time-series analysis of network graphs. + - Enables time-series analysis of network graphs. -- RADIUS and VPN events +- RADIUS and VPN events - - Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address assignment with remote IP address connecting to the enterprise. + - Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address assignment with remote IP address connecting to the enterprise. 
-- Crypto API X509 object and build chain events +- Crypto API X509 object and build chain events - - Detects known bad certificate, CA, or sub-CA - - Detects unusual process use of CAPI + - Detects known bad certificate, CA, or sub-CA + - Detects unusual process use of CAPI -- Groups assigned to local sign in +- Groups assigned to local sign in - - Gives visibility to groups that enable account-wide access - - Allows better planning for remediation efforts - - Excludes well known, built-in system accounts. + - Gives visibility to groups that enable account-wide access + - Allows better planning for remediation efforts + - Excludes well known, built-in system accounts. -- Sign-in session exit +- Sign-in session exit - - Specific for network sign-in sessions. + - Specific for network sign-in sessions. -- Client DNS lookup events +- Client DNS lookup events - - Returns what process performed a DNS query and the results returned from the DNS server. + - Returns what process performed a DNS query and the results returned from the DNS server. -- Process exit +- Process exit - - Enables checking for processes terminating unexpectedly. + - Enables checking for processes terminating unexpectedly. -- Local credential validation or signing in with explicit credentials +- Local credential validation or signing in with explicit credentials - - Generated when the local SAM is authoritative for the account credentials being authenticated. - - Noisy on domain controllers - - On client devices, it's only generated when local accounts sign in. + - Generated when the local SAM is authoritative for the account credentials being authenticated. + - Noisy on domain controllers + - On client devices, it's only generated when local accounts sign in. -- Registry modification audit events +- Registry modification audit events - - Only when a registry value is being created, modified, or deleted. + - Only when a registry value is being created, modified, or deleted. 
-- Wireless 802.1x authentication +- Wireless 802.1x authentication - - Detect wireless connection with a peer MAC address + - Detect wireless connection with a peer MAC address -- Windows PowerShell logging +- Windows PowerShell logging - - Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging improvements for in-memory attacks using Windows PowerShell. - - Includes Windows PowerShell remoting logging + - Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging improvements for in-memory attacks using Windows PowerShell. + - Includes Windows PowerShell remoting logging -- User Mode Driver Framework "Driver Loaded" event +- User Mode Driver Framework "Driver Loaded" event - - Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver. + - Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver. ## Appendix A - Minimum recommended minimum audit policy diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md index 7325710e0c..f0014cf81a 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md 
@@ -3,7 +3,7 @@ title: Get support for security baselines description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related articles. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 10/31/2023 +ms.date: 07/10/2024 --- # Get Support diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md index e68c6df87a..08bb94eda4 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/mbsa-removal-and-guidance.md @@ -2,7 +2,7 @@ title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. ms.localizationpriority: medium -ms.date: 07/11/2023 +ms.date: 07/10/2024 ms.topic: conceptual --- 
@@ -28,7 +28,7 @@ For example: [![Screenshot that shows the PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. -The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers. +The wsusscn2.cab file contains the metadata of only security updates, update rollups, and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools, or drivers. ## More information diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md index fa66e1ee5c..87e04bd53b 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md 
@@ -2,7 +2,7 @@ title: Microsoft Security Compliance Toolkit Guide description: This article describes how to use Security Compliance Toolkit in your organization. ms.topic: conceptual -ms.date: 10/31/2023 +ms.date: 07/10/2024 --- # Microsoft Security Compliance Toolkit - How to use diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md index 851c7a72c1..436a88a7a3 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md @@ -2,7 +2,7 @@ title: Security baselines guide description: Learn how to use security baselines in your organization. ms.topic: conceptual -ms.date: 07/11/2023 +ms.date: 07/10/2024 --- # Security baselines 
@@ -19,7 +19,7 @@ For more information, see the following blog post: [Sticking with well-known and ## What are security baselines? -Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be different from another organization. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. +Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be different from another organization. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital might focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. A security baseline is a group of Microsoft-recommended configuration settings that explains their security implication. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. diff --git a/windows/security/operating-system-security/index.md b/windows/security/operating-system-security/index.md index 4b093fe6f8..e8c0197c75 100644 --- a/windows/security/operating-system-security/index.md +++ b/windows/security/operating-system-security/index.md @@ -1,7 +1,7 @@ --- title: Windows operating system security description: Securing the operating system includes system security, encryption, network security, and threat protection. -ms.date: 08/02/2023 +ms.date: 07/10/2024 ms.topic: overview --- 
diff --git a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md index 3dab6e2b51..5cff1aedaa 100644 --- a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md +++ b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md @@ -2,7 +2,7 @@ title: Cryptography and Certificate Management description: Get an overview of cryptography and certificate management in Windows ms.topic: conceptual -ms.date: 08/11/2023 +ms.date: 07/10/2024 ms.reviewer: skhadeer, raverma --- 
@@ -12,7 +12,7 @@ ms.reviewer: skhadeer, raverma Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets. -Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources. +Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering occurred and proves the randomness for entropy sources. Windows cryptographic modules provide low-level primitives such as: diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index c30f214bdb..7cad827253 100644 --- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
+++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -1,7 +1,7 @@ --- title: Control the health of Windows devices description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows devices. -ms.date: 08/11/2023 +ms.date: 07/10/2024 ms.topic: conceptual --- @@ -11,7 +11,7 @@ This article details an end-to-end solution that helps you protect high-value as ## Introduction -For Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization's applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT. +For Bring Your Own Device (BYOD) scenarios, users bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization's applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT. Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they don't tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users manipulate corporate credentials and corporate data on unmanaged devices. 
@@ -27,7 +27,7 @@ Windows is an important component of an end-to-end security solution that focuse Today's computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there's no doubt that malware now targets both consumers and professionals in all industries. -During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary. +During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an ongoing basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary. With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it's an easy way to breach the security network perimeter, gain access to, and then steal high-value assets. 
@@ -97,7 +97,7 @@ This section describes what Windows offers in terms of security defenses and wha ### Windows hardware-based security defenses -The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. Windows supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-requirements) section. +The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and anti-malware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. Windows supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-requirements) section. :::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png"::: 
@@ -153,14 +153,14 @@ Windows supports features to help prevent sophisticated low-level malware like r - **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. - Traditional antimalware apps don't start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded. + Traditional anti-malware apps don't start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows anti-malware software to run early in the boot sequence. Thus, the anti-malware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured anti-malware is loaded. - ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it. 
+ ELAM can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it. > [!NOTE] > Windows Defender, Microsoft's antimalware included by default in Windows, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender's mini-filter driver before shutdown or reboot. - The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. + The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the anti-malware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. The ELAM driver is a small driver with a small policy database that has a narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). 
@@ -170,9 +170,9 @@ Windows supports features to help prevent sophisticated low-level malware like r - **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run. - When enabled and configured, Windows can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. + When enabled and configured, Windows can start the Hyper-V Virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or after startup. - HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code can't be directly modified. + HVCI uses Virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code can't be directly modified. > [!NOTE] > Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) blog post. 
@@ -184,17 +184,17 @@ Windows supports features to help prevent sophisticated low-level malware like r In Windows, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack. - This attack-free state is accomplished by using Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. This accomplishment means that even if the Windows kernel is compromised, an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this unauthorized access because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory. + This attack-free state is accomplished by using Hyper-V and the new Virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. This accomplishment means that even if the Windows kernel is compromised, an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this unauthorized access because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory. - **Health attestation.** The device's firmware logs the boot process, and Windows can send it to a trusted server that can check and assess the device's health. - Windows takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they're taken and measured sequentially, not all at once. 
When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset. + Windows takes measurements of the UEFI firmware and each of the Windows and anti-malware components are made as they load during the boot process. Additionally, they're taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset. For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](/previous-versions/windows/hardware/design/dn653311(v=vs.85)). During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For more security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device. - Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation won't stop the boot process and enter remediation when a measurement doesn't work. But with conditional access control, health attestation will help to prevent access to high-value assets. + Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an anti-malware or an MDM vendor. Unlike Secure Boot, health attestation won't stop the boot process and enter remediation when a measurement doesn't work. But with conditional access control, health attestation helps to prevent access to high-value assets. 
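Review bot: The measurement sentence in the @@ -184 hunk stays ungrammatical after the antimalware/anti-malware substitution: "Windows takes measurements of the UEFI firmware and each of the Windows and anti-malware components are made as they load during the boot process." Suggest "Windows measures the UEFI firmware and each Windows and anti-malware component as it loads during the boot process." so the subject and verb agree.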
### Virtualization-based security 
@@ -202,16 +202,16 @@ Virtualization-based security provides a new trust boundary for Windows and uses Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Virtualization-based security isn't trying to protect against a physical attacker. -The following Windows services are protected with virtualization-based security: +The following Windows services are protected with Virtualization-based security: - **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory -- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. +- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new Virtualization-based security in Windows to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. - **Other isolated services**: for example, on Windows Server 2016, there's the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. > [!NOTE] > Virtualization-based security is only available with Enterprise edition. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. 
-The schema below is a high-level view of Windows with virtualization-based security. +The schema below is a high-level view of Windows with Virtualization-based security. :::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png"::: @@ -231,7 +231,7 @@ credential isolation is enabled, it then spawns LsaIso.exe as an isolated proces Device Guard is a feature of Windows Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those applications that are trusted by the organization. -The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. +The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in Virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows, kernel-mode drivers must be digitally signed. 
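Review bot: The NOTE in the @@ -202 hunk has a stray period in "IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.", and "Secure Memory overwritten" reads like a garbled feature name; since the hunk already touches the lines directly above it, this copyedit pass should fix the punctuation and confirm the intended term.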
@@ -252,7 +252,7 @@ Device Guard needs to be planned and configured to be truly effective. It isn't There are three different parts that make up the Device Guard solution in Windows: - The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start. -- After the hardware security feature, there's the code integrity engine. In Windows, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. +- After the hardware security feature, there's the code integrity engine. In Windows, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by Virtualization-based security. - The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs). For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). 
@@ -270,7 +270,7 @@ To protect high-value assets, SAWs are used to make secure connections to those Similarly, on corporate fully managed workstations, where applications are installed by using a distribution tool like Microsoft Configuration Manager, Intune, or any third-party device management, then Device Guard is applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. -It could be challenging to use Device Guard on corporate, lightly managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it's difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. +It could be challenging to use Device Guard on corporate, lightly managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it's difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log contains a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows, along with restrictions on Windows script hosts. 
Device Guard Code Integrity policy restricts what code can run on a device. @@ -286,14 +286,14 @@ Device Guard policy into the UpdateSigner section. On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows. -With Windows, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal +With Windows, organizations make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps are available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Microsoft Store are signed. In organizations today, many LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for various reasons, like the lack of code signing expertise. Even if code signing is a best practice, many internal applications aren't signed. Windows includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create more signatures that can be distributed along with existing applications. -### Why are antimalware and device management solutions still necessary? +### Why are anti-malware and device management solutions still necessary? Although allowlist mechanisms are efficient at ensuring that only trusted applications can be run, they can't prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn't protect against user mode malicious code run by exploiting vulnerabilities. 
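Review bot: Changing the heading "### Why are antimalware and device management solutions still necessary?" to "anti-malware" in the @@ -286 hunk changes its generated anchor (why-are-antimalware-... becomes why-are-anti-malware-...), so any inbound links or redirects that point at the old fragment break; check for them and update them or add a redirect. The same applies to "## Related topics" becoming "## Related articles" at @@ -756.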
@@ -301,7 +301,7 @@ Vulnerabilities are weaknesses in software that could allow an attacker to compr It's common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the operating system and kernel mode drivers that host them. -To combat these threats, patching is the single most effective control, with antimalware software forming complementary layers of defense. +To combat these threats, patching is the single most effective control, with anti-malware software forming complementary layers of defense. Most application software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities. 
@@ -319,15 +319,15 @@ For more information on device health attestation, see the [Detect an unhealthy ### Hardware requirements -The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview). +The following table details the hardware requirements for both Virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview). |Hardware|Motivation| |--- |--- | |UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"| -|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security. **Note:** Device Guard can be enabled without using virtualization-based security.| -|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86). Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.| +|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support Virtualization-based security. **Note:** Device Guard can be enabled without using Virtualization-based security.| +|X64 processor|Required to support Virtualization-based security that uses Windows Hypervisor. 
Hyper-V is supported only on x64 processor (and not on x86). Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.| |IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows enhances system resiliency against DMA attacks.| -|Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)| +|Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for Virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)| This section presented information about several closely related controls in Windows . The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. 
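Review bot: The closing paragraph in the trailing context of the @@ -319 hunk still has a stray space before the period in "several closely related controls in Windows ."; it is worth fixing while the table rows above it are being edited.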
@@ -335,7 +335,7 @@ This section presented information about several closely related controls in Win As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. -The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. +The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before anti-malware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with anti-malware running. As previously discussed, the health attestation feature of Windows uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows kernel, and even early boot drivers. Because health attestation uses the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. 
@@ -345,9 +345,9 @@ After the devices attest a trusted boot state, they can prove that they aren't r To understand the concept of device health, it's important to know traditional measures that IT pros have taken to prevent the breach of malware. Malware control technologies are highly focused on the prevention of installation and distribution. -However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organization's resources. +However, the use of traditional malware prevention technologies like anti-malware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organization's resources. -The definition of device compliance will vary based on an organization's installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy. +The definition of device compliance will vary based on an organization's installed anti-malware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy. The health of the device isn't binary and depends on the organization's security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by using trustworthy hardware TPM. 
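Review bot: "The definition of device compliance will vary" in the @@ -345 hunk keeps the future tense that the rest of this change removes elsewhere (for example "the event log contains" at @@ -270 and "health attestation helps" at @@ -184); "varies" would be consistent.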
@@ -364,13 +364,13 @@ A relying party like an MDM can inspect the report generated by the remote healt > [!NOTE] > To use the health attestation feature of Windows, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows. -Windows supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. +Windows supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an anti-malware or an MDM agent. Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system. -In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. This reason is what makes it important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. +In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the anti-malware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. This reason is what makes it important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. 
-The antimalware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component. +The anti-malware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component. Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process. @@ -602,7 +602,7 @@ The figure below shows how the Health Attestation Service is expected to work wi :::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png"::: -An MDM solution can then use health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device's ability to prove that it's malware free, its antimalware system is functional and up to date, the +An MDM solution can then use health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device's ability to prove that it's malware free, its anti-malware system is functional and up to date, the firewall is running, and the devices patch state is compliant. Finally, resources can be protected by denying access to endpoints that are unable to prove they're healthy. This feature is much needed for BYOD devices that need to access organizational resources. 
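Review bot: In the @@ -602 hunk, "client policies that will enable conditional access" keeps "will" while the rest of this change moves to present tense, and the continuation line "the devices patch state is compliant" needs a possessive: "the device's patch state is compliant". Both sit on the line this hunk rewrites or the context line immediately after it.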
@@ -736,7 +736,7 @@ The following list contains high-level key takeaways to improve the security pos - **Use virtualization-based security** - When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers. + When you have Kernel Mode Code Integrity protected by Virtualization-based security, the code integrity rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind that Device Guard devices that run Kernel Code Integrity with Virtualization-based security must have compatible drivers. - **Start to deploy Device Guard with Audit mode** @@ -756,7 +756,7 @@ The following list contains high-level key takeaways to improve the security pos Health attestation is a key feature of Windows that includes client and cloud components to control access to high-value assets based on a user and their device's identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. -## Related topics +## Related articles - [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) - [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide) diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md index 3daa0cbf86..c931ca2dcb 100644 
--- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md +++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md @@ -2,7 +2,7 @@ title: Secure the Windows boot process description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications. ms.topic: conceptual -ms.date: 08/11/2023 +ms.date: 07/10/2024 ms.collection: - tier1 --- 
@@ -73,7 +73,7 @@ These requirements help protect you from rootkits while allowing you to run any To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings. -The default state of Secure Boot has a wide circle of trust, which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions - much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible. +The default state of Secure Boot has a wide circle of trust, which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. 
A customer who intended to only trust and boot a single Linux distribution will trust all distributions - more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible. To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps: 
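Review bot: The typo "increase s the attack surface" survives in the + line of the @@ -73 hunk; it should read "increases the attack surface". The link "[firmware-level rootkit]( https://www.darkreading.com/...)" also keeps a leading space inside the parentheses, which some Markdown renderers treat as literal text rather than a link; remove the space while the line is being rewritten.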
@@ -91,11 +91,11 @@ Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT de Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. -## Early Launch Anti-Malware +## Early Launch anti-malware Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don't start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. -Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the OS hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows doesn't load it. +Early Launch anti-malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the OS hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows doesn't load it. 
An ELAM driver isn't a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows) supports ELAM, as does several non-Microsoft anti-malware apps. diff --git a/windows/security/operating-system-security/system-security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md index 431c65c17d..4da0621dc6 100644 --- a/windows/security/operating-system-security/system-security/trusted-boot.md +++ b/windows/security/operating-system-security/system-security/trusted-boot.md @@ -2,7 +2,7 @@ title: Secure Boot and Trusted Boot description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11 ms.topic: conceptual -ms.date: 10/30/2023 +ms.date: 07/10/2024 ms.reviewer: jsuther appliesto: - "✅ Windows 11" 
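Review bot: Lowercasing the heading to "## Early Launch anti-malware" in the @@ -91 hunk of secure-the-windows-10-boot-process.md turns the expansion of the ELAM acronym into a generic phrase; the feature name is conventionally capitalized, so "Early Launch Anti-Malware (ELAM)" should stay as it was even if the generic term elsewhere becomes "anti-malware". The trailing context line "Windows Defender (included with Windows) supports ELAM, as does several non-Microsoft anti-malware apps." also needs "as do several".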
@@ -10,15 +10,15 @@ appliesto: # Secure Boot and Trusted Boot -*This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.* +This article describes Secure Boot and Trusted Boot, security measures built into Windows 11. Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. ## Secure Boot -The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. +The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences safely finish their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. -As the PC begins the boot process, it first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with. 
+As the PC begins the boot process, it first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system, and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with. ## Trusted Boot diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md index 5968d29a6c..a416410eb0 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md 
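Review bot: the reworded opening of the Secure Boot paragraph still repeats itself, "after the initial hardware and firmware boot sequences safely finish their early boot sequences", and says nothing the original did not; suggest "after the initial hardware and firmware boot sequences have safely completed". The comma added in "checks all code that runs before the operating system, and checks the OS bootloader's digital signature" splits two verbs that share one subject and should be dropped. Removing the italics from the lead sentence is fine.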
@@ -1,65 +1,59 @@ --- -title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings +title: Available Microsoft Defender SmartScreen settings description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings. -ms.date: 08/11/2023 +ms.date: 07/10/2024 ms.topic: reference --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings -Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. +Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show users a warning page and let them continue to the site, or you can block the site entirely. -See [Windows 10 and Windows 11 settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. +See [Windows settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. + +> [!NOTE] +> For a list of settings available for Enhanced phishing protection, see [Enhanced phishing protection](enhanced-phishing-protection.md#configure-enhanced-phishing-protection-for-your-organization). ## Group Policy settings SmartScreen uses registry-based Administrative Template policy settings. 
-Setting|Supported on|Description| -|--- |--- |--- | -|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

**At least Windows Server 2012, Windows 8 or Windows RT**|This policy setting turns on Microsoft Defender SmartScreen.

If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.| -|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting doesn't protect against malicious content from USB devices, network shares, or other non-internet sources.

**Important:** Using a trustworthy browser helps ensure that these protections work as expected.| -|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen|Microsoft Edge on Windows 10 or Windows 11|This policy setting turns on Microsoft Defender SmartScreen.

If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.| -|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.| -|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.| -|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.

If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that aren't on the filter's allowlist are sent automatically to Microsoft without prompting the employee.

If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.| -|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings|Internet Explorer 8 or later|This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.

If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| -|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that aren't commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users don't commonly download from the Internet.

If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| +|Setting|Description| +|---|--- | +|Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen | This policy setting turns on Microsoft Defender SmartScreen.

If you enable this setting, it turns on Microsoft Defender SmartScreen and your users are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your users or Warn and prevent bypassing the message (effectively blocking the user from the site).

If you disable this setting, it turns off Microsoft Defender SmartScreen and your users are unable to turn it on.

If you don't configure this setting, your users can decide whether to use Microsoft Defender SmartScreen.| +|Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure App Install Control| This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting doesn't protect against malicious content from USB devices, network shares, or other non-internet sources.

**Important:** Using a trustworthy browser helps ensure that these protections work as expected.| +|Administrative Templates > Windows Components > Windows Defender SmartScreen > Microsoft Edge > Configure Windows Defender SmartScreen | This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your users from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on.

If you enable this setting, Windows Defender SmartScreen is turned on, and users can't turn it off.

If you disable this setting, Windows Defender SmartScreen is turned off, and users can't turn it on.

If you don't configure this setting, users can choose whether to use Windows Defender SmartScreen. | +|Administrative Templates > Windows Components > Windows Defender SmartScreen > Microsoft Edge > Prevent bypassing Windows Defender SmartScreen prompts for sites | This policy setting lets you decide whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites.

If you enable this setting, users can't ignore Windows Defender SmartScreen warnings and they're blocked from continuing to the site.

If you disable or don't configure this setting, users can ignore Windows Defender SmartScreen warnings and continue to the site. | ## MDM settings If you manage your policies using Microsoft Intune, use these MDM policy settings. All settings support desktop computers running Windows 10/11 Pro or Windows 10/11 Enterprise, enrolled with Microsoft Intune. -For Microsoft Defender SmartScreen Microsoft Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser). - -|Setting|Supported versions|Details| -|--- |--- |--- | -|AllowSmartScreen|Windows 10|
  • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
  • **Data type.** Integer
  • **Allowed values:**
    • **0 .** Turns off Microsoft Defender SmartScreen in Microsoft Edge.
    • **1.** Turns on Microsoft Defender SmartScreen in Microsoft Edge.| -|EnableAppInstallControl|Windows 10, version 1703|
    • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
    • **Data type.** Integer
    • **Allowed values:**
      • **0 .** Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
      • **1.** Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.| -|EnableSmartScreenInShell|Windows 10, version 1703|
      • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
      • **Data type.** Integer
      • **Allowed values:**
        • **0 .** Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
        • **1.** Turns on Microsoft Defender SmartScreen in Windows for app and file execution.| -|PreventOverrideForFilesInShell|Windows 10, version 1703|
        • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
        • **Data type.** Integer
        • **Allowed values:**
          • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
          • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.| -|PreventSmartScreenPromptOverride|Windows 10, Version 1511 and Windows 11|
          • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
          • **Data type.** Integer
          • **Allowed values:**
            • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings.
            • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings.| -|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 and Windows 11|
            • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
            • **Data type.** Integer
            • **Allowed values:**
              • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings for files.
              • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings for files.| +- [AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#allowsmartscreen) +- [EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen.md#enableappinstallcontrol) +- [EnableSmartScreenInShell](/windows/client-management/mdm/policy-csp-smartscreen.md#enablesmartscreeninshell) +- [PreventOverrideForFilesInShell](/windows/client-management/mdm/policy-csp-smartscreen.md#preventoverrideforfilesinshell) +- [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-csp-browser.md#preventsmartscreenpromptoverride) +- [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-csp-browser.md#preventsmartscreenpromptoverrideforfiles) ## Recommended Group Policy and MDM settings for your organization -By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. +By default, Microsoft Defender SmartScreen lets users bypass warnings. Unfortunately, this feature can let users continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings. |Group Policy setting|Recommendation| |--- |--- | -|Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

                Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)|**Enable.** Turns on Microsoft Defender SmartScreen.| -|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

                Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)|**Enable.** Stops employees from ignoring warning messages and continuing to a potentially malicious website.| -|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

                Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)|**Enable.** Stops employees from ignoring warning messages and continuing to download potentially malicious files.| -|Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen|**Enable with the Warn and prevent bypass option.** Stops employees from ignoring warning messages about malicious files downloaded from the Internet.| +|Administrative Templates > Windows Components > Microsoft Edge > Configure Windows Defender SmartScreen|**Enable.** Turns on Microsoft Defender SmartScreen.| +|Administrative Templates > Windows Components > Microsoft Edge > Prevent bypassing Windows Defender SmartScreen prompts for sites|**Enable.** Stops users from ignoring warning messages and continuing to a potentially malicious website.| +|Administrative Templates > Windows Components > Explorer > Configure Windows Defender SmartScreen|**Enable with the Warn and prevent bypass option.** Stops users from ignoring warning messages about malicious files downloaded from the Internet.| |MDM setting|Recommendation| |--- |--- | |Browser/AllowSmartScreen|**1.** Turns on Microsoft Defender SmartScreen.| -|Browser/PreventSmartScreenPromptOverride|**1.** Stops employees from ignoring warning messages and continuing to a potentially malicious website.| -|Browser/PreventSmartScreenPromptOverrideForFiles|**1.** Stops employees from ignoring warning messages and continuing to download potentially malicious files.| +|Browser/PreventSmartScreenPromptOverride|**1.** Stops users from ignoring warning messages and continuing to a potentially malicious website.| +|Browser/PreventSmartScreenPromptOverrideForFiles|**1.** Stops users from ignoring warning messages and continuing to download potentially malicious files.| |SmartScreen/EnableSmartScreenInShell|**1.** Turns on Microsoft 
Defender SmartScreen in Windows.

                Requires at least Windows 10, version 1703.| -|SmartScreen/PreventOverrideForFilesInShell|**1.** Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                Requires at least Windows 10, version 1703.| +|SmartScreen/PreventOverrideForFilesInShell|**1.** Stops users from ignoring warning messages about malicious files downloaded from the Internet.

                Requires at least Windows 10, version 1703.| ## Related articles diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 38921c5358..b05b845919 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -1,7 +1,7 @@ --- title: Enhanced Phishing Protection in Microsoft Defender SmartScreen description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. -ms.date: 11/02/2023 +ms.date: 07/10/2024 ms.topic: conceptual appliesto: - ✅ Windows 11, version 22H2 @@ -37,7 +37,7 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc ## Configure Enhanced Phishing Protection for your organization -Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO or CSP. +Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO, or CSP. | Setting | Description | |--|--| 
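Review bot: in the available-settings.md hunk (@@ -1,65 +1,59 @@), five of the six new MDM links carry a `.md` extension before the anchor (`/windows/client-management/mdm/policy-csp-smartscreen.md#enableappinstallcontrol`, `/windows/client-management/mdm/policy-csp-browser.md#preventsmartscreenpromptoverride`, and so on) while the first, `/windows/client-management/mdm/policy-csp-browser#allowsmartscreen`, does not; site-relative docs links take no extension, so drop `.md` from all five or they will 404. The front-matter title is changed to "Available Microsoft Defender SmartScreen settings" but the unchanged H1 still reads "Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings"; align the two. The rebuilt Group Policy table uses the paths `Administrative Templates > Windows Components > Windows Defender SmartScreen > Microsoft Edge > ...` and `... > Windows Defender SmartScreen > Explorer > ...`, whereas the rebuilt recommendations table uses `Administrative Templates > Windows Components > Microsoft Edge > ...` and `... > Windows Components > Explorer > ...`; one of the two is wrong, and a reader following the recommendation will not find the setting. The recommendations table also drops the "Prevent bypassing ... prompts for files" Group Policy row while the MDM recommendations still list Browser/PreventSmartScreenPromptOverrideForFiles, so the two halves no longer recommend the same protection. Finally, the removed rows distinguished "(Microsoft Edge version 45 and earlier)" from "(Microsoft Edge version 77 or later)" and carried the `Administrative Templates > Microsoft Edge > SmartScreen settings` path for current Edge; the replacement keeps only the older path with no version qualifier, and the new Edge rows say "Windows Defender SmartScreen" where the rest of the page says "Microsoft Defender SmartScreen".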
@@ -51,7 +51,7 @@ Enhanced Phishing Protection allows organizations to add their custom identity p To add your organization's custom sign-in URL to Enhanced Phishing Protection, configure the `EnableWebSignIn` policy in the [Authentication Policy CSP](/windows/client-management/mdm/policy-csp-authentication#enablewebsignin). For more information, see [Web sign-in for Windows](../../../identity-protection/web-sign-in/index.md). -Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. +Follow these instructions to configure your devices using either Microsoft Intune, GPO, or CSP. #### [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md index b5af241045..56fc48b2bf 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender SmartScreen overview description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. -ms.date: 08/11/2023 +ms.date: 07/10/2024 ms.topic: conceptual appliesto: - ✅ Windows 11 From 0f97bb0b4781aea4636fb288201e6d4caa9bf036 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Wed, 10 Jul 2024 16:56:53 -0600 Subject: [PATCH 13/61] Fix links --- .../available-settings.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md index a416410eb0..3d92583855 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md 
@@ -29,11 +29,11 @@ SmartScreen uses registry-based Administrative Template policy settings. If you manage your policies using Microsoft Intune, use these MDM policy settings. All settings support desktop computers running Windows 10/11 Pro or Windows 10/11 Enterprise, enrolled with Microsoft Intune. - [AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#allowsmartscreen) -- [EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen.md#enableappinstallcontrol) -- [EnableSmartScreenInShell](/windows/client-management/mdm/policy-csp-smartscreen.md#enablesmartscreeninshell) -- [PreventOverrideForFilesInShell](/windows/client-management/mdm/policy-csp-smartscreen.md#preventoverrideforfilesinshell) -- [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-csp-browser.md#preventsmartscreenpromptoverride) -- [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-csp-browser.md#preventsmartscreenpromptoverrideforfiles) +- [EnableAppInstallControl](/windows/client-management/mdm/policy-csp-smartscreen#enableappinstallcontrol) +- [EnableSmartScreenInShell](/windows/client-management/mdm/policy-csp-smartscreen#enablesmartscreeninshell) +- [PreventOverrideForFilesInShell](/windows/client-management/mdm/policy-csp-smartscreen#preventoverrideforfilesinshell) +- [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-csp-browser#preventsmartscreenpromptoverride) +- [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-csp-browser#preventsmartscreenpromptoverrideforfiles) ## Recommended Group Policy and MDM settings for your organization From a2a1479ccd2497e627f6a3fe14c025086bffa0c3 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Thu, 11 Jul 2024 10:17:23 -0600 Subject: [PATCH 14/61] Mo-updates --- .../microsoft-defender-smartscreen/available-settings.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) 
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md index 3d92583855..d53d8c5dc7 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md @@ -4,7 +4,8 @@ description: A list of all available settings for Microsoft Defender SmartScreen ms.date: 07/10/2024 ms.topic: reference --- -# Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings + +# Available Microsoft Defender SmartScreen settings Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show users a warning page and let them continue to the site, or you can block the site entirely. @@ -54,7 +55,3 @@ To better help you protect your organization, we recommend turning on and using |Browser/PreventSmartScreenPromptOverrideForFiles|**1.** Stops users from ignoring warning messages and continuing to download potentially malicious files.| |SmartScreen/EnableSmartScreenInShell|**1.** Turns on Microsoft Defender SmartScreen in Windows.

                Requires at least Windows 10, version 1703.| |SmartScreen/PreventOverrideForFilesInShell|**1.** Stops users from ignoring warning messages about malicious files downloaded from the Internet.

                Requires at least Windows 10, version 1703.| - -## Related articles - -- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies) From 54d1e68b88c58b36cda16851943074c306a5dc06 Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com> Date: Thu, 11 Jul 2024 10:00:29 -0700 Subject: [PATCH 15/61] Update enhanced-phishing-protection.md - Acrolinx fix --- .../enhanced-phishing-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index b05b845919..ee7a31a01b 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md 
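Review bot: deleting the Related articles section (@@ -54,7 +55,3 @@) removes the only remaining pointer to the Microsoft Edge policy reference, after the earlier rewrite of this page had already dropped the `Administrative Templates > Microsoft Edge > SmartScreen settings` paths; if `/microsoft-edge/deploy/available-policies` is stale, replace the link rather than delete the section, so readers on current Edge still have somewhere to go. The H1 change in @@ -4,7 +4,8 @@ correctly brings the heading in line with the front-matter title; the extra blank line before it is style only.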
@@ -19,7 +19,7 @@ If a user signs into Windows using a password, Enhanced Phishing Protection work - If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory. > [!NOTE] -> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to [Microsoft Defender for Endpoint (MDE)](/microsoft-365/security/defender-endpoint/). +> When a user signs in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to [Microsoft Defender for Endpoint (MDE)](/microsoft-365/security/defender-endpoint/). ## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen From 78f6649dbbd9d4b092a90000f7e2b624714a177f Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Thu, 11 Jul 2024 10:00:46 -0700 Subject: [PATCH 16/61] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index cab9d7dee8..699b798dbf 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -121,7 +121,7 @@ Optional Components, along with the .NET feature, can be installed offline, howe ### Checkpoint cumulative updates -Starting with Windows 11, version 24H2, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. +Starting with Windows 11, version 24H2, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information. To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23. 
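Review bot: the added sentence "Cumulative update packages with a revision <= the target cumulative update will be processed" should spell the comparison out ("with a revision equal to or earlier than the target cumulative update"); a bare `<=` in Markdown prose is easy to misread as markup and is not how the rest of the article writes. The guidance "Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder" leaves unstated what happens if another package is present, whether it is ignored or whether `Add-WindowsPackage` fails, and that is the detail an administrator assembling the folder needs. The `Add-WindowsPackage` instructions are long enough to deserve their own paragraph after "faster installation.", and "will be available", "will be used" and "If you are not customizing" read better in the present tense ("are available", "is used", "If you aren't customizing").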
From 569105a82dbacc043628c25c38df225e20930e01 Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com> Date: Thu, 11 Jul 2024 10:01:32 -0700 Subject: [PATCH 17/61] Update protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md - Acrolinx fix --- ...ets-by-controlling-the-health-of-windows-10-based-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 7cad827253..1c997805c4 100644 --- a/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -329,7 +329,7 @@ The following table details the hardware requirements for both Virtualization-ba |IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows enhances system resiliency against DMA attacks.| |Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for Virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)| -This section presented information about several closely related controls in Windows . The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. +This section presented information about several closely related controls in Windows. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. ## Detect an unhealthy Windows-based device From d11d590f4668d92a007f44b4fbf18ac5d0febfbb Mon Sep 17 00:00:00 2001 
From: Aaron Czechowski Date: Thu, 11 Jul 2024 16:04:49 -0700 Subject: [PATCH 18/61] remove essentials-overview --- windows/deployment/do/waas-delivery-optimization.md | 5 ++--- .../windows-autopatch/overview/windows-autopatch-overview.md | 3 +-- .../windows-defender-application-control/wdac.md | 3 --- windows/security/introduction.md | 1 - 4 files changed, 3 insertions(+), 9 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 10e0059d41..133945930d 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -11,11 +11,10 @@ ms.reviewer: mstewart ms.collection: - tier3 - highpri - - essentials-overview ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 -- ✅ Windows 10 +- ✅ Windows 10 ms.date: 05/23/2024 --- diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index f5f9d6ac76..f8f71f9db2 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -4,7 +4,7 @@ description: Details what the service is and shortcuts to articles. ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: overview ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan @@ -12,7 +12,6 @@ manager: aaroncz ms.collection: - highpri - tier1 - - essentials-overview ms.reviewer: hathind --- diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md index f35be85ec0..2d0145d3bc 100644 
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md @@ -4,9 +4,6 @@ description: Application Control restricts which applications users are allowed ms.localizationpriority: medium ms.collection: - tier3 -- must-keep -- essentials-navigation -- essentials-overview ms.date: 08/30/2023 ms.topic: overview --- diff --git a/windows/security/introduction.md b/windows/security/introduction.md index 7b90b57e21..073a4309b9 100644 --- a/windows/security/introduction.md +++ b/windows/security/introduction.md @@ -6,7 +6,6 @@ ms.topic: tutorial ms.author: paoloma ms.collection: - essentials-security - - essentials-overview content_well_notification: - AI-contribution author: paolomatarazzo From 2bf1e76a2e66999da2eb46399288f605ceeddce2 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 11 Jul 2024 16:05:00 -0700 Subject: [PATCH 19/61] remove essentials-navigation --- education/windows/index.yml | 1 - windows/deployment/do/index.yml | 11 +++++------ windows/deployment/windows-autopatch/index.yml | 1 - windows/security/index.yml | 1 - 4 files changed, 5 insertions(+), 9 deletions(-) diff --git a/education/windows/index.yml b/education/windows/index.yml index ac12ab0836..0cd20e659d 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -9,7 +9,6 @@ metadata: ms.collection: - education - tier1 - - essentials-navigation author: paolomatarazzo ms.author: paoloma manager: aaroncz diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index d4f3409ae7..d8717e04d8 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml 
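Review bot: The subject says "remove essentials-overview", but the wdac.md hunk also drops `- must-keep` and `- essentials-navigation`, and the windows-autopatch-overview.md hunk changes `ms.topic: conceptual` to `ms.topic: overview`; either call these out in the commit message or split them into their own commits, since `must-keep` in particular reads like a deliberate retention flag on the WDAC page and `essentials-navigation` has its own commit right after this one. The `appliesto:` and `- ✅ Windows 10` lines in waas-delivery-optimization.md appear to differ only in trailing whitespace, which is harmless but adds noise to a metadata-only review.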
@@ -12,13 +12,12 @@ metadata: ms.collection: - highpri - tier3 - - essentials-navigation author: aczechowski ms.author: aaroncz manager: aaroncz ms.date: 12/22/2023 #Required; mm/dd/yyyy format. localization_priority: medium - + # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new landingContent: @@ -61,8 +60,8 @@ landingContent: - text: Optimize Windows 10 or later update delivery with Configuration Manager url: /mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization - text: Delivery Optimization settings in Microsoft Intune - url: /mem/intune/configuration/delivery-optimization-windows - + url: /mem/intune/configuration/delivery-optimization-windows + # Card - title: Microsoft Connected Cache (MCC) for Enterprise and Education linkLists: @@ -71,7 +70,7 @@ landingContent: - text: MCC for Enterprise and Education (early preview) url: waas-microsoft-connected-cache.md - text: Sign up - url: https://aka.ms/MSConnectedCacheSignup + url: https://aka.ms/MSConnectedCacheSignup # Card - title: Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs) @@ -84,7 +83,7 @@ landingContent: url: https://aka.ms/MCCForISPSurvey - text: MCC for ISPs (early preview) url: mcc-isp.md - + # Card (optional) - title: Resources diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml index 2c2a7c6642..3385e19bee 100644 --- a/windows/deployment/windows-autopatch/index.yml +++ b/windows/deployment/windows-autopatch/index.yml @@ -17,7 +17,6 @@ metadata: ms.collection: - highpri - tier2 - - essentials-navigation # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new 
diff --git a/windows/security/index.yml b/windows/security/index.yml index afb32d0f77..9553388f93 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -7,7 +7,6 @@ metadata: ms.topic: landing-page ms.collection: - tier1 - - essentials-navigation author: paolomatarazzo ms.author: paoloma manager: aaroncz From 73cb07bebf5e3035f8d554c290c603c486a53dd1 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 11 Jul 2024 16:06:50 -0700 Subject: [PATCH 20/61] remove essentials accountability tags --- .../deployment/do/delivery-optimization-workflow.md | 12 +++++------- .../overview/windows-autopatch-privacy.md | 1 - 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index 9635f725c9..1f89eca0a6 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -8,15 +8,13 @@ author: cmknox ms.author: carmenf manager: aaroncz ms.reviewer: mstewart -ms.collection: +ms.collection: - tier3 - - essentials-privacy - - essentials-security ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 -- ✅ Delivery Optimization +- ✅ Delivery Optimization ms.date: 05/23/2024 --- 
@@ -30,7 +28,7 @@ Delivery Optimization can't be used to download or send personal content. Delive Delivery Optimization downloads the same updates and apps that you would get through [Windows Update](../update/windows-update-security.md), Microsoft Store apps, and other Microsoft updates using the same security measures. To make sure you're getting authentic updates, Delivery Optimization gets information securely from Microsoft to check the authenticity of each part of an update or app that it downloads from other PCs. The authenticity of the downloads is checked again before installing it. -## Download request workflow +## Download request workflow This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device and explains client-service communication. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from. @@ -50,4 +48,4 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r | cp\*.prod.do.dsp.mp.microsoft.com
                | 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
                **ContentId**: The content identifier
                **doClientVersion**: The version of the DoSvc client
                **countryCode**: The country the client is connected from
                **altCatalogID**: If ContentID isn't available, use the download URL instead
                **eID**: Client grouping ID
                **CacheHost**: Cache host ID | | disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox)
                **ContentID**: The content identifier
                **doClientVersion**: The version of the DoSvc client
                **partitionID**: Client partitioning hint
                **altCatalogID**: If ContentID isn't available, use the download URL instead
                **eID**: Client grouping ID | | array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
                **ContentID**: The content identifier
                **doClientVersion**: The version of the DoSvc client
                **altCatalogID**: If ContentID isn't available, use the download URL instead
                **PeerID**: Identity of the device running DO client
                **ReportedIp**: The internal / private IP Address
                **IsBackground**: Is the download interactive or background
                **Uploaded**: Total bytes uploaded to peers
                **Downloaded**: Total bytes downloaded from peers
                **DownloadedCdn**: Total bytes downloaded from CDN
                **Left**: Bytes left to download
                **Peers Wanted**: Total number of peers wanted
                **Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
                **Scope**: The Download mode
                **UploadedBPS**: The upload speed in bytes per second
                **DownloadBPS**: The download speed in Bytes per second
                **eID**: Client grouping ID | -| dl.delivery.mp.microsoft.com
                download.windowsupdate.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | +| dl.delivery.mp.microsoft.com
                download.windowsupdate.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 5b74de7688..c2aadef998 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -13,7 +13,6 @@ ms.reviewer: hathind ms.collection: - highpri - tier1 - - essentials-privacy --- # Privacy From 8b74ed138a34c9ad40cacac197577e3e486c7c3d Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 11 Jul 2024 16:07:39 -0700 Subject: [PATCH 21/61] remove essentials-get-started --- windows/deployment/do/waas-delivery-optimization-setup.md | 1 - .../overview/windows-autopatch-deployment-guide.md | 1 - .../deployment/wdac-deployment-guide.md | 3 +-- 3 files changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 0a8cced507..93e5197724 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -10,7 +10,6 @@ ms.reviewer: mstewart manager: aaroncz ms.collection: - tier3 - - essentials-get-started ms.localizationpriority: medium appliesto: - ✅ Windows 11 diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index df3a6cd77d..a44081d038 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md 
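Review bot: The two long table rows in delivery-optimization-workflow.md (`cp\*.prod.do.dsp.mp.microsoft.com` ... and `dl.delivery.mp.microsoft.com` ...) are deleted and re-added with what looks like only a trailing-whitespace difference, which makes it hard to confirm that nothing in the hostname, port, or query-parameter columns actually changed; a separate whitespace-only commit would keep the tag removal auditable. Since this page documents the Delivery Optimization security model (authenticity checks on each downloaded piece, the peer-matching endpoints and their parameters), dropping `essentials-privacy` and `essentials-security` from it deserves a sentence of justification beyond "accountability tags" in the subject. While touching this file, the unchanged Discovery row reads "ensuing that clients are collocated", which should be "ensuring".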
@@ -12,7 +12,6 @@ manager: aaroncz ms.reviewer: hathind ms.collection: - tier2 - - essentials-get-started --- # Windows Autopatch deployment guide diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md index 21442ea394..46d07c19a7 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/wdac-deployment-guide.md @@ -4,7 +4,6 @@ description: Learn how to plan and implement a WDAC deployment. ms.localizationpriority: medium ms.date: 01/23/2023 ms.topic: overview -ms.collection: essentials-get-started --- # Deploying Windows Defender Application Control (WDAC) policies @@ -31,7 +30,7 @@ Before you deploy your WDAC policies, you must first convert the XML to its bina { $PolicyBinary = "SiPolicy.p7b" } - + ## Binary file will be written to your desktop ConvertFrom-CIPolicy -XmlFilePath $WDACPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary ``` From 77f3216934c59c1c797c319b09699f53233449a5 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 11 Jul 2024 16:09:15 -0700 Subject: [PATCH 22/61] remove essentials-manage --- windows/deployment/do/waas-delivery-optimization-monitor.md | 5 ++--- .../operate/windows-autopatch-groups-update-management.md | 1 - .../operate/windows-autopatch-maintain-environment.md | 1 - .../windows-autopatch-policy-health-and-remediation.md | 1 - .../operations/wdac-operational-guide.md | 1 - 5 files changed, 2 insertions(+), 7 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-monitor.md b/windows/deployment/do/waas-delivery-optimization-monitor.md index 6c30ab2dc4..ed6710932b 100644 
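Review bot: In wdac-deployment-guide.md the whole `ms.collection: essentials-get-started` key is removed rather than one list entry, which is correct only because it was the key's sole value; confirm the build does not require `ms.collection` to be present, since every other page in this series keeps the key with its remaining values. The blank-line change inside the `ConvertFrom-CIPolicy` PowerShell block is whitespace-only and unrelated to the subject; it could be dropped from this commit.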
--- a/windows/deployment/do/waas-delivery-optimization-monitor.md +++ b/windows/deployment/do/waas-delivery-optimization-monitor.md @@ -10,11 +10,10 @@ manager: aaroncz ms.reviewer: mstewart ms.collection: - tier3 - - essentials-manage ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 -- ✅ Windows 10 +- ✅ Windows 10 - ✅ Delivery Optimization ms.date: 05/23/2024 --- diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md index ee20c918b3..1a03d4c08b 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md @@ -13,7 +13,6 @@ ms.reviewer: andredm7 ms.collection: - highpri - tier1 - - essentials-manage --- # Software update management diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index 0b6c9d7421..6273ceb86d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md @@ -13,7 +13,6 @@ ms.reviewer: smithcharles ms.collection: - highpri - tier1 - - essentials-manage --- # Maintain the Windows Autopatch environment diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md index 54d541524e..16dd0cc679 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md 
@@ -13,7 +13,6 @@ ms.reviewer: rekhanr ms.collection: - highpri - tier1 - - essentials-manage --- # Policy health and remediation diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md index 81a98c78ca..71c48fb256 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/wdac-operational-guide.md @@ -4,7 +4,6 @@ description: Gather information about how your deployed Windows Defender Applica ms.localizationpriority: medium ms.date: 03/30/2023 ms.topic: how-to -ms.collection: essentials-manage --- # Windows Defender Application Control operational guide From 9f331ad29a241262cfcb2ede014dbd1cb2de837b Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 11 Jul 2024 16:15:55 -0700 Subject: [PATCH 23/61] add essentials-manage --- .../client-tools/administrative-tools-in-windows.md | 2 ++ windows/client-management/index.yml | 1 + windows/client-management/mdm-overview.md | 1 + windows/configuration/start/index.md | 2 ++ windows/configuration/taskbar/index.md | 2 ++ 5 files changed, 8 insertions(+) diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md index 63b3fbd65c..785eb740cc 100644 --- a/windows/client-management/client-tools/administrative-tools-in-windows.md +++ b/windows/client-management/client-tools/administrative-tools-in-windows.md 
@@ -4,6 +4,8 @@ description: The folders for Windows Tools and Administrative Tools are folders ms.date: 07/01/2024 ms.topic: conceptual zone_pivot_groups: windows-versions-11-10 +ms.collection: +- essentials-manage --- # Windows Tools diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 184e34da03..4cee76e2bb 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -10,6 +10,7 @@ metadata: ms.collection: - highpri - tier1 + - essentials-manage author: vinaypamnani-msft ms.author: vinpa manager: aaroncz diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 7be2352c9b..1db4cb2fee 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md @@ -7,6 +7,7 @@ ms.localizationpriority: medium ms.collection: - highpri - tier2 +- essentials-manage --- # Mobile Device Management overview diff --git a/windows/configuration/start/index.md b/windows/configuration/start/index.md index c78ef0401d..0627e33663 100644 --- a/windows/configuration/start/index.md +++ b/windows/configuration/start/index.md @@ -4,6 +4,8 @@ description: Learn how to configure the Windows Start menu to provide quick acce ms.topic: overview ms.date: 04/10/2024 zone_pivot_groups: windows-versions-11-10 +ms.collection: +- essentials-manage appliesto: --- diff --git a/windows/configuration/taskbar/index.md b/windows/configuration/taskbar/index.md index 68edd41929..6ef2fe06f6 100644 --- a/windows/configuration/taskbar/index.md +++ b/windows/configuration/taskbar/index.md @@ -3,6 +3,8 @@ title: Configure the Windows taskbar description: Learn how to configure the Windows taskbar to provide quick access to the tools and applications that users need most. ms.topic: how-to ms.date: 04/17/2024 +ms.collection: +- essentials-manage appliesto: zone_pivot_groups: windows-versions-11-10 --- 
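Review bot: In windows/configuration/start/index.md and taskbar/index.md the new `ms.collection:` block is inserted directly above an `appliesto:` key that carries no value (it is followed by `---` in start/index.md and by `zone_pivot_groups:` in taskbar/index.md); the empty key is pre-existing, but since the front matter is being edited anyway, either populate `appliesto` or remove it. The list indentation is also inconsistent across the touched files (`- essentials-manage` at column 0 in the .md files, indented under the key in index.yml); both parse as YAML, but matching one style keeps future diffs clean.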
From 3288894552c9af09566cfad6a39e781c6d16938a Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 11 Jul 2024 16:22:19 -0700 Subject: [PATCH 24/61] update hub page --- windows/hub/index.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 6bed7b9fcc..48104903e4 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -15,7 +15,7 @@ metadata: author: paolomatarazzo ms.author: paoloma manager: aaroncz - ms.date: 04/25/2024 + ms.date: 07/11/2024 highlightedContent: items: @@ -34,9 +34,9 @@ highlightedContent: - title: Windows commercial licensing itemType: overview url: /windows/whats-new/windows-licensing - - title: Copilot in Windows + - title: Manage Recall itemType: how-to-guide - url: /windows/client-management/manage-windows-copilot + url: /windows/client-management/manage-recall - title: Windows 365 documentation itemType: overview url: /windows-365 @@ -55,10 +55,10 @@ productDirectory: - title: Learn how to deploy Windows imageSrc: /media/common/i_deploy.svg links: - - url: /mem/autopilot/ - text: Windows Autopilot overview - - url: /mem/autopilot/tutorial/autopilot-scenarios - text: "Tutorial: Windows Autopilot scenarios" + - url: /autopilot/ + text: Windows Autopilot + - url: /autopilot/device-preparation/compare + text: Compare Windows Autopilot solutions - url: /windows/deployment/do/ text: Delivery optimization - url: /windows/deployment/update/deployment-service-overview @@ -109,8 +109,8 @@ productDirectory: text: Configuration Service Provider (CSP) - url: /windows/client-management/administrative-tools-in-windows-10 text: Windows administrative tools - - url: /windows/client-management/manage-windows-copilot - text: Manage Copilot in Windows + - url: /windows/client-management/manage-recall + text: Manage Recall - url: /windows/application-management/index text: Learn more about application management > - url: /windows/client-management 
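Review bot: The "Manage Recall" tile added to `highlightedContent` in this commit is removed again in the very next one (PATCH 25/61), so the two commits should be squashed to avoid publishing churn on the hub page. The Autopilot link changes (`/mem/autopilot/` to `/autopilot/`, and the new "Compare Windows Autopilot solutions" entry) are fine, but the `ms.date` bump is the only hint that the hub content changed; a one-line body in the commit message would help.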
From b14ef2b4bb9f5bc975145c730ab0c2cef4e5ed8b Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 12 Jul 2024 10:08:34 -0700 Subject: [PATCH 25/61] update tiles --- windows/hub/index.yml | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 48104903e4..95d49b10a7 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -34,19 +34,15 @@ highlightedContent: - title: Windows commercial licensing itemType: overview url: /windows/whats-new/windows-licensing - - title: Manage Recall - itemType: how-to-guide - url: /windows/client-management/manage-recall - title: Windows 365 documentation itemType: overview url: /windows-365 - title: Explore all Windows trainings and learning paths for IT pros itemType: learn url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator - -# - title: Enroll Windows client devices in Microsoft Intune -# itemType: how-to-guide -# url: /mem/intune/fundamentals/deployment-guide-enrollment-windows + - title: Enroll Windows client devices in Microsoft Intune + itemType: how-to-guide + url: /mem/intune/fundamentals/deployment-guide-enrollment-windows productDirectory: title: Get started 
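Review bot: Re-enabling the Intune enrollment tile is fine, but the neighbouring unchanged `url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator` hard-codes the `en-us` locale and the host; the rest of the hub page uses site-relative URLs (`/windows-365`, `/mem/intune/fundamentals/...`), so this one should be made locale-free as well so localized hub pages do not send users to English.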
@@ -103,14 +99,14 @@ productDirectory: - title: Learn how to manage Windows imageSrc: /media/common/i_management.svg links: + - url: /windows/client-management/administrative-tools-in-windows-10 + text: Windows administrative tools + - url: /windows/client-management/client-tools/windows-version-search + text: What version of Windows am I running? - url: /windows/client-management/mobile-device-enrollment text: MDM enrollment - url: /windows/client-management/mdm/ - text: Configuration Service Provider (CSP) - - url: /windows/client-management/administrative-tools-in-windows-10 - text: Windows administrative tools - - url: /windows/client-management/manage-recall - text: Manage Recall + text: Configuration Service Provider (CSP) reference - url: /windows/application-management/index text: Learn more about application management > - url: /windows/client-management From ac8c7ed3004d271751e591acd289b1eae43f1805 Mon Sep 17 00:00:00 2001 From: Nazmus Sakib Date: Fri, 12 Jul 2024 14:26:09 -0700 Subject: [PATCH 26/61] Update microsoft-pluton-security-processor.md Update based on leadership\reported feedback to add value prop and scenario example. Also updates availability information --- .../microsoft-pluton-security-processor.md | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index 66feedfe73..fcb2561271 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md 
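Review bot: The reordering promotes `url: /windows/client-management/administrative-tools-in-windows-10` to the first link in the manage card, but PATCH 23/61 in this same series shows the article now lives at `windows/client-management/client-tools/administrative-tools-in-windows.md`; link to the current path rather than relying on the redirect. The link text change to "Configuration Service Provider (CSP) reference" with the URL unchanged is fine as long as `/windows/client-management/mdm/` is indeed the reference landing page; worth a quick check.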
@@ -9,7 +9,7 @@ ms.date: 07/10/2024 Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. -Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2. +Microsoft Pluton is currently available on devices with AMD Ryzen® 6000, 7000, 8000, Ryzen AI and Qualcomm Snapdragon® 8cx Gen 3 and Snapdragon X series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2 and above. ## What is Microsoft Pluton? 
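Review bot: The availability sentence now lists AMD Ryzen 6000/7000/8000/Ryzen AI and Qualcomm Snapdragon 8cx Gen 3 and X series, while the new "Innovation" bullet added later in this same file refers to "2024 Pluton platforms in AMD and Intel systems"; either Intel belongs in this list or the later sentence needs qualifying, otherwise readers will ask which is correct. "Windows 11, version 22H2 and above" should read "version 22H2 or later" per style. The context line `ms.date: 07/10/2024` predates this content change and should be bumped.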
@@ -19,6 +19,24 @@ Microsoft Pluton is designed to provide the functionality of the Trusted Platfor Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/). +## How can Pluton help customers? + +Pluton is built with the goal of providing customers with better end-to-end security experiences. It does so by doing three things: +1) **Zero-trust security and reliability**: customer security scenarios often span devices and cloud services. Windows PCs and services like Microsoft Entra and Intune need to work harmoniously together to provide frictionless security. Pluton is designed, built and maintained in close collaboration with teams across Microsoft to ensure that customers get both high security and reliability +2) **Innovation**: the Pluton platform and the functionality it provides is informed by customer feedback and Microsoft’s threat intelligence. As one example, 2024 Pluton platforms in AMD and Intel systems will start to use a Rust-based firmware foundation given the importance of memory safety. +3) **Continuous improvement**: the Pluton platform supports loading new firmware delivered through operating system updates. This functionality is supported alongside the typical mechanism of UEFI capsule updates that updates the Pluton firmware that is resident on the system’s SPI flash and loaded during early system boot. The additional support for dynamically loading valid new Pluton firmware through operating system updates facilitates continuous improvements both for bug fixes and new features. 
+ +### A practical example: zero-trust security with device-based conditional access policies + +An increasingly important zero-trust workflow is conditional access – gating access to resources like Sharepoint documents based on verifying whether requests are coming from a valid, healthy source. Microsoft Intune for example supports may different workflows for conditional access including [device-based conditional access](https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune) which allows organizations to set policies that ensure that managed devices are healthy and compliant before granting access to the organization’s apps and services. + +To ensure that Intune gets an accurate picture about the device’s health as part of enforcing these policies, ideally it has tamper-resistant logs on the state of the relevant security capabilities. This is where hardware security is critical as any malicious software running on the device could attempt to provide false signals to the service. One of the core benefits of a hardware security technology like the TPM, is that it has a tamper-resistant log of the state of the system. Services can cryptographically validate that logs and the associated system state reported by the TPM truly come from the TPM. + +For the end-to-end scenario to be truly successful at scale the hardware-based security is not enough though. Since access to enterprise assets is being gated based on security settings that are being reported by the TPM logs, it is critical that these logs are available reliably. Zero-trust security essentially requires high reliability. + +With Pluton, when it is configured as the TPM for the system, customers using conditional access get the benefits of Pluton’s security architecture and implementation with the reliability that comes from the tight integration and collaboration between Pluton and other Microsoft components and services. 
+ + ## Microsoft Pluton security architecture overview ![Diagram showing the Microsoft Pluton security processor architecture](../images/pluton/pluton-security-architecture.png) From 3f9eb83d029d1b587f48ceaac7d5e9ef9faa6a23 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 12 Jul 2024 16:44:49 -0700 Subject: [PATCH 27/61] remove articles --- .openpublishing.redirection.json | 2 +- ...ishing.redirection.windows-deployment.json | 10 +++ windows/deployment/TOC.yml | 4 +- windows/deployment/index.yml | 6 +- .../planning/windows-10-compatibility.md | 45 ------------- .../windows-10-deployment-considerations.md | 3 +- .../windows-10-infrastructure-requirements.md | 1 - .../update/plan-determine-app-readiness.md | 63 ------------------- .../update/prepare-deploy-windows.md | 10 +-- 9 files changed, 22 insertions(+), 122 deletions(-) delete mode 100644 windows/deployment/planning/windows-10-compatibility.md delete mode 100644 windows/deployment/update/plan-determine-app-readiness.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index d6f6446385..31d8d2cd74 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -11487,7 +11487,7 @@ }, { "source_path": "windows/plan/windows-10-compatibility.md", - "redirect_url": "/windows/deployment/planning/windows-10-compatibility", + "redirect_url": "/windows/compatibility/", "redirect_document_id": false }, { diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json index 44cd5fae11..e733f7e24e 100644 --- a/.openpublishing.redirection.windows-deployment.json +++ b/.openpublishing.redirection.windows-deployment.json 
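Review bot: Typos and list formatting in the added "How can Pluton help customers?" and "A practical example" sections of the Pluton article hunk (@@ -19,6 +19,24 @@): "supports may different workflows" should read "supports many different workflows", and the product name is "SharePoint", not "Sharepoint". In the numbered list, item 1 ("...get both high security and reliability") lacks its terminating period, and the list is glued to the preceding sentence ("It does so by doing three things:") with no blank line, unlike the lists elsewhere in this series (the windows-11-plan.md refresh inserts a blank line before each list); add the blank line for consistency. One wording suggestion for the attestation paragraph: "Services can cryptographically validate that logs and the associated system state reported by the TPM truly come from the TPM" would be more precise if it named the mechanism, namely a TPM quote over the measurement registers signed with a TPM-resident attestation key, since that signature is what lets the service reject values forged by software on the host.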
@@ -1179,6 +1179,16 @@ "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md", "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview", "redirect_document_id": true + }, + { + "source_path": "windows/deployment/planning/windows-10-compatibility.md", + "redirect_url": "/windows/compatibility/", + "redirect_document_id": true + }, + { + "source_path": "windows/deployment/update/plan-determine-app-readiness.md", + "redirect_url": "/windows/compatibility/windows-11/testing-guidelines", + "redirect_document_id": true } ] } diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 88851f15ff..339f7151c3 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -36,8 +36,6 @@ href: update/plan-define-readiness.md - name: Evaluate infrastructure and tools href: update/eval-infra-tools.md - - name: Determine application readiness - href: update/plan-determine-app-readiness.md - name: Define your servicing strategy href: update/plan-define-strategy.md - name: Delivery Optimization for Windows client updates @@ -53,6 +51,8 @@ href: planning/windows-10-infrastructure-requirements.md - name: Plan for volume activation href: volume-activation/plan-for-volume-activation-client.md + - name: Windows compatibility cookbook + href: /windows/compatibility/ - name: Features removed or planned for replacement items: - name: Windows client features lifecycle diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 5e60b0c3c0..3f5ea288b1 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml 
@@ -15,7 +15,7 @@ metadata: author: aczechowski ms.author: aaroncz manager: aaroncz - ms.date: 04/01/2024 + ms.date: 07/12/2024 localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -34,10 +34,10 @@ landingContent: url: update/plan-define-readiness.md - text: Define your servicing strategy url: update/plan-define-strategy.md - - text: Determine application readiness - url: update/plan-determine-app-readiness.md - text: Plan for volume activation url: volume-activation/plan-for-volume-activation-client.md + - text: Windows compatibility cookbook + url: /windows/compatibility/ - title: Prepare linkLists: diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md deleted file mode 100644 index 83227970dd..0000000000 --- a/windows/deployment/planning/windows-10-compatibility.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -title: Windows 10 compatibility (Windows 10) -description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -ms.localizationpriority: medium -author: frankroj -ms.topic: article -ms.subservice: itpro-deploy -ms.date: 10/28/2022 ---- - -# Windows 10 compatibility - -**Applies to** - -- Windows 10 - -Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. - -For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. - -Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Those applications that interface with Windows at a low level, those applications that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. - -Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. - -For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. 
For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](/internet-explorer/ie11-deploy-guide/) - -## Recommended application testing process - -Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to use more optimized testing processes, which reflect the higher levels of compatibility that are expected. At a high level: - -- Identify mission-critical applications and websites, those applications and websites that are essential to the organization's operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. - -- For less critical applications, apply an "internal flighting" or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. - -## Related articles - - -[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) - -[Windows 10 deployment considerations](windows-10-deployment-considerations.md) - -[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) \ No newline at end of file diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 434b7da17f..4b6d775551 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md 
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -69,7 +69,7 @@ In either of these scenarios, you can make various configuration changes to the For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using various methods: - Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. -- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they're approved (deploying like an update). +- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they're approved (deploying like an update). - Configuration Manager task sequences. - Configuration Manager software update capabilities (deploying like an update). @@ -79,5 +79,4 @@ The upgrade process is also optimized to reduce the overall time and network ban ## Related articles -[Windows 10 compatibility](windows-10-compatibility.md)
                [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 06a835b0ba..f33cc45e96 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -97,4 +97,3 @@ Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
                [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
                -[Windows 10 compatibility](windows-10-compatibility.md)
                \ No newline at end of file diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md deleted file mode 100644 index 6801a4cca8..0000000000 --- a/windows/deployment/update/plan-determine-app-readiness.md +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -title: Determine application readiness -description: How to test your apps to identify which need attention prior to deploying an update in your organization. -ms.service: windows-client -ms.subservice: itpro-updates -ms.topic: conceptual -ms.author: mstewart -author: mestew -manager: aaroncz -ms.localizationpriority: medium -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -ms.date: 12/31/2017 ---- - -# Determine application readiness - -Before you deploy a Windows client update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps](plan-define-readiness.md) with respect to their criticality in your organization. - -## Validation methods - -You can choose from various methods to validate apps. Exactly which ones to use depends on the specifics of your environment. - - -|Validation method |Description | -|---------|---------| -|Full regression | A full quality assurance probing. Staff that know the application well and can validate its core functionality should do this validation. | -|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they're validating. | -|Automated testing | Software performs tests automatically. The software lets you know whether the tests have passed or failed, and provides detailed reporting for you automatically. | -|Test in pilot | You preselect users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. | -|Reactive response | Applications are validated in late pilot, and no specific users are selected. 
These applications normally aren't installed on many devices and aren't handled by enterprise application distribution. | - -Combining the various validation methods with the app classifications you've previously established might look like this: - - -|Validation method |Critical apps |Important apps |Not important apps | -|---------|---------|---------|---------| -|Full regression | x | | | -|Smoke testing | | x | | -|Automated testing | x | x | x | -|Test in pilot | x | x | x | - - -### Identify users - -Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you have to choose which users are best suited for validation testing. Some factors to consider include: - -- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in? -- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work? -- **Technical ability**: Do the users have enough technical competence to provide useful feedback from various test scenarios? - -You could seek volunteers who enjoy working with new features and include them in the pilot deployment. You might want to avoid using core users like department heads or project managers. Current application owners, operations personnel, and developers can help you identify the most appropriate pilot users. - -### Identify and set up devices for validation - -In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection includes devices representing all of the hardware models in your environment. - -There's more than one way to choose devices for app validation: - -- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles. 
-- **Manual selection**: Some internal groups like operations have expertise to help choose devices manually based on specifications, usage, or records of past support problems. -- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices. diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index 732aab35e3..c69e5987ea 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -8,7 +8,7 @@ author: mestew ms.author: mstewart manager: aaroncz ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 12/31/2017 @@ -19,7 +19,7 @@ ms.date: 12/31/2017 Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase left you with these useful items: - A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md) -- A plan for [testing and validating](plan-determine-app-readiness.md) apps +- A plan for [testing and validating](/windows/compatibility/windows-11/testing-guidelines) apps - An assessment of your [deployment infrastructure](eval-infra-tools.md) and definitions for operational readiness - A [deployment plan](create-deployment-plan.md) that defines the rings you want to use 
@@ -35,7 +35,7 @@ Your infrastructure probably includes many different components and tools. You n 1. Review all of the infrastructure changes that you've identified in your plan. It's important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on. -2. Validate your changes. You validate the changes for your infrastructure's components and tools, to help you understand how your changes could affect your production environment. +2. Validate your changes. You validate the changes for your infrastructure's components and tools, to help you understand how your changes could affect your production environment. 3. Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure. @@ -166,11 +166,11 @@ You can also create and run scripts to perform additional cleanup actions on dev In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You need to complete these higher-level tasks to gain those new capabilities: -- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions come with new policies that you use to update ADMX templates. +- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions come with new policies that you use to update ADMX templates. - Validate new changes to understand how they affect the wider environment. -- Remediate any potential problems that have been identified through validation. +- Remediate any potential problems that have been identified through validation. ## Prepare users 
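Review bot: Inconsistent redirect_document_id values in the .openpublishing.redirection.windows-deployment.json hunk (@@ -1179,6 +1179,16 @@): both new entries redirect to targets outside this docset ("/windows/compatibility/" and "/windows/compatibility/windows-11/testing-guidelines") with "redirect_document_id": true, while the entry retargeted to the same "/windows/compatibility/" URL in the .openpublishing.redirection.json hunk of this same patch uses "redirect_document_id": false. Document IDs only carry over within a docset, and two sources cannot both hand their ID to one target, so set both new entries to "redirect_document_id": false to match the existing entry and avoid a redirection validation error at build time.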
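Review bot: ms.date is not bumped in the three articles whose content changes in this patch. The index.yml hunk updates "ms.date: 04/01/2024" to "ms.date: 07/12/2024", but the windows-10-deployment-considerations.md and windows-10-infrastructure-requirements.md hunks remove a related-article link without touching the date, and the prepare-deploy-windows.md hunk shows "ms.date: 12/31/2017" as unchanged context while retargeting the "testing and validating" link to "/windows/compatibility/windows-11/testing-guidelines". Since these are content edits rather than whitespace-only fixes, update ms.date in all three to the same 07/12/2024 value used in index.yml. While here, the two deleted articles are still plausible link targets elsewhere in the repo; a search for "windows-10-compatibility.md" and "plan-determine-app-readiness.md" before merge would confirm no other article still points at them.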
From 6baa59a9bb43119e3b769481d52ee41418ffab66 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 12 Jul 2024 16:45:02 -0700 Subject: [PATCH 28/61] refresh --- windows/whats-new/windows-11-plan.md | 88 +++++++++++++++------------- 1 file changed, 46 insertions(+), 42 deletions(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index a32a7baeb6..df1748f800 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -1,6 +1,6 @@ --- title: Plan for Windows 11 -description: Windows 11 deployment planning, IT Pro content. +description: This article provides guidance to help you plan for Windows 11 in your organization. ms.service: windows-client author: mestew ms.author: mstewart @@ -12,7 +12,7 @@ ms.collection: - tier1 - essentials-get-started ms.subservice: itpro-fundamentals -ms.date: 02/06/2024 +ms.date: 07/12/2024 appliesto: - ✅ Windows 11 --- 
@@ -20,98 +20,102 @@ appliesto: # Plan for Windows 11 This article provides guidance to help you plan for Windows 11 in your organization. + ## Deployment planning -Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—and the same basic deployment strategy that you use today for Windows 10. You'll need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11. +Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools. You can also use the same basic deployment strategy that you use today for Windows 10. Make sure that you review and update your servicing strategy to adjust for changes in [servicing and support](#servicing-and-support) for Windows 11. At a high level, this strategy should include the following steps: + - [Create a deployment plan](/windows/deployment/update/create-deployment-plan) - [Define readiness criteria](/windows/deployment/update/plan-define-readiness) - [Evaluate infrastructure and tools](/windows/deployment/update/eval-infra-tools) -- [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness) +- [Test applications](/windows/compatibility/windows-11/testing-guidelines) - [Define your servicing strategy](/windows/deployment/update/plan-define-strategy) -If you're looking for ways to optimize your approach to deploying Windows 11, or if deploying a new version of an operating system isn't a familiar process for you, some items to consider are provided below: +If you're looking for ways to optimize your approach to deploying Windows 11, or if deploying a new version of Windows isn't a familiar process for you, consider the factors in the following sections. ## Determine eligibility -As a first step, you'll need to know which of your current devices meet the Windows 11 hardware requirements. 
Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it's compatible. +As a first step, determine which of your current devices meet the Windows 11 hardware requirements. To ensure compatibility, verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md). -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they're eligible for the upgrade.  - -Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. +Microsoft has analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. If you're running Windows 10 Home, Pro, or Pro for Workstations editions, you can use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine Windows 11 eligibility. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they're eligible for the upgrade. 
+ +Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as [Endpoint analytics](/mem/analytics/). ## Windows 11 availability -The availability of Windows 11 will vary according to a device's hardware and whether the device receives updates directly, or from a management solution that is maintained by an IT administrator. +The availability of Windows 11 varies according to a device's hardware and whether the device receives updates directly from Microsoft, or from a management solution that's maintained by an IT administrator. -##### Managed devices +For more information, see [Defining Windows update-managed devices](/windows/deployment/update/update-managed-unmanaged-devices). -Managed devices are devices that are under organizational control. Managed devices include those devices managed by Microsoft Intune, Microsoft Configuration Manager, or other endpoint management solutions. +### Managed devices -If you manage devices on behalf of your organization, you'll be able to upgrade eligible devices to Windows 11 using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as: +Managed devices are devices that are under organizational control. Managed devices include those devices managed by Microsoft Intune, Microsoft Configuration Manager, or other endpoint management solutions. -- Ensuring that devices that don't meet the minimum hardware requirements aren't automatically offered the Windows 11 upgrade. -- More insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. 
+If you manage devices on behalf of your organization, you can upgrade eligible devices to Windows 11 using your existing deployment and management tools. + +Organizations that use Windows Update for Business also have the following benefits: + +- Ensuring that devices that don't meet the minimum hardware requirements aren't automatically offered the Windows 11 upgrade. +- More insight into safeguard holds. While safeguard holds function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11. > [!NOTE] -> Also, Windows 11 has new Microsoft Software License Terms. If you are deploying with Windows Update for Business or Windows Server Update Services, you are accepting these new license terms on behalf of the users in your organization. +> Also, Windows 11 has new Microsoft Software License Terms. If you deploy with Windows Update for Business or Windows Server Update Services, you accept these new license terms on behalf of the users in your organization. -##### Unmanaged devices +### Unmanaged devices -Unmanaged devices are devices that aren't managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices aren't subject to organizational policies that manage upgrades or updates. +Unmanaged devices are devices that an IT administrator doesn't manage on behalf of an organization. For OS deployment, these devices aren't subject to organizational policies that manage upgrades or updates. -Windows 11 will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows 11 once available** on products that are available for purchase. +Windows 11 was offered to eligible Windows 10 devices in 2021. 
Messaging on new devices varies by PC manufacturer. -The Windows 11 upgrade will be available initially on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update managed devices, the **Windows Update Settings** page will confirm when a device is eligible, and users can upgrade if they choose to. +The Windows 11 upgrade is available on eligible, unmanaged devices to users who manually seek the upgrade through Windows Update. As with all Windows Update-managed devices, the **Windows Update** settings page confirms when a device is eligible. -Just like Windows 10, the machine learning-based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process will be used when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. +Just like Windows 10, the machine learning-based [intelligent rollout](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/using-machine-learning-to-improve-the-windows-10-update/ba-p/877860) process is used when rolling out upgrades. Machine learning uses a combination of testing, close partner engagement, feedback, diagnostic data, and real-life insights to manage quality. This process improves the update experience and ensures that devices first nominated for updates are the devices likely to have a seamless experience. Devices that might have compatibility issues with the upgrade get the benefit of resolving these issues before the upgrade is offered. 
-## Windows 11 readiness considerations +## Windows 11 readiness considerations -The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows 11 is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features. +The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows 11 is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [release preview channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features. As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: -- Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. -- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. 
This concurrent management allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). -For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). +- To manage Configuration Manager clients over the internet, create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG). +- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This concurrent management allows you to take advantage of cloud-powered capabilities like [conditional access](/azure/active-directory/conditional-access/overview). + +For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). The introduction of Windows 11 is also a good time to review your hardware refresh plans and prioritize eligible devices to ensure an optimal experience for your users. ## Servicing and support -Along with user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. +Along with user experience and security improvements, Windows 11 introduces enhancements to Microsoft's servicing approach based on your suggestions and feedback. 
-**Quality updates**: Windows 11 and Windows 10 devices will receive regular monthly quality updates to provide security updates and bug fixes. +- **Quality updates**: Windows 11 and Windows 10 devices receive regular monthly quality updates to provide security updates and bug fixes. -**Feature updates**: Microsoft will provide a single Windows 11 feature update annually, targeted for release in the second half of each calendar year. +- **Feature updates**: Microsoft provides a single Windows 11 feature update annually, targeted for release in the second half of each calendar year. -**Lifecycle**: -- Home, Pro, Pro for Workstations, and Pro for Education editions of Windows 11 will receive 24 months of support from the general availability date. -- Enterprise and Education editions of Windows 11 will be supported for 36 months from the general availability date. +- **Lifecycle**: -When Windows 11 reaches general availability, a consolidated [Windows 11 update history](https://support.microsoft.com/topic/59875222-b990-4bd9-932f-91a5954de434) is available, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows 11 servicing announcements, known issues, and safeguard holds. + - Home, Pro, Pro for Workstations, and Pro for Education editions of Windows 11 receive 24 months of support from the general availability date. + - Enterprise and Education editions of Windows 11 are supported for 36 months from the general availability date. -It's important that organizations have adequate time to plan for Windows 11. Microsoft also recognizes that many organizations will have a mix of Windows 11 and Windows 10 devices across their ecosystem. 
Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, and incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 General Availability Channel and Long-term Servicing Channel (LTSC) releases. +A consolidated [Windows 11 update history](https://support.microsoft.com/topic/59875222-b990-4bd9-932f-91a5954de434) is available. Similarly, the [Windows release health](/windows/release-health/) hub offers quick access to Windows 11 servicing announcements, known issues, and safeguard holds. + +It's important that organizations have adequate time to plan for Windows 11. Microsoft also recognizes that many organizations have a mix of Windows 11 and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 continue to receive monthly Windows 10 security updates, and incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page. ## Application compatibility Microsoft's compatibility promise for Windows 10 is maintained for Windows 11. Data from the App Assure program shows that Windows 10 compatibility rates are over 99.7% for enterprise organizations, including line of business (LOB) apps. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. Windows 11 is subject to the same app compatibility validation requirements that are in place for Windows 10 today, for both feature and quality updates. -#### App Assure +For more information, see [Windows compatibility cookbook](/windows/compatibility/). 
-If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure can help. +### App Assure -- **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. - -You might already be using App Assure in your Windows 10 environment. The tool will continue to function with Windows 11. +If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, App Assure can help. With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft helps you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with more than 150 devices. ## Next steps [Prepare for Windows 11](windows-11-prepare.md) -## Also see - [Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/training/modules/windows-plan/) From a55e434dda2a079a66a636f9678b6b9113a79851 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 12 Jul 2024 16:54:10 -0700 Subject: [PATCH 29/61] fix build suggestion --- .openpublishing.redirection.windows-deployment.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json index e733f7e24e..9fe31073d2 100644 --- a/.openpublishing.redirection.windows-deployment.json +++ b/.openpublishing.redirection.windows-deployment.json 
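Review bot: In the rewritten App Assure paragraph, "150+ seats" becomes "more than 150 devices", which changes both the threshold (150 itself no longer qualifies) and the unit (seats versus devices); unless the program terms actually changed, keep the original quantity and unit or verify the new wording against the App Assure page the paragraph links to. The Windows 10 servicing sentence also drops "through 2025", turning a dated commitment into an open-ended statement; if the qualifier was removed because the linked release information page now carries the dates, say so in the commit message, otherwise keep it. Finally, the deleted sentence "You might already be using App Assure in your Windows 10 environment. The tool will continue to function with Windows 11." was the only place the article told existing App Assure customers that the service carries over; consider keeping that statement in the merged paragraph.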
@@ -1183,12 +1183,12 @@ { "source_path": "windows/deployment/planning/windows-10-compatibility.md", "redirect_url": "/windows/compatibility/", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/deployment/update/plan-determine-app-readiness.md", "redirect_url": "/windows/compatibility/windows-11/testing-guidelines", - "redirect_document_id": true + "redirect_document_id": false } ] } From 1194b58c0db4dbcb971c97155a693fc822eefb1c Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 12 Jul 2024 17:00:09 -0700 Subject: [PATCH 30/61] update metadata --- windows/deployment/update/prepare-deploy-windows.md | 4 ++-- windows/whats-new/windows-11-plan.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index c69e5987ea..def7222a70 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -1,9 +1,9 @@ --- title: Prepare to deploy Windows -description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users +description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-article author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index df1748f800..c3887cd926 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -6,7 +6,7 @@ author: mestew ms.author: mstewart manager: aaroncz ms.localizationpriority: high -ms.topic: conceptual +ms.topic: get-started ms.collection: - highpri - tier1 
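Review bot: In the windows-11-plan.md hunk, `ms.topic` moves from `conceptual` to `get-started`, while the prepare-deploy-windows.md hunk in the same commit moves the same deprecated value to `concept-article`; confirm that `get-started` is the intended classification for a planning overview rather than `concept-article`, and note the reason in the commit message so the two different mappings do not look accidental.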
From 4b422a2f27d582f1ad2dceb4980904db53ba5a7c Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 15 Jul 2024 10:43:13 -0600 Subject: [PATCH 31/61] Update windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md --- .../pluton/microsoft-pluton-security-processor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index fcb2561271..f577d3889f 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md @@ -9,7 +9,7 @@ ms.date: 07/10/2024 Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. -Microsoft Pluton is currently available on devices with AMD Ryzen® 6000, 7000, 8000, Ryzen AI and Qualcomm Snapdragon® 8cx Gen 3 and Snapdragon X series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2 and above. +Microsoft Pluton is currently available on devices with AMD Ryzen® 6000, 7000, 8000, Ryzen AI and Qualcomm Snapdragon® 8cx Gen 3 and Snapdragon X series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2 and later. ## What is Microsoft Pluton? From 603b681dbcc48ae647689cdd5ada5e04d2e8989d Mon Sep 17 00:00:00 2001 
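Review bot: Style on the changed line: "Pluton capable processors" should be hyphenated as "Pluton-capable processors" (compound modifier), and the processor list "AMD Ryzen® 6000, 7000, 8000, Ryzen AI and Qualcomm" wants a comma before "and" to match the serial-comma style used in the sentence above ("secure identity, secure attestation, and cryptographic services"). Since the line is already being touched for "and above" to "and later", fold these in.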
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 15 Jul 2024 10:43:21 -0600 Subject: [PATCH 32/61] Update windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md --- .../pluton/microsoft-pluton-security-processor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index f577d3889f..a68fb9ac24 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md 
@@ -22,7 +22,7 @@ Pluton is built on proven technology used in Xbox and Azure Sphere, and provides ## How can Pluton help customers? Pluton is built with the goal of providing customers with better end-to-end security experiences. It does so by doing three things: -1) **Zero-trust security and reliability**: customer security scenarios often span devices and cloud services. Windows PCs and services like Microsoft Entra and Intune need to work harmoniously together to provide frictionless security. Pluton is designed, built and maintained in close collaboration with teams across Microsoft to ensure that customers get both high security and reliability +1. **Zero-trust security and reliability**: Customer security scenarios often span devices and cloud services. Windows PCs and services like Microsoft Entra and Intune need to work harmoniously together to provide frictionless security. Pluton is designed, built and maintained in close collaboration with teams across Microsoft to ensure that customers get both high security and reliability. 2) **Innovation**: the Pluton platform and the functionality it provides is informed by customer feedback and Microsoft’s threat intelligence. As one example, 2024 Pluton platforms in AMD and Intel systems will start to use a Rust-based firmware foundation given the importance of memory safety. 3) **Continuous improvement**: the Pluton platform supports loading new firmware delivered through operating system updates. This functionality is supported alongside the typical mechanism of UEFI capsule updates that updates the Pluton firmware that is resident on the system’s SPI flash and loaded during early system boot. The additional support for dynamically loading valid new Pluton firmware through operating system updates facilitates continuous improvements both for bug fixes and new features. From c5f9ba0c42d0f07b75fee33efe8aabbb685f57c4 Mon Sep 17 00:00:00 2001 
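Review bot: After this hunk the ordered list mixes delimiters: item 1 now uses "1." while items 2 and 3 still use "2)" and "3)". CommonMark treats a change of ordered-list delimiter as the start of a new list, so this revision renders as a one-item list followed by a separate list whose numbering restarts. The following two commits in the series fix the remaining items, so the end state is fine, but squashing the three into one commit would avoid an intermediate revision that renders incorrectly.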
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 15 Jul 2024 10:43:31 -0600 Subject: [PATCH 33/61] Update windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md --- .../pluton/microsoft-pluton-security-processor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index a68fb9ac24..07830755bf 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md 
@@ -23,7 +23,7 @@ Pluton is built on proven technology used in Xbox and Azure Sphere, and provides Pluton is built with the goal of providing customers with better end-to-end security experiences. It does so by doing three things: 1. **Zero-trust security and reliability**: Customer security scenarios often span devices and cloud services. Windows PCs and services like Microsoft Entra and Intune need to work harmoniously together to provide frictionless security. Pluton is designed, built and maintained in close collaboration with teams across Microsoft to ensure that customers get both high security and reliability. -2) **Innovation**: the Pluton platform and the functionality it provides is informed by customer feedback and Microsoft’s threat intelligence. As one example, 2024 Pluton platforms in AMD and Intel systems will start to use a Rust-based firmware foundation given the importance of memory safety. +1. **Innovation**: Pluton platform and the functionality it provides is informed by customer feedback and Microsoft’s threat intelligence. As an example, Pluton platforms in 2024 AMD and Intel systems will start to use a Rust-based firmware foundation given the importance of memory safety. 3) **Continuous improvement**: the Pluton platform supports loading new firmware delivered through operating system updates. This functionality is supported alongside the typical mechanism of UEFI capsule updates that updates the Pluton firmware that is resident on the system’s SPI flash and loaded during early system boot. The additional support for dynamically loading valid new Pluton firmware through operating system updates facilitates continuous improvements both for bug fixes and new features. ### A practical example: zero-trust security with device-based conditional access policies From 9a9acdb8672ddff12746fcd49d26ffd7ea8dd7ce Mon Sep 17 00:00:00 2001 
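Review bot: The changed line drops the article: "Pluton platform and the functionality it provides is informed by" reads as a fragment; keep "The Pluton platform" (item 3 on the same list still says "the Pluton platform" at this revision, so the drop also introduces an inconsistency). The compound subject "platform and the functionality" takes "are", not "is". Moving "2024" from "2024 Pluton platforms" to "2024 AMD and Intel systems" also changes what the year qualifies; the original said that the Pluton platforms shipping in 2024 adopt the Rust-based firmware foundation, which is presumably still the intended claim.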
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 15 Jul 2024 10:43:52 -0600 Subject: [PATCH 34/61] Update windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md --- .../pluton/microsoft-pluton-security-processor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index 07830755bf..4af71435ad 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md 
@@ -24,7 +24,7 @@ Pluton is built on proven technology used in Xbox and Azure Sphere, and provides Pluton is built with the goal of providing customers with better end-to-end security experiences. It does so by doing three things: 1. **Zero-trust security and reliability**: Customer security scenarios often span devices and cloud services. Windows PCs and services like Microsoft Entra and Intune need to work harmoniously together to provide frictionless security. Pluton is designed, built and maintained in close collaboration with teams across Microsoft to ensure that customers get both high security and reliability. 1. **Innovation**: Pluton platform and the functionality it provides is informed by customer feedback and Microsoft’s threat intelligence. As an example, Pluton platforms in 2024 AMD and Intel systems will start to use a Rust-based firmware foundation given the importance of memory safety. -3) **Continuous improvement**: the Pluton platform supports loading new firmware delivered through operating system updates. This functionality is supported alongside the typical mechanism of UEFI capsule updates that updates the Pluton firmware that is resident on the system’s SPI flash and loaded during early system boot. The additional support for dynamically loading valid new Pluton firmware through operating system updates facilitates continuous improvements both for bug fixes and new features. +1. **Continuous improvement**: Pluton platform supports loading new firmware delivered through operating system updates. This functionality is supported alongside the typical mechanism of UEFI capsule updates that update the Pluton firmware that is resident on the system’s SPI flash and loaded during early system boot. The additional support for dynamically loading valid new Pluton firmware through operating system updates facilitates continuous improvements both for bug fixes and new features. 
### A practical example: zero-trust security with device-based conditional access policies From 45d4b332ac77e59d29de2bfeae5ddd9ac66b0275 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 15 Jul 2024 10:44:04 -0600 Subject: [PATCH 35/61] Update windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md --- .../pluton/microsoft-pluton-security-processor.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index 4af71435ad..9c417c0772 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md 
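Review bot: Same article drop as in the previous hunk: "Pluton platform supports loading new firmware" should read "The Pluton platform supports loading new firmware". The "updates that updates" to "updates that update" correction is right. One documentation gap worth closing while the line is open: the text says firmware delivered through operating system updates must be "valid" but never says what establishes validity; a sentence or link on how that firmware is authenticated before it is loaded would help readers assessing this update channel alongside the UEFI capsule path.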
@@ -22,6 +22,7 @@ Pluton is built on proven technology used in Xbox and Azure Sphere, and provides ## How can Pluton help customers? Pluton is built with the goal of providing customers with better end-to-end security experiences. It does so by doing three things: + 1. **Zero-trust security and reliability**: Customer security scenarios often span devices and cloud services. Windows PCs and services like Microsoft Entra and Intune need to work harmoniously together to provide frictionless security. Pluton is designed, built and maintained in close collaboration with teams across Microsoft to ensure that customers get both high security and reliability. 1. **Innovation**: Pluton platform and the functionality it provides is informed by customer feedback and Microsoft’s threat intelligence. As an example, Pluton platforms in 2024 AMD and Intel systems will start to use a Rust-based firmware foundation given the importance of memory safety. 1. **Continuous improvement**: Pluton platform supports loading new firmware delivered through operating system updates. This functionality is supported alongside the typical mechanism of UEFI capsule updates that update the Pluton firmware that is resident on the system’s SPI flash and loaded during early system boot. The additional support for dynamically loading valid new Pluton firmware through operating system updates facilitates continuous improvements both for bug fixes and new features. From 7b749fca826468aba7664922fb0083e6a59779f1 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 15 Jul 2024 10:44:12 -0600 Subject: [PATCH 36/61] Update windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md --- .../pluton/microsoft-pluton-security-processor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index 9c417c0772..6f06687ff9 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md 
@@ -29,7 +29,7 @@ Pluton is built with the goal of providing customers with better end-to-end secu ### A practical example: zero-trust security with device-based conditional access policies -An increasingly important zero-trust workflow is conditional access – gating access to resources like Sharepoint documents based on verifying whether requests are coming from a valid, healthy source. Microsoft Intune for example supports may different workflows for conditional access including [device-based conditional access](https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune) which allows organizations to set policies that ensure that managed devices are healthy and compliant before granting access to the organization’s apps and services. +An increasingly important zero-trust workflow is conditional access – gating access to resources like Sharepoint documents based on verifying whether requests are coming from a valid, healthy source. Microsoft Intune, for example, supports different workflows for conditional access including [device-based conditional access](/mem/intune/protect/create-conditional-access-intune) which allows organizations to set policies that ensure that managed devices are healthy and compliant before granting access to the organization’s apps and services. To ensure that Intune gets an accurate picture about the device’s health as part of enforcing these policies, ideally it has tamper-resistant logs on the state of the relevant security capabilities. This is where hardware security is critical as any malicious software running on the device could attempt to provide false signals to the service. One of the core benefits of a hardware security technology like the TPM, is that it has a tamper-resistant log of the state of the system. Services can cryptographically validate that logs and the associated system state reported by the TPM truly come from the TPM. 
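Review bot: Style on the changed line: "Sharepoint" should be "SharePoint", and the spaced en dash after "conditional access" could be a colon for consistency with the rest of the article. Deleting "may" removes the typo, but the original almost certainly meant "many different workflows"; either reading works, so choose deliberately. The relative `/mem/intune/protect/create-conditional-access-intune` link in place of the absolute `learn.microsoft.com/en-us` URL is the right fix. A comma before "which allows organizations" would also help, since the clause is non-restrictive.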
From cfc27841cca4739ee2671e8a12daed46482134c7 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 15 Jul 2024 10:44:21 -0600 Subject: [PATCH 37/61] Update windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md --- .../pluton/microsoft-pluton-security-processor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index 6f06687ff9..dfdb572272 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md 
@@ -33,7 +33,7 @@ An increasingly important zero-trust workflow is conditional access – gating a To ensure that Intune gets an accurate picture about the device’s health as part of enforcing these policies, ideally it has tamper-resistant logs on the state of the relevant security capabilities. This is where hardware security is critical as any malicious software running on the device could attempt to provide false signals to the service. One of the core benefits of a hardware security technology like the TPM, is that it has a tamper-resistant log of the state of the system. Services can cryptographically validate that logs and the associated system state reported by the TPM truly come from the TPM. -For the end-to-end scenario to be truly successful at scale the hardware-based security is not enough though. Since access to enterprise assets is being gated based on security settings that are being reported by the TPM logs, it is critical that these logs are available reliably. Zero-trust security essentially requires high reliability. +For the end-to-end scenario to be truly successful at scale, the hardware-based security is not enough. Since access to enterprise assets is being gated based on security settings that are being reported by the TPM logs, it is critical that these logs are available reliably. Zero-trust security essentially requires high reliability. With Pluton, when it is configured as the TPM for the system, customers using conditional access get the benefits of Pluton’s security architecture and implementation with the reliability that comes from the tight integration and collaboration between Pluton and other Microsoft components and services. From 9c0754a65bf070eae4ebb5039218775a0cd4fb5a Mon Sep 17 00:00:00 2001 
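Review bot: The rewrite removes "though", which carried the contrast with the preceding paragraph about hardware-backed logs; "hardware-based security alone is not enough" keeps that logic explicit without the dangling adverb. The comma after "at scale" is a good addition. Consider also tightening "security settings that are being reported by the TPM logs" to "security settings reported in the TPM logs" on the same line, since the passive progressive obscures the point that the logs, not the settings, are the evidence being relied on.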
From: tiaraquan Date: Tue, 16 Jul 2024 11:51:30 -0700 Subject: [PATCH 38/61] updated metadata --- .../deploy/windows-autopatch-device-registration-overview.md | 2 +- .../deploy/windows-autopatch-groups-overview.md | 2 +- .../deploy/windows-autopatch-post-reg-readiness-checks.md | 2 +- .../windows-autopatch/operate/windows-autopatch-edge.md | 2 +- .../operate/windows-autopatch-groups-update-management.md | 2 +- .../windows-autopatch-manage-windows-feature-update-releases.md | 2 +- .../windows-autopatch/operate/windows-autopatch-teams.md | 2 +- .../windows-autopatch-windows-feature-update-overview.md | 2 +- ...patch-windows-quality-and-feature-update-reports-overview.md | 2 +- .../windows-autopatch-windows-quality-update-communications.md | 2 +- .../windows-autopatch/overview/windows-autopatch-privacy.md | 2 +- .../overview/windows-autopatch-roles-responsibilities.md | 2 +- .../prepare/windows-autopatch-prerequisites.md | 2 +- .../references/windows-autopatch-changes-to-tenant.md | 2 +- .../references/windows-autopatch-conflicting-configurations.md | 2 +- ...patch-driver-and-firmware-updates-public-preview-addendum.md | 2 +- .../references/windows-autopatch-microsoft-365-policies.md | 2 +- .../windows-autopatch-windows-update-unsupported-policies.md | 2 +- 18 files changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index dd113afcfc..3b2702240b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md 
@@ -4,7 +4,7 @@ description: This article provides an overview on how to register devices in Aut ms.date: 02/15/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md index 030de871bb..acdf9129ce 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md @@ -4,7 +4,7 @@ description: This article explains what Autopatch groups are ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index bbed3ec3b1..a330822f85 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -4,7 +4,7 @@ description: This article details how post-device registration readiness checks ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-artcle ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md index 66650fb27b..3b4cb9ee57 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md 
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md @@ -4,7 +4,7 @@ description: This article explains how Microsoft Edge updates are managed in Win ms.date: 09/15/2023 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md index 1a03d4c08b..7d66ce8a49 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md @@ -4,7 +4,7 @@ description: This article provides an overview of how updates are handled with A ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: overview +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-windows-feature-update-releases.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-windows-feature-update-releases.md index 0ed4a2cdb6..8c21ff7513 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-windows-feature-update-releases.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-windows-feature-update-releases.md @@ -4,7 +4,7 @@ description: This article explains how you can manage Windows feature updates wi ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md index b474ff2498..3945ea4bca 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md @@ -4,7 +4,7 @@ description: This article explains how Microsoft Teams updates are managed in Wi ms.date: 09/15/2023 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index 2bf45427ed..24c4fc7e02 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md @@ -4,7 +4,7 @@ description: This article explains how Windows feature updates are managed with ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: overview ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview.md index c556fca641..7d2cb8b29e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview.md 
@@ -4,7 +4,7 @@ description: This article details the types of reports available and info about ms.date: 07/10/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: overview ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md index 4c86c00301..139508380f 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md @@ -4,7 +4,7 @@ description: This article explains Windows quality update communications ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index c2aadef998..267c55bde3 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -4,7 +4,7 @@ description: This article provides details about the data platform and privacy c ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: reference +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index b62bc5627b..f7e85f6135 100644 
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -4,7 +4,7 @@ description: This article describes the roles and responsibilities provided by W ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index c5a7d98976..eaccb006f5 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -4,7 +4,7 @@ description: This article details the prerequisites needed for Windows Autopatch ms.date: 01/11/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 13ccf4e8ec..b91a7f24ed 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -4,7 +4,7 @@ description: This reference article details the changes made to your tenant when ms.date: 12/13/2023 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: reference +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan 
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md index cbd7fc1142..afcb34afdb 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md @@ -4,7 +4,7 @@ description: This article explains how to remediate conflicting configurations a ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md index 8cbed6ce25..9023597983 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md @@ -4,7 +4,7 @@ description: This article explains how driver and firmware updates are managed ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: legal ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md index 56d474d0f9..fab099ab47 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md 
@@ -4,7 +4,7 @@ description: This article explains the Microsoft 365 Apps for enterprise policie ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md index 5e6dfd39cc..708985a6bf 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md @@ -4,7 +4,7 @@ description: This article explains Windows update policies in Windows Autopatch ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan From 19b6ca161dfb589ee33a512f15517f9aa69f25b9 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 16 Jul 2024 11:59:22 -0700 Subject: [PATCH 39/61] Fixed acrolinx score --- .../windows-autopatch/operate/windows-autopatch-edge.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md index 3b4cb9ee57..e72d188447 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md 
@@ -30,9 +30,9 @@ For a device to be eligible for Microsoft Edge updates as a part of Windows Auto ## Update release schedule -Microsoft Edge will check for updates every 10 hours. Quality updates occur weekly by default. Feature updates occur automatically every four weeks and are rolled out [progressively](/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group to ensure the best experience for customers. All users will see the update within a few days of the initial release. +Microsoft Edge checks for updates every 10 hours. Quality updates occur weekly by default. Feature updates occur automatically every four weeks and are rolled out [progressively](/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group to ensure the best experience for customers. The update is available within a few days of the initial release. -Browser updates with critical security fixes will have a faster rollout cadence than updates that don't have critical security fixes to ensure prompt protection from vulnerabilities. +Browser updates with critical security fixes have a faster rollout cadence than updates that don't have critical security fixes to ensure fast protection from vulnerabilities. Devices in the Test device group receive feature updates from the [Beta Channel](/deployedge/microsoft-edge-channels#beta-channel). This channel is fully supported and automatically updated with new features approximately every four weeks. From ba9524517d4dde39a63c4b5c9c41436a07c3d014 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 16 Jul 2024 12:11:40 -0700 Subject: [PATCH 40/61] typo --- .../deploy/windows-autopatch-post-reg-readiness-checks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
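Review bot: in the windows-autopatch-edge.md hunk above, the rewrite of the first paragraph changes the claim, not only the tense. "All users will see the update within a few days of the initial release" becomes "The update is available within a few days of the initial release", which no longer states that the progressive rollout reaches every device in that window, and that completion window is the thing an admin planning a security-fix rollout wants to know. If the goal is only to drop the future tense, keep the original meaning, for example "All users see the update within a few days of the initial release." In the second paragraph, "prompt protection" was changed to "fast protection"; "prompt" is the more precise word for time-to-patch and is not a future-tense construct, so the Acrolinx fix does not require that change.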
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index a330822f85..922580d930 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -4,7 +4,7 @@ description: This article details how post-device registration readiness checks ms.date: 07/08/2024 ms.service: windows-client ms.subservice: itpro-updates -ms.topic: concept-artcle +ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan From 56d88b67ae0b2f5fda1fdae718ef9e8794f7a141 Mon Sep 17 00:00:00 2001 From: Sandeep Deo <38295759+SanDeo-MSFT@users.noreply.github.com> Date: Tue, 16 Jul 2024 13:02:13 -0700 Subject: [PATCH 41/61] Update recovery-process.md --- .../data-protection/bitlocker/recovery-process.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md index d6e0f76716..28cbcd8d4a 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md 
@@ -72,7 +72,7 @@ The following list can be used as a template for creating a recovery process for There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units. > [!NOTE] -> When devices including [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Administrative unit scoped administrators will lose access to BitLocker recovery keys after device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user). +> When devices including [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user). 
The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1]. From 4470d6d34fe5afcd6db35a7a47f643e9d19fa030 Mon Sep 17 00:00:00 2001 
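Review bot: in the recovery-process.md hunk, the new sentence "Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes" is ambiguous about what "custom role" qualifies. A reader can take it to mean administrators holding any custom role, including an unscoped custom role carrying `microsoft.directory/bitlockerKeys/key/read` as described in the paragraph above, rather than administrators whose built-in or custom role is scoped to an administrative unit. Suggest "Administrators whose built-in or custom role is scoped to an administrative unit lose access to BitLocker recovery keys for devices whose ownership has changed", or state explicitly whether an unscoped custom role keeps access. The note also keeps "will lose", "will need" and "join to Entra"; the previous commit in this series rewrote future tense to present tense for Acrolinx, and the paragraph above uses the product name Microsoft Entra ID, so "lose", "need to" and "join to Microsoft Entra ID" would be consistent. Finally, the note gives the operational consequence (scoped administrators must contact a non-scoped administrator) but not the cause; saying why scope is lost after an ownership change would let helpdesk staff recognize the condition instead of discovering it during a recovery.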
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 16 Jul 2024 14:03:36 -0700 Subject: [PATCH 42/61] bulk update for topic metadata --- .../enterprise-background-activity-controls.md | 2 +- .../private-app-repository-mdm-company-portal-windows-11.md | 2 +- windows/deployment/configure-a-pxe-server-to-load-windows-pe.md | 2 +- windows/deployment/customize-boot-image.md | 2 +- windows/deployment/deploy-m365.md | 2 +- ...ows-10-operating-system-image-using-configuration-manager.md | 2 +- ...10-deployment-with-windows-pe-using-configuration-manager.md | 2 +- ...a-custom-windows-pe-boot-image-with-configuration-manager.md | 2 +- ...create-a-task-sequence-with-configuration-manager-and-mdt.md | 2 +- ...ion-to-deploy-with-windows-10-using-configuration-manager.md | 2 +- .../deploy-windows-10-using-pxe-and-configuration-manager.md | 2 +- ...tion-for-windows-10-deployment-with-configuration-manager.md | 2 +- ...dows-7-client-with-windows-10-using-configuration-manager.md | 2 +- ...dows-7-client-with-windows-10-using-configuration-manager.md | 2 +- .../upgrade-to-windows-10-with-configuration-manager.md | 2 +- .../deployment/do/images/elixir_ux/readme-elixir-ux-files.md | 2 +- .../planning/applying-filters-to-data-in-the-sua-tool.md | 2 +- ...e-data-types-and-operators-in-compatibility-administrator.md | 2 +- .../planning/compatibility-administrator-users-guide.md | 2 +- ...ibility-fix-database-management-strategies-and-deployment.md | 2 +- ...atibility-fixes-for-windows-8-windows-7-and-windows-vista.md | 2 +- ...a-custom-compatibility-fix-in-compatibility-administrator.md | 2 +- ...-custom-compatibility-mode-in-compatibility-administrator.md | 2 +- ...reating-an-apphelp-message-in-compatibility-administrator.md | 2 +- ...abling-compatibility-fixes-in-compatibility-administrator.md | 2 +- .../planning/fixing-applications-by-using-the-sua-tool.md | 2 +- ...om-compatibility-databases-in-compatibility-administrator.md | 2 +- 
...-application-compatibility-fixes-and-custom-fix-databases.md | 2 +- ...ing-for-fixed-applications-in-compatibility-administrator.md | 2 +- ...-fixes-with-the-query-tool-in-compatibility-administrator.md | 2 +- .../planning/showing-messages-generated-by-the-sua-tool.md | 2 +- windows/deployment/planning/sua-users-guide.md | 2 +- windows/deployment/planning/tabs-on-the-sua-tool-interface.md | 2 +- .../planning/testing-your-application-mitigation-packages.md | 2 +- .../planning/understanding-and-using-compatibility-fixes.md | 2 +- .../planning/using-the-compatibility-administrator-tool.md | 2 +- .../planning/using-the-sdbinstexe-command-line-tool.md | 2 +- windows/deployment/planning/using-the-sua-tool.md | 2 +- windows/deployment/planning/using-the-sua-wizard.md | 2 +- .../viewing-the-events-screen-in-compatibility-administrator.md | 2 +- .../deployment/planning/windows-10-deployment-considerations.md | 2 +- .../planning/windows-10-infrastructure-requirements.md | 2 +- windows/deployment/update/eval-infra-tools.md | 2 +- windows/deployment/update/wufb-reports-help.md | 2 +- windows/deployment/upgrade/resolve-windows-upgrade-errors.md | 2 +- windows/deployment/upgrade/submit-errors.md | 2 +- windows/deployment/upgrade/windows-error-reporting.md | 2 +- .../upgrade/windows-upgrade-and-migration-considerations.md | 2 +- .../usmt/getting-started-with-the-user-state-migration-tool.md | 2 +- windows/deployment/usmt/migrate-application-settings.md | 2 +- windows/deployment/usmt/migration-store-types-overview.md | 2 +- windows/deployment/usmt/offline-migration-reference.md | 2 +- windows/deployment/usmt/understanding-migration-xml-files.md | 2 +- windows/deployment/usmt/usmt-best-practices.md | 2 +- windows/deployment/usmt/usmt-choose-migration-store-type.md | 2 +- windows/deployment/usmt/usmt-command-line-syntax.md | 2 +- windows/deployment/usmt/usmt-common-migration-scenarios.md | 2 +- windows/deployment/usmt/usmt-configxml-file.md | 2 +- 
windows/deployment/usmt/usmt-conflicts-and-precedence.md | 2 +- windows/deployment/usmt/usmt-custom-xml-examples.md | 2 +- windows/deployment/usmt/usmt-customize-xml-files.md | 2 +- windows/deployment/usmt/usmt-determine-what-to-migrate.md | 2 +- windows/deployment/usmt/usmt-estimate-migration-store-size.md | 2 +- windows/deployment/usmt/usmt-exclude-files-and-settings.md | 2 +- .../usmt-extract-files-from-a-compressed-migration-store.md | 2 +- windows/deployment/usmt/usmt-general-conventions.md | 2 +- windows/deployment/usmt/usmt-hard-link-migration-store.md | 2 +- windows/deployment/usmt/usmt-how-it-works.md | 2 +- windows/deployment/usmt/usmt-how-to.md | 2 +- windows/deployment/usmt/usmt-identify-application-settings.md | 2 +- .../usmt/usmt-identify-file-types-files-and-folders.md | 2 +- .../deployment/usmt/usmt-identify-operating-system-settings.md | 2 +- windows/deployment/usmt/usmt-identify-users.md | 2 +- windows/deployment/usmt/usmt-include-files-and-settings.md | 2 +- windows/deployment/usmt/usmt-loadstate-syntax.md | 2 +- windows/deployment/usmt/usmt-log-files.md | 2 +- .../deployment/usmt/usmt-migrate-efs-files-and-certificates.md | 2 +- windows/deployment/usmt/usmt-migrate-user-accounts.md | 2 +- windows/deployment/usmt/usmt-migration-store-encryption.md | 2 +- windows/deployment/usmt/usmt-plan-your-migration.md | 2 +- windows/deployment/usmt/usmt-reference.md | 2 +- windows/deployment/usmt/usmt-requirements.md | 2 +- windows/deployment/usmt/usmt-reroute-files-and-settings.md | 2 +- windows/deployment/usmt/usmt-resources.md | 2 +- windows/deployment/usmt/usmt-scanstate-syntax.md | 2 +- windows/deployment/usmt/usmt-technical-reference.md | 2 +- windows/deployment/usmt/usmt-test-your-migration.md | 2 +- windows/deployment/usmt/usmt-topics.md | 2 +- windows/deployment/usmt/usmt-troubleshooting.md | 2 +- windows/deployment/usmt/usmt-utilities.md | 2 +- windows/deployment/usmt/usmt-what-does-usmt-migrate.md | 2 +- 
windows/deployment/usmt/usmt-xml-elements-library.md | 2 +- windows/deployment/usmt/usmt-xml-reference.md | 2 +- .../verify-the-condition-of-a-compressed-migration-store.md | 2 +- windows/deployment/usmt/xml-file-requirements.md | 2 +- .../volume-activation/activate-forest-by-proxy-vamt.md | 2 +- windows/deployment/volume-activation/activate-forest-vamt.md | 2 +- .../volume-activation/activate-windows-clients-vamt.md | 2 +- .../active-directory-based-activation-overview.md | 2 +- .../deployment/volume-activation/add-manage-products-vamt.md | 2 +- .../deployment/volume-activation/add-remove-computers-vamt.md | 2 +- .../deployment/volume-activation/add-remove-product-key-vamt.md | 2 +- ...ix-information-sent-to-microsoft-during-activation-client.md | 2 +- .../volume-activation/configure-client-computers-vamt.md | 2 +- windows/deployment/volume-activation/install-configure-vamt.md | 2 +- .../deployment/volume-activation/install-kms-client-key-vamt.md | 2 +- .../deployment/volume-activation/install-product-key-vamt.md | 2 +- windows/deployment/volume-activation/install-vamt.md | 2 +- windows/deployment/volume-activation/kms-activation-vamt.md | 2 +- windows/deployment/volume-activation/local-reactivation-vamt.md | 2 +- windows/deployment/volume-activation/manage-activations-vamt.md | 2 +- .../deployment/volume-activation/manage-product-keys-vamt.md | 2 +- windows/deployment/volume-activation/manage-vamt-data.md | 2 +- .../deployment/volume-activation/monitor-activation-client.md | 2 +- windows/deployment/volume-activation/online-activation-vamt.md | 2 +- .../volume-activation/plan-for-volume-activation-client.md | 2 +- windows/deployment/volume-activation/proxy-activation-vamt.md | 2 +- windows/deployment/volume-activation/remove-products-vamt.md | 2 +- .../volume-activation/scenario-kms-activation-vamt.md | 2 +- .../volume-activation/scenario-online-activation-vamt.md | 2 +- .../volume-activation/scenario-proxy-activation-vamt.md | 2 +- 
.../deployment/volume-activation/update-product-status-vamt.md | 2 +- .../use-the-volume-activation-management-tool-client.md | 2 +- .../volume-activation/use-vamt-in-windows-powershell.md | 2 +- windows/deployment/volume-activation/vamt-known-issues.md | 2 +- windows/deployment/volume-activation/vamt-requirements.md | 2 +- windows/deployment/volume-activation/vamt-step-by-step.md | 2 +- .../deployment/volume-activation/volume-activation-windows.md | 2 +- windows/deployment/wds-boot-support.md | 2 +- windows/deployment/windows-10-pro-in-s-mode.md | 2 +- windows/deployment/windows-adk-scenarios-for-it-pros.md | 2 +- windows/deployment/windows-deployment-scenarios-and-tools.md | 2 +- windows/deployment/windows-deployment-scenarios.md | 2 +- windows/deployment/windows-enterprise-e3-overview.md | 2 +- windows/deployment/windows-missing-fonts.md | 2 +- 135 files changed, 135 insertions(+), 135 deletions(-) diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 2a00963aef..73dbb919ae 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -5,7 +5,7 @@ author: aczechowski ms.author: aaroncz manager: aaroncz ms.date: 10/03/2017 -ms.topic: article +ms.topic: conceptual ms.service: windows-client ms.subservice: itpro-apps ms.localizationpriority: medium diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index 90281afcd3..d6b6444c8d 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md 
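Review bot: every hunk in this patch replaces `ms.topic: article` with `ms.topic: conceptual`, beginning with the enterprise-background-activity-controls.md hunk above, while the windows-autopatch hunks earlier in this series move files off `conceptual` to `concept-article`, `how-to` and `overview`. The two patches pull the metadata in opposite directions. If `conceptual` is being retired in favor of `concept-article`, this bulk update should target `concept-article`, with `how-to` for the step-by-step pages (configure-a-pxe-server-to-load-windows-pe.md and the deploy-windows-cm guides such as add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md), so that these 135 files do not need a second pass. The commit message, "bulk update for topic metadata", should also say which taxonomy the values were chosen against, so the next reviewer can tell which of the two patches reflects the current convention.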
@@ -5,7 +5,7 @@ author: aczechowski ms.author: aaroncz manager: aaroncz ms.date: 04/04/2023 -ms.topic: article +ms.topic: conceptual ms.service: windows-client ms.subservice: itpro-apps ms.localizationpriority: medium diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 8afd2c00f8..4b8d904b2e 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium author: frankroj manager: aaroncz ms.author: frankroj -ms.topic: article +ms.topic: conceptual ms.date: 11/23/2022 ms.subservice: itpro-deploy --- diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index e03de452cb..f49b063823 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium author: frankroj manager: aaroncz ms.author: frankroj -ms.topic: article +ms.topic: conceptual ms.date: 05/09/2024 ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index c2a4d9ce76..d125b76faf 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -6,7 +6,7 @@ description: Learn about deploying Windows with Microsoft 365 and how to use a f ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.date: 02/13/2024 ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index c5ed56316b..078191014f 100644 
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 40fdcea0df..3e07ef2858 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index da7c70c515..cee1940d35 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- 
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index af5baf8233..1f1fdf0411 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 7159edcbe3..da0da8612c 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index 648a274ad0..1d0ee23b79 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md 
@@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 4929876f5a..ceea5b0432 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 19bb081501..e6876a705b 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index b13078046f..e26d5695c1 100644 
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index bddc7bf6cb..ad22f1ed1a 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/27/2022 --- diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md index bc36a395ef..8b132e7d76 100644 --- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -5,7 +5,7 @@ description: Elixir images read me file ms.service: windows-client author: nidos ms.author: nidos -ms.topic: article +ms.topic: conceptual ms.date: 12/31/2017 ms.subservice: itpro-updates robots: noindex diff --git a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md index e592664ec5..34bf0d7f22 100644 --- a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md +++ b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md 
@@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md index 1d4df56098..1b714e4247 100644 --- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index 853283a0cc..4e8ee9cb22 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md @@ -5,7 +5,7 @@ ms.author: frankroj description: The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows. ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index dd2905355f..acd338e940 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md 
@@ -6,7 +6,7 @@ description: Learn how to deploy your compatibility fixes into an application-in ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index e37a77e25a..6148602a62 100644 --- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index c1946e6941..d008653378 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -5,7 +5,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index 9e8137b12b..ffbac4b896 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md 
@@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md index a77208735d..5ba7a9cf41 100644 --- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index e37786a9a6..1767d6c21b 100644 --- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md @@ -5,7 +5,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md index 7155581ea8..ebb8501b13 100644 --- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md +++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- 
diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index a50feb249b..e7265156ef 100644 --- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md index 69b7bd6cd3..6f9d7dae92 100644 --- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md index aa27616363..a65742c0f2 100644 --- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- 
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index 847fb0731b..c7cd8de1b8 100644 --- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md @@ -5,7 +5,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md index cb8a3ebc82..53428226ac 100644 --- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md +++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index 47b4ffba5c..3933f9c2d5 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md index c6af910322..6c189c6d79 100644 --- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md 
+++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md index 481d2ce883..fcc32044a3 100644 --- a/windows/deployment/planning/testing-your-application-mitigation-packages.md +++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md index 7327ff75b9..6fa5f46c8c 100644 --- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md +++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md @@ -5,7 +5,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md index d3c2f77b38..d938b218f9 100644 --- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md +++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- 
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index 2ae090b3f3..d9152b5782 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md index 043d002305..c67a5ba90a 100644 --- a/windows/deployment/planning/using-the-sua-tool.md +++ b/windows/deployment/planning/using-the-sua-tool.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 8f7ed9170b..5107afeb74 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 10/28/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy --- diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md index 38b8b8cf10..cf1a19004e 100644 --- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md 
@@ -5,7 +5,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 4b6d775551..4de089d98f 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index f33cc45e96..f6e34ac694 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -6,7 +6,7 @@ ms.author: frankroj ms.service: windows-client ms.localizationpriority: medium author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 10/28/2022 --- diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md index d12a78f404..920952b771 100644 --- a/windows/deployment/update/eval-infra-tools.md +++ b/windows/deployment/update/eval-infra-tools.md @@ -3,7 +3,7 @@ title: Evaluate infrastructure and tools description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: article +ms.topic: conceptual author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md index 6e7c31a485..4561a0045f 100644 
--- a/windows/deployment/update/wufb-reports-help.md +++ b/windows/deployment/update/wufb-reports-help.md @@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports description: Windows Update for Business reports support, feedback, and troubleshooting information. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: article +ms.topic: conceptual author: mestew ms.author: mstewart manager: aaroncz diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md index db42df75b3..da72341ab0 100644 --- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md @@ -5,7 +5,7 @@ ms.author: frankroj description: Resolve Windows upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. author: frankroj ms.localizationpriority: medium -ms.topic: article +ms.topic: conceptual ms.service: windows-client ms.subservice: itpro-deploy ms.date: 01/18/2024 diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 16cae375b4..48726194a2 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -6,7 +6,7 @@ description: Download the Feedback Hub app, and then submit Windows upgrade erro ms.service: windows-client author: frankroj ms.localizationpriority: medium -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 01/18/2024 appliesto: diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 6bf70a9220..c7251d75b2 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md 
@@ -6,7 +6,7 @@ description: Learn how to review the events generated by Windows Error Reporting ms.service: windows-client author: frankroj ms.localizationpriority: medium -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 01/18/2024 appliesto: diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index 90b71af916..48b8e267ec 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -5,7 +5,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 08/09/2023 --- diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index 398bf0db0c..fda2e72b83 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 01/09/2024 appliesto: diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index 0c0c0cd136..9d79558fac 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index a78ca35e20..f0fdf74531 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index 37d0ee09aa..8e72361a5d 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index a0a19e6b05..3adb68387b 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index 389249762f..4ebf6ff55f 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index 3fa1d56d53..1847cce5d9 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 7910d461e3..4844937b52 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 3cd5309aed..1685667185 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 4e57000ce6..c0e4682965 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index 3bcd0d7bad..f9874a4d2f 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 18b3331ea4..130f3031c8 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 01/09/2024 appliesto: diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index 33c3120090..8eefa733d4 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index 68e87f678b..bad57314e9 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 8db55b2eae..014e48a76e 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 221ef98e11..354badb01a 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index c39ac18b5a..59234776e5 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index f0e8b6df67..38b66a02b6 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md 
@@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index fb1b03a426..d2cae89bc7 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 7008393b54..591b1d3804 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy ms.date: 01/09/2024 appliesto: diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index 5356e4e408..c3589124d1 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md index 588764266d..feca874008 100644 --- a/windows/deployment/usmt/usmt-identify-application-settings.md +++ b/windows/deployment/usmt/usmt-identify-application-settings.md 
@@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md index db8587a5a5..e5b15c352d 100644 --- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md +++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index 5d8c14a899..cedbe8d1f9 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index 6f3195fe0a..736881d3b3 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.topic: article +ms.topic: conceptual ms.localizationpriority: medium ms.subservice: itpro-deploy ms.date: 01/09/2024 diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index aa89ea14d0..f4d79a27f2 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md 
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index c13a48e0c7..a4bf1f2eeb 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 04/30/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index 53b4df1789..70f159b544 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index eeb1b3c15f..39944f9a6a 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 898de489c6..41f319446d 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md 
@@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md index 17d6643a94..b5dc3eb5fe 100644 --- a/windows/deployment/usmt/usmt-migration-store-encryption.md +++ b/windows/deployment/usmt/usmt-migration-store-encryption.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index 806b4afc87..20bbc09ad5 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index e81d243feb..9581170803 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index cdb3d41096..26b5f86f7a 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md 
@@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 04/30/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index 247311e3eb..f002c6d337 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index 18a09528cb..239d7be582 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 82d4e9ada4..24f73b72d1 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 04/30/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index 6a7de9fd90..1254f4fef0 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md 
@@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index b4a39f6bfd..57767aecf4 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index 8b868f1fec..e3be3d8fd0 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index e3c14bf619..3e85b84a37 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index 2ccde56d88..20c70db094 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index b069f9ac46..e03e8db9c0 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/18/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index 7e06dffcf9..a4694c75a9 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index 4bc9ba48e0..3b1f32fc27 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index 2f66da5edc..818a24659e 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index 3182faf447..7d1969ad11 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 01/09/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md index 4c3cae83e2..fcf91e9502 100644 --- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index 82278ce278..128068b07c 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/activate-windows-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-clients-vamt.md index 46d76cbe54..7f95ef225e 100644 --- a/windows/deployment/volume-activation/activate-windows-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-clients-vamt.md 
@@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals appliesto: - ✅ Windows 11 diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index 3d293922bf..ed01a87d85 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index f4fc72f1ab..e4f655dbf7 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md +++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 4ee747359f..9878980a5d 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index 89439e87f0..af1131f23a 100644 
--- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 4346a5ce67..7fce96b052 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -9,7 +9,7 @@ ms.service: windows-client ms.subservice: itpro-fundamentals ms.localizationpriority: medium ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 5b39a2996e..c3c6e47154 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -7,7 +7,7 @@ author: frankroj ms.author: frankroj ms.service: windows-client ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index fa8087423a..aee189d31f 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md 
@@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index 0c65b30992..80a5fc67e1 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index fec886a0b7..2b9d727184 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 8c43c6cda6..3b3b7746fa 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals appliesto: - ✅ Windows 11 diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md index 97e5bcca16..1890da7caf 100644 --- a/windows/deployment/volume-activation/kms-activation-vamt.md 
+++ b/windows/deployment/volume-activation/kms-activation-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md index 277342a97d..2bee6093d1 100644 --- a/windows/deployment/volume-activation/local-reactivation-vamt.md +++ b/windows/deployment/volume-activation/local-reactivation-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 9216ff075c..49cbc84db3 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index 15579d3b82..fb18c65aa6 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index de933e88c8..3946fc1c63 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md 
+++ b/windows/deployment/volume-activation/manage-vamt-data.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 8a59c549bd..3720919a25 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -7,7 +7,7 @@ description: Understand the most common methods to monitor the success of the ac ms.service: windows-client author: frankroj ms.localizationpriority: medium -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals ms.date: 03/29/2024 appliesto: diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index 537f46d71e..3e6a04568d 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 7702949941..89dab1ef39 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.localizationpriority: medium -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals ms.date: 03/29/2024 appliesto: 
diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index 9e14cf5631..57c242d69c 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index 2b49facf89..cad9428d5a 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 0dc03e90e0..4ba48b833b 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 1f573be911..7af76c4c7a 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md 
@@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index 654a67b2b3..74a59bbd9d 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index 0a077e39bb..f47584757f 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index 3ee35bd266..3e1e4a1657 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals appliesto: - ✅ Windows 11 
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 0add9fe565..b9633b62d2 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index a11eb40946..5244254c65 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 11/07/2022 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index 4a92b44341..8b82d6ae68 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index 59c883df3c..375ebad9fa 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -7,7 +7,7 @@ ms.author: frankroj ms.service: windows-client author: frankroj ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals --- 
diff --git a/windows/deployment/volume-activation/volume-activation-windows.md b/windows/deployment/volume-activation/volume-activation-windows.md index 8891a74db2..701785bf9e 100644 --- a/windows/deployment/volume-activation/volume-activation-windows.md +++ b/windows/deployment/volume-activation/volume-activation-windows.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.localizationpriority: medium ms.date: 03/29/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-fundamentals appliesto: - ✅ Windows 11 diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index ef124c0497..0b09a07b84 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz -ms.topic: article +ms.topic: conceptual ms.date: 04/25/2024 ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index 82bb386aa3..f4b7f66792 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md @@ -6,7 +6,7 @@ ms.author: frankroj manager: aaroncz ms.localizationpriority: medium ms.service: windows-client -ms.topic: article +ms.topic: conceptual ms.date: 11/23/2022 ms.subservice: itpro-deploy --- diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index 2c3b28dac0..cf038aa4a9 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -7,7 +7,7 @@ manager: aaroncz ms.service: windows-client ms.localizationpriority: medium ms.date: 02/13/2024 -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 89a7b65ab6..876e0dec6c 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -5,7 +5,7 @@ manager: aaroncz ms.author: frankroj author: frankroj ms.service: windows-client -ms.topic: article +ms.topic: conceptual ms.date: 11/23/2022 ms.subservice: itpro-deploy --- diff --git a/windows/deployment/windows-deployment-scenarios.md b/windows/deployment/windows-deployment-scenarios.md index 7666f71041..622b83b41b 100644 --- a/windows/deployment/windows-deployment-scenarios.md +++ b/windows/deployment/windows-deployment-scenarios.md @@ -6,7 +6,7 @@ ms.author: frankroj author: frankroj ms.service: windows-client ms.localizationpriority: medium -ms.topic: article +ms.topic: conceptual ms.date: 02/13/2024 ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/windows-enterprise-e3-overview.md b/windows/deployment/windows-enterprise-e3-overview.md index 292858c4fb..43bfc59332 100644 --- a/windows/deployment/windows-enterprise-e3-overview.md +++ b/windows/deployment/windows-enterprise-e3-overview.md @@ -7,7 +7,7 @@ ms.date: 02/13/2024 author: frankroj ms.author: frankroj manager: aaroncz -ms.topic: article +ms.topic: conceptual ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 diff --git a/windows/deployment/windows-missing-fonts.md b/windows/deployment/windows-missing-fonts.md index 6cee49fa4f..eabee6f44f 100644 --- a/windows/deployment/windows-missing-fonts.md +++ b/windows/deployment/windows-missing-fonts.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz -ms.topic: article +ms.topic: conceptual ms.date: 03/28/2024 ms.subservice: itpro-deploy zone_pivot_groups: windows-versions-11-10 From 456fe07d9f745e8b50194ab469d1dbf4c4700013 Mon Sep 17 00:00:00 2001 
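Review bot: the value this rename settles on, `ms.topic: conceptual`, is not the value the last commit in the same series uses; PATCH 46 changes windows/whats-new/windows-11-prepare.md from `ms.topic: conceptual` to `ms.topic: concept-article`, so after the series lands the same kind of page carries two different topic values. Decide which one the docs platform expects and apply it in this bulk change rather than leaving one file on a different value. Note also that none of these front-matter-only hunks touch `ms.date`, which is consistent across every file in the rename and is fine as long as a metadata-only edit is not meant to count as a content refresh.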
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 16 Jul 2024 14:15:44 -0700 Subject: [PATCH 43/61] Update add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md fix link suggestion --- ...10-deployment-with-windows-pe-using-configuration-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 3e07ef2858..ec5cc1ba59 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -63,7 +63,7 @@ On **CM01**: ## Add drivers for Windows 10 -This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://hp.com/go/clientmanagement). +This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://www.hp.com/solutions/client-management-solutions.html). For the purposes of this section, we assume that you've downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. From 7835ee3cddc619a6b654a439a64231d906b7243e Mon Sep 17 00:00:00 2001 
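Review bot: this one-line link change is reverted verbatim by the next commit, PATCH 44, whose message states that the original `https://hp.com/go/clientmanagement` target was only reported as broken by mistake; squash the two commits together (net zero change) or drop both from the series so the history does not carry a change-and-revert pair for a single line. The replacement target `https://www.hp.com/solutions/client-management-solutions.html` was also not verified anywhere in the commit message, so even on its own this hunk swaps a vendor redirect for an unverified deep link.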
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 16 Jul 2024 14:21:50 -0700 Subject: [PATCH 44/61] Update windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md https://hp.com/go/clientmanagement link incorrectly shows as broken. It is not --- ...10-deployment-with-windows-pe-using-configuration-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index ec5cc1ba59..3e07ef2858 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -63,7 +63,7 @@ On **CM01**: ## Add drivers for Windows 10 -This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://www.hp.com/solutions/client-management-solutions.html). +This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://hp.com/go/clientmanagement). For the purposes of this section, we assume that you've downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. From d8f3b2f9c159f7633669b3b1e05d56e2d631a1d8 Mon Sep 17 00:00:00 2001 
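Review bot: the revert is correct given the commit message, but the reason (the link was wrongly flagged as broken) lives only in this commit; record the false positive wherever link-check exceptions are kept for this repository so the short redirect URL `https://hp.com/go/clientmanagement` is not "fixed" again the next time the check runs. The hunk restores exactly the text that PATCH 43 removed, with the surrounding `## Add drivers for Windows 10` heading and the driver-source path paragraph unchanged.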
From: Aaron Czechowski Date: Tue, 16 Jul 2024 17:26:05 -0700 Subject: [PATCH 45/61] remove desktop analytics --- .../deployment/planning/windows-10-enterprise-faq-itpro.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 9bf7a86f35..3d8e2f154e 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -61,11 +61,6 @@ sections: answer: | Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. - - question: | - Is there an easy way to assess if my organization's devices are ready to upgrade to Windows 10? - answer: | - [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without other infrastructure requirements. This service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. - - name: Administration and deployment questions: - question: | From e5154c6efb74c2a2ecd3570e40b06b8fff23c00d Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 16 Jul 2024 17:26:15 -0700 Subject: [PATCH 46/61] freshness review --- windows/whats-new/windows-11-prepare.md | 109 ++++++++++++------------ 1 file changed, 55 insertions(+), 54 deletions(-) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index e5852e8ce3..a26ceffb43 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md 
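Review bot: the removed FAQ item links to `/mem/configmgr/desktop-analytics/overview`, and the same target is removed from windows-11-prepare.md later in this series (PATCH 46/61); grep the rest of the repo for `desktop-analytics` so no other page is left pointing readers at a retired service. The deletion takes out the complete `- question:` / `answer:` pair, so the `questions:` list in that section stays valid YAML.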
@@ -1,17 +1,17 @@ --- title: Prepare for Windows 11 -description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content. +description: Prepare your infrastructure and tools to deploy Windows 11. ms.service: windows-client author: mestew ms.author: mstewart manager: aaroncz ms.localizationpriority: high -ms.topic: conceptual +ms.topic: concept-article ms.collection: - highpri - tier1 ms.subservice: itpro-fundamentals -ms.date: 12/31/2017 +ms.date: 07/16/2024 appliesto: - ✅ Windows 11 - ✅ Windows 10 
@@ -21,87 +21,89 @@ appliesto: Windows 10 and Windows 11 are designed to coexist so that you can use the same familiar tools and processes to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10. -After you evaluate your hardware to see if it meets [requirements](windows-11-requirements.md) for Windows 11, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes and look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. +After you evaluate your hardware to see if it meets [requirements](windows-11-requirements.md) for Windows 11, it's a good time to review your deployment infrastructure, tools, and overall endpoint and update management processes. Use this review time to look for opportunities to simplify and optimize. This article provides some helpful guidance to accomplish these tasks. ## Infrastructure and tools -The tools that you use for core workloads during Windows 10 deployments can still be used for Windows 11. A few nuanced differences are described below. +The tools that you use for core workloads during Windows 10 deployments can still be used for Windows 11. - > [!IMPORTANT] - > Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows 11, particularly if they provide security or data loss prevention capabilities. +> [!IMPORTANT] +> Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows 11, particularly if they provide security or data loss prevention capabilities. 
-#### On-premises solutions +### On-premises solutions -- If you use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you'll need to sync the new Windows 11 product category. After you sync the product category, you'll see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. +- If you use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you need to sync the Windows 11 product category. After you sync the product category, you'll see Windows 11 offered as an option. If you want to validate Windows 11 builds before their broad release, you can also sync the **Windows Insider Pre-release** category. > [!NOTE] - > During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture. + > During deployment, you'll be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you won't see an x86 option because Windows 11 isn't supported on 32-bit architecture. -- If you use [Microsoft Configuration Manager](/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well. +- If you use [Microsoft Configuration Manager](/mem/configmgr/), you can sync the **Windows 11** product category and begin upgrading eligible devices. If you want to validate Windows 11 builds before their broad release, you can also sync the **Windows Insider Pre-release** category. 
> [!NOTE] - > Configuration Manager will prompt you to accept the Microsoft Software License Terms on behalf of the users in your organization. + > Configuration Manager will prompt you to accept the Microsoft Software License Terms on behalf of the users in your organization. -#### Cloud-based solutions +### Cloud-based solutions -- If you use Windows Update for Business policies, you'll need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great for moving to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically move devices between products (Windows 10 to **Windows 11**). - - If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. - - In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**. +- If you use [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies, you need to use the **Target Version** capability. 
This option is either through policy or the Windows Update for Business deployment service. You need to use this option instead of only using feature update deferrals to upgrade from Windows 10 to Windows 11. Feature update deferrals are great for moving to newer versions of your current product. For example, Windows 10, version 21H2 to version 22H2. They don't automatically move devices between products, for example Windows 10 to Windows 11. - - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product. - - For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version. -- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11, which is true regardless of which management tool you use to configure Windows Update for Business policies. -- If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify **Windows 11**. + - If you use [Microsoft Intune](/mem/intune/) and have a Microsoft 365 E3 license, use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select the latest version of Windows 11 and upgrade Windows 10 devices to Windows 11. 
You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren't ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11. + + - In group policy, **Select target Feature Update version** has two entry fields: **Product Version** and **Target Version**. + + - The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the service offers the device matching versions of the same product. + +- Quality update deferrals continue to work the same across both Windows 10 and Windows 11. This behavior is true regardless of which management tool you use to configure Windows Update for Business policies. > [!NOTE] - > Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy. 
+ > Endpoints managed by Windows Update for Business don't automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) group policy. ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in the [Microsoft Intune family of products](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Intune can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives while protecting user privacy. +The cloud-based management capabilities of the [Microsoft Intune family of products](/mem/endpoint-manager-overview) help consolidate device management and endpoint security into a single platform. Microsoft Intune also supports the diverse bring-your-own-device (BYOD) ecosystem that's common with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives while protecting user data. 
-The following are some common use cases and the corresponding [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) capabilities that support them: +The following are some common use cases and the corresponding [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) capabilities that support them: -- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Professional to Enterprise edition and gain the use of advanced features. The [Windows Autopilot diagnostics page](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page) is a new feature that is available when you use in Windows Autopilot to deploy Windows 11. -- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multifactor authentication (MFA) for specific apps. -- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Intune. +- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/autopilot/) enables you to deploy new Windows 11 devices in a business-ready state that includes your desired applications, settings, and policies. 
It can also be used to change the edition of Windows. For example, you can upgrade from Professional to Enterprise edition and gain the use of advanced features. -If you're exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. +- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in Microsoft Intune, you have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multifactor authentication (MFA) for specific apps. + +- **Streamline device management for frontline, remote, and onsite workers**: [Cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. You can use Microsoft Intune to deploy it to devices running the Pro, Enterprise, and Education editions of Windows 11. + +If you're exclusively using an on-premises device management solution like Configuration Manager, you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. ## Review servicing approach and policies -Every organization will transition to Windows 11 at its own pace. 
Microsoft is committed to supporting you through your migration to Windows 11, whether you're a fast adopter or will make the transition over the coming months or years. +Every organization transitions to Windows 11 at its own pace. Microsoft is committed to supporting you through your migration to Windows 11, whether you're a fast adopter or will make the transition over the coming months or years. -When you think of operating system updates as an ongoing process, you'll automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. +When you think of OS updates as an ongoing process, you improve your ability to deploy updates. This approach enables you to stay current with less effort, and less effect on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace. -Next, craft a deployment plan for **Windows 11** that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is: -- Preview (first or canary): Planning and development -- Limited (fast or early adopters): Pilot and validation -- Broad (users or critical): Wide deployment +Next, craft a deployment plan for Windows 11 that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but the following example is a common structure: -For detailed information, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan). 
+- Preview (first or canary): Planning and development +- Limited (fast or early adopters): Pilot and validation +- Broad (users or critical): Wide deployment -#### Review policies +For more information, see [Create a deployment plan](/windows/deployment/update/create-deployment-plan). -Review deployment-related policies, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly regarding the speed of the update process or security. +### Review policies -#### Validate apps and infrastructure +Review deployment-related policies, and take into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly regarding the speed of the update process or security. -To validate that your apps, infrastructure, and deployment processes are ready for Windows 11, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started), and opt into the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). +### Validate apps and infrastructure -If you use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you can deploy directly from the Windows Insider Pre-release category using one of the following processes: +To validate that your apps, infrastructure, and deployment processes are ready for Windows 11, join the [Windows Insider Program for Business](https://insider.windows.com/for-business-getting-started). Then opt into the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel). -- Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. -- Use Azure Virtual Desktop and Azure Marketplace images. 
-- Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page. +If you use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you can deploy directly from the Windows Insider Prerelease category using one of the following processes: -Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows 11 Preview Builds, once they become available through the Windows Insider Program. +- Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business. +- Use Azure Virtual Desktop and Azure Marketplace images. +- Download and deploy ISOs from Microsoft's Windows Insider Program ISO download page. -#### Analytics and assessment tools +Regardless of the method you choose, you have the benefit of free Microsoft support when validating prerelease builds. Free support is available to any commercial customer deploying Windows 10 or Windows 11 Preview Builds, once they become available through the Windows Insider Program. -If you use Microsoft Intune and have onboarded devices to Endpoint analytics, you'll have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade. +### Analytics and assessment tools -[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) doesn't support Windows 11. You must use [Endpoint analytics](/mem/analytics/overview). +If you use Microsoft Intune and have onboarded devices to [Endpoint analytics](/mem/analytics/overview), you have access to a hardware readiness assessment. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade. ## Prepare a pilot deployment 
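Review bot: the WSUS category is now spelled two ways in the same file: the 'Validate apps and infrastructure' paragraph changes it to 'Windows Insider Prerelease category' while the 'On-premises solutions' bullets still say **Windows Insider Pre-release**; use the exact name WSUS shows in its product list in both places, since admins search for it by that string. In the Windows Update for Business bullets, the rewrite drops the prerequisite that the **Product Version** and **Target Version** fields exist only after the 9/1/2021 optional update (KB5005101) or later, and drops the worked example of a device on version 2004 with only a target version set; if the prerequisite is gone because every supported build now has the two fields, say so in one clause, and keep a one-line example, because the product-field rule is the step that produces an upgrade that silently never happens. Finally, 'For example, Windows 10, version 21H2 to version 22H2.' is a sentence fragment; fold it into the sentence before it.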
@@ -119,19 +121,18 @@ At a high level, the tasks involved are: ## User readiness -Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff for Windows 11: +Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and IT support staff for Windows 11: - Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes. - Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options. - Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices. -## Learn more - -See the [Stay current with Windows 10 and Microsoft 365 Apps](/training/paths/m365-stay-current/) learning path. - -- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11. +For more information and resources, see the [Meet Windows 11](https://support.microsoft.com/meetwindows11) video series. ## See also -[Plan for Windows 11](windows-11-plan.md)
                -[Windows help & learning](https://support.microsoft.com/windows) +[Stay current with Windows devices and Microsoft 365 Apps](/training/paths/m365-stay-current/) + +[Plan for Windows 11](windows-11-plan.md) + +[Windows help & learning for users](https://support.microsoft.com/windows) From f714f1644451cfee8f5d2b2f68808f0cc690565f Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 16 Jul 2024 17:45:01 -0700 Subject: [PATCH 47/61] remove upgrade readiness --- windows/deployment/update/waas-quick-start.md | 4 ++-- ...ws-upgrade-and-migration-considerations.md | 12 ++++------ .../ltsc/whats-new-windows-10-2016.md | 23 ------------------- 3 files changed, 7 insertions(+), 32 deletions(-) diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index adc84ef341..d9c09992b1 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md 
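Review bot: in the 'See also' list the link text changes from 'Stay current with Windows 10 and Microsoft 365 Apps' to 'Stay current with Windows devices and Microsoft 365 Apps' while the URL `/training/paths/m365-stay-current/` is unchanged; confirm the new text matches the learning path's current title. The deleted 'Learn more' bullet, which told readers the path was written for Windows 10 but applies to Windows 11, is no longer stated anywhere on the page; either the retitled link makes that point on its own or a short clause should carry it.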
@@ -44,10 +44,10 @@ For more information, see [Assign devices to servicing channels for Windows clie ## Staying up to date -To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help. +To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products to help with this process. Extensive advanced testing isn't required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. This process repeats with each new feature update. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles. -Other technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. +Other technologies such as [BranchCache](waas-branchcache.md) and [Delivery Optimization](../do/waas-delivery-optimization-setup.md), both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index 48b8e267ec..4e016e066d 100644 
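Review bot: the two new relative links `waas-branchcache.md` and `../do/waas-delivery-optimization-setup.md` in the BranchCache and Delivery Optimization sentence resolve relative to windows/deployment/update/; confirm both files exist at those paths, and consider the root-relative `/windows/...` form used elsewhere in this series, which survives the page being moved. Removing the Upgrade Readiness sentence is consistent with the rest of this patch.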
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -37,13 +37,13 @@ You can use USMT to automate migration during large deployments of the Windows o > [!IMPORTANT] > -> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Microsoft Entra joined devices. +> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Microsoft Entra joined devices. ## Upgrade and migration considerations Whether you're upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: ### Application compatibility -For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades). +For more information about application compatibility in Windows, see [Windows compatibility cookbook](/windows/compatibility/). ### Multilingual Windows image upgrades When performing multilingual Windows upgrades, cross-language upgrades aren't supported by USMT. If you're upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English. 
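Review bot: the `> USMT only supports devices that are joined to a local Active Directory domain...` line is shown as changed but reads identically, so this is a whitespace-only change (most likely trailing whitespace); fine to keep, but say so in the commit message so reviewers don't hunt for a wording change. The Application compatibility link now points at `/windows/compatibility/` instead of the retired Upgrade Readiness page, and the lead-in sentence 'For more information about application compatibility in Windows' still fits that target.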
@@ -58,11 +58,9 @@ During the configuration pass of Windows Setup, the root access control list (AC Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature: -``` syntax -Key: HKLM\System\Setup -Type: REG_DWORD -Value: "DDACLSys_Disabled" = 1 -``` +`Key: HKLM\System\Setup` +`Type: REG_DWORD` +`Value: "DDACLSys_Disabled" = 1` This feature is disabled if this registry key value exists and is configured to `1`. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index df08af61c1..315ac95603 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md 
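Review bot: replacing the fenced block with three single-backtick lines breaks the layout: in Markdown, consecutive lines with no blank line between them join into one paragraph, so `Key: HKLM\System\Setup`, `Type: REG_DWORD` and `Value: "DDACLSys_Disabled" = 1` will render on a single line. If the goal was to get rid of the non-standard ``` syntax fence tag, use a plain ```text fence instead, or turn the three lines into a bullet list. Keeping them visually distinct matters here because the value turns off a security-relevant default (Windows Setup applying the default root ACLs) and a reader copying it should see key, type and value as separate items.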
@@ -34,29 +34,6 @@ Windows ICD now includes simplified workflows for creating provisioning packages [Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) -### Windows Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a General Availability Channel release. - -Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft's experience upgrading millions of devices to Windows 10. - -With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready. - -[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - ## Security ### Credential Guard and Device Guard 
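Review bot: deleting the whole 'Windows Upgrade Readiness' section from whats-new-windows-10-2016.md removes a feature from a historical what's-new page while its sibling sections (Windows ICD, Credential Guard and Device Guard) stay; consider replacing the section with a one-line statement that Upgrade Readiness has been retired, pointing at the replacement this series uses elsewhere (Endpoint analytics in PATCH 46/61), rather than removing it silently. The IMPORTANT note about LTSC not being available as a target version goes with it, which is fine once the service is gone.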
From 69d2658ac478b9da45c43cb871da402b9405eeeb Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 16 Jul 2024 17:48:16 -0700 Subject: [PATCH 48/61] move edit to editable section --- windows/client-management/mdm/policy-csp-devicelock.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 02737a3f65..5e224a19a5 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -429,10 +429,11 @@ Specifies whether device lock is enabled. > - DevicePasswordHistory > - MaxDevicePasswordFailedAttempts > - MaxInactivityTimeDeviceLock - [!NOTE] -DevicePasswordExpiration is not supported through MDMWinsOverGP. +> DevicePasswordExpiration isn't supported through MDMWinsOverGP. + + **Description framework properties**: From b3f6573e4eaf4e6ca0d9fe75e573879732968b37 Mon Sep 17 00:00:00 2001 From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com> Date: Wed, 17 Jul 2024 13:37:04 +0530 Subject: [PATCH 49/61] Fixed markdown for Note --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 5e224a19a5..fbc47a783d 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -430,7 +430,7 @@ Specifies whether device lock is enabled. > - MaxDevicePasswordFailedAttempts > - MaxInactivityTimeDeviceLock -[!NOTE] +> [!NOTE] > DevicePasswordExpiration isn't supported through MDMWinsOverGP. From 8c7dcfd22a18eafc7bc4b395a49dbfd640742297 Mon Sep 17 00:00:00 2001 
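Review bot: in PATCH 48/61 the `[!NOTE]` marker stays as a bare line while only the sentence beneath it gains the `>` prefix, so the alert syntax never triggers, and the blank line removed above it makes `[!NOTE]` a lazy continuation of the preceding `> - MaxInactivityTimeDeviceLock` blockquote. Both lines need the `>` prefix, with a blank line before `> [!NOTE]`; the two extra blank lines added before **Description framework properties** can also go.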
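Review bot: in PATCH 49/61 the change to `> [!NOTE]` is the right fix, but as the hunk reads the note directly follows `> - MaxInactivityTimeDeviceLock` with no blank line between them, which merges the alert into the preceding dependency blockquote. Add a blank line before `> [!NOTE]` so it renders as its own callout.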
From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com> Date: Wed, 17 Jul 2024 15:21:00 -0700 Subject: [PATCH 50/61] Update windowsadvancedthreatprotection-csp.md --- .../mdm/windowsadvancedthreatprotection-csp.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 040365664e..171a60f503 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -17,6 +17,11 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| +> [!IMPORTANT] +> Windows 11 Home devices that have been upgraded to one of the below mentioned applicable editions might require you to run the following command before onboarding: +> `DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~`. +> For more information about edition upgrades and features, see [Features](/windows-hardware/manufacture/desktop/windows-features?view=windows-11&preserve-view=true)) + The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. The following example shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). From dd1e19263a2563b1f1936e6deaa77781149da692 Mon Sep 17 00:00:00 2001 From: Phil Garcia Date: Wed, 17 Jul 2024 16:55:04 -0700 Subject: [PATCH 51/61] Update waas-delivery-optimization-reference.md Fixed typo. --- windows/deployment/do/waas-delivery-optimization-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
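Review bot: the link in the last `+` line ends with a doubled `))`, which leaves a stray parenthesis in the rendered text, and the inline DISM command has a period appended inside the same line, which readers may copy as part of the command. Also, the applicability table this note refers to is above the note, not below, so `one of the below mentioned applicable editions` points the wrong way; `one of the applicable editions in the preceding table` is accurate.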
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index cf03e3d310..f0c45b4832 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md 
@@ -87,8 +87,8 @@ All cached files have to be above a set minimum size. This size is automatically More options available that control the impact Delivery Optimization has on your network include the following settings: - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network. -- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth*hat Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. -- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the **maximum background download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. +- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. +- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. 
- [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select. From c7e9f009b809ac8d6e903a655a34e9ac17ce76f7 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 18 Jul 2024 10:02:07 -0400 Subject: [PATCH 52/61] Addition of PCR 4 --- .../bitlocker/countermeasures.md | 18 ++++++++++++++++-- ...low-secure-boot-for-integrity-validation.md | 5 ++++- ...-for-native-uefi-firmware-configurations.md | 2 ++ 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md index 13b8fb7c50..2b7377479e 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md 
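Review bot: the unchanged lead-in line `More options available that control the impact Delivery Optimization has on your network include the following settings:` is missing a verb and could be fixed in the same pass, for example `Other options that control the impact ...`. The `bandwidth*hat` correction and dropping the stray bold in the background-bandwidth item are correct and make the two bullets parallel.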
@@ -92,9 +92,23 @@ Therefore, organizations that use BitLocker might want to use Hibernate instead ### Tricking BitLocker to pass the key to a rogue operating system -An attacker might modify the boot manager configuration database (BCD), which is stored on a nonencrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code makes sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. +An attacker might modify the boot manager configuration database (BCD), which is stored on a nonencrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code makes sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in PCR 5. -An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This can't succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0. To successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. 
Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key. +An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware, and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This can't succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0. To successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue), it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key. + +To prevent boot manger roll-back attacks, Windows updates released on and after July 2024 changed the default PCR Validation Profile for **UEFI with Secure Boot** from `7, 11` to `4, 7, 11`. + +The PCR values map to: + +- `PCR 4: Boot Manager` +- `PCR 7: Secure Boot State` +- `PCR 11: BitLocker access control` + +> [!TIP] +> To check what PCRs are in use, execute the following command: +> ```cmd +> manage-bde.exe -protectors -get c: +> ``` ## Attacker countermeasures diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-secure-boot-for-integrity-validation.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-secure-boot-for-integrity-validation.md index 853270403b..fbcf599ccc 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-secure-boot-for-integrity-validation.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-secure-boot-for-integrity-validation.md 
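Review bot: `boot manger` in the new paragraph should be `boot manager` (the same misspelling is repeated in both include files in this patch). The three PCR list items are wrapped entirely in backticks, which renders prose such as `Boot Manager` as code; at most the register name (`PCR 4`) warrants code formatting. Shortening `Platform Configuration Register (PCR) 5` to `PCR 5` also drops the acronym expansion, which should stay if this is its first use in the article. A one-clause explanation of what a boot manager rollback attack is (booting an older boot manager whose measurement the new PCR 4 binding no longer matches) would tell readers why PCR 4 was added to the default profile, and the TIP could mention that `manage-bde.exe` needs an elevated prompt.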
@@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 10/30/2023 +ms.date: 07/18/2024 ms.topic: include --- @@ -26,3 +26,6 @@ When this policy is enabled and the hardware is capable of using Secure Boot for |--|--| | **CSP** | Not available | | **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** | + +> [!NOTE] +> To prevent boot manger roll-back attacks, Windows updates released on and after July 2024 changed the default PCR Validation Profile for **UEFI with Secure Boot** from `7, 11` to `4, 7, 11`. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md index cb43d10a8c..fd61b353fa 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md @@ -26,6 +26,8 @@ A platform validation profile consists of a set of PCR indices ranging from 0 to > [!NOTE] > When Secure Boot State (PCR7) support is available, the default platform validation profile secures the encryption key using Secure Boot State (PCR 7) and the BitLocker access control (PCR 11). +> +> To prevent boot manger roll-back attacks, Windows updates released on and after July 2024 changed the default PCR Validation Profile for **UEFI with Secure Boot** from `7, 11` to `4, 7, 11`. The following list identifies all of the available PCRs: From 699d28803a6d5031c13bc90b14358f24ccbd4f6c Mon Sep 17 00:00:00 2001 
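Review bot: `boot manger` in the note added to allow-secure-boot-for-integrity-validation.md should be `boot manager`. The sentence is also pasted verbatim into countermeasures.md and configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md in this same patch; since these are already include files, a single shared include for the July 2024 default change would keep the three copies from drifting.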
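Review bot: in configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md the existing first sentence of the note still says the default platform validation profile uses Secure Boot State (PCR 7) and BitLocker access control (PCR 11), while the paragraph added directly beneath it says the default changed to `4, 7, 11`; read together, the note contradicts itself. Update the first sentence, for example `... secures the encryption key using Boot Manager (PCR 4), Secure Boot State (PCR 7) and BitLocker access control (PCR 11)`, or qualify it as the default before the July 2024 updates. `boot manger` here should also be `boot manager`.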
From: Aaron Czechowski Date: Thu, 18 Jul 2024 10:28:50 -0700 Subject: [PATCH 53/61] editorial revision --- .../mdm/windowsadvancedthreatprotection-csp.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 171a60f503..c0d23cc517 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -18,9 +18,11 @@ The table below shows the applicability of Windows: |Education|Yes|Yes| > [!IMPORTANT] -> Windows 11 Home devices that have been upgraded to one of the below mentioned applicable editions might require you to run the following command before onboarding: -> `DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~`. -> For more information about edition upgrades and features, see [Features](/windows-hardware/manufacture/desktop/windows-features?view=windows-11&preserve-view=true)) +> Windows 11 Home devices that have been upgraded to one of the below mentioned applicable editions might require you to run the following command before onboarding: +> +> `DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~` +> +> For more information about edition upgrades and features, see [Customize Windows features](/windows-hardware/manufacture/desktop/windows-features?view=windows-11&preserve-view=true). The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. From 1b4a528d9c382ce185c8e3fa151ee990ca9462e4 Mon Sep 17 00:00:00 2001 
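Review bot: `one of the below mentioned applicable editions` still points the wrong direction after this revision, since the applicability table sits above the note; `one of the applicable editions listed in the preceding table` fixes it. Splitting the DISM command onto its own `>` line, dropping the trailing period so it isn't copied as part of the command, and the corrected link text are all fine.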
From: Zoe Liu <89218764+xinpli@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:59:17 -0700 Subject: [PATCH 54/61] Learn Editor: Update wds-boot-support.md --- windows/deployment/wds-boot-support.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 0b09a07b84..61403f154f 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md 
@@ -35,17 +35,16 @@ The following table provides support details for specific deployment scenarios. |--- |--- |--- |--- |--- |--- | |**Windows 11**|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.| |**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| +|**Windows Server 2025**|Not supported.|Not supported.|Not supported.|Not supported.|Not supported.| |**Windows Server 2022**|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Not supported.| |**Windows Server 2019**|Supported, using a boot image from Windows 10, version 1809 or later.|Supported.|Supported.|Not supported.|Not supported.| |**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.| +> [!NOTE] +> Since WS2025 does not support WDS **boot.wim** deployment scenarios anymore, you will see error message "A media driver your computer needs is missing. This could be a DVD, USB or Hard disk driver. If you have a CD, DVD, or USB flash drive with the driver on it, please insert it now.". ## Reason for the change -Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images. - -> [!NOTE] -> -> [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) only supports deployment of Windows 10. It doesn't support deployment of Windows 11. For more information, see [Supported platforms](/mem/configmgr/mdt/release-notes#supported-platforms). 
+Alternatives to WDS, [Microsoft Configuration Manager](/mem/configmgr/) provide a better, more flexible, and feature-rich experience for deploying Windows images. ## Not affected From 4a0a64d760558014826e36e9df31244e09b55221 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 19 Jul 2024 10:39:48 -0400 Subject: [PATCH 56/61] Style changes Minor style and grammar corrections. Also took the opportunity to perform additional improvements to the article including running it through Acrolinx. --- windows/deployment/wds-boot-support.md | 49 +++++++++++++++----------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 61403f154f..a305d1969b 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -7,7 +7,7 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.topic: conceptual -ms.date: 04/25/2024 +ms.date: 07/19/2024 ms.subservice: itpro-deploy appliesto: - ✅ Windows 11 
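Review bot: the rewritten sentence `Alternatives to WDS, [Microsoft Configuration Manager](/mem/configmgr/) provide ...` no longer parses once the MDT reference is dropped; `Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/), provide ...` keeps the grammar. In the new note, `WS2025` is an abbreviation the article doesn't use anywhere else (the table spells out `Windows Server 2025`), the quoted error message ends with a period inside the quotes followed by a second period, and `does not`/`you will` should be `doesn't`/`you'll` to match the contraction style of the surrounding text (`doesn't` appears in the lines just below).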
@@ -21,47 +21,56 @@ appliesto: The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode is no longer supported. -When you PXE-boot from a WDS server that uses the **boot.wim** file from installation media as its boot image, Windows Setup automatically launches in WDS mode. This workflow is deprecated for Windows 11 and newer boot images. The following deprecation message is displayed: +When PXE booting from a WDS server that uses the **boot.wim** file from installation media as its boot image, Windows Setup automatically launches in WDS mode. This workflow is deprecated for Windows 11 and newer boot images. The following deprecation message is displayed: > Windows Setup > -> Windows Deployment Services client functionality is being partly deprecated. Please visit https://aka.ms/WDSSupport for more details on what is deprecated and what will continue to be supported. +> Windows Deployment Services client functionality is being partly deprecated. Please visit https://aka.ms/WDSSupport for more details on what is deprecated and what is still supported. ## Deployment scenarios affected The following table provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows. 
-|Windows Version being deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11| -|--- |--- |--- |--- |--- |--- | -|**Windows 11**|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.| -|**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| -|**Windows Server 2025**|Not supported.|Not supported.|Not supported.|Not supported.|Not supported.| -|**Windows Server 2022**|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Not supported.| -|**Windows Server 2019**|Supported, using a boot image from Windows 10, version 1809 or later.|Supported.|Supported.|Not supported.|Not supported.| -|**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.| +| Windows Version being deployed | Boot.wim from Windows 10 | Boot.wim from Windows Server 2016 | Boot.wim from Windows Server 2019 | Boot.wim from Windows Server 2022 | Boot.wim from Windows 11 | +| --- | --- | --- | --- | --- | --- | +| **Windows 11** | Not supported, blocked. | Not supported, blocked. | Not supported, blocked. |Not supported, blocked. | Not supported, blocked. | +| **Windows 10** | Supported, using a boot image from matching or newer version. | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions). 
| Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions).| Not supported. | Not supported. | +| **Windows Server 2025** | Not supported. | Not supported. | Not supported. | Not supported. | Not supported. | +| **Windows Server 2022** | Deprecated, with a warning message. | Deprecated, with a warning message. | Deprecated, with a warning message. | Deprecated, with a warning message. | Not supported. | +| **Windows Server 2019** | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions). | Supported. | Supported. | Not supported. | Not supported. | +| **Windows Server 2016** | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions). |Supported. | Not supported. | Not supported. | Not supported. | > [!NOTE] -> Since WS2025 does not support WDS **boot.wim** deployment scenarios anymore, you will see error message "A media driver your computer needs is missing. This could be a DVD, USB or Hard disk driver. If you have a CD, DVD, or USB flash drive with the driver on it, please insert it now.". +> +> The following error message might be displayed when attempting to use **boot.wim** on WDS running on Windows Server 2025: +> +> `A media driver your computer needs is missing. This could be a DVD, USB or Hard disk driver. If you have a CD, DVD, or USB flash drive with the driver on it, please insert it now.` +> +> An error message is expected since using **boot.wim** on WDS running on Windows Server 2025 isn't supported. + ## Reason for the change -Alternatives to WDS, [Microsoft Configuration Manager](/mem/configmgr/) provide a better, more flexible, and feature-rich experience for deploying Windows images. 
+Alternatives to WDS, [Microsoft Configuration Manager](/mem/configmgr/) provides a better, more flexible, and feature-rich experience for deploying Windows images. ## Not affected -This change doesn’t affect WDS PXE boot. You can still use WDS to PXE boot devices with custom boot images, but you can't use **boot.wim** as the boot image and run Windows Setup in WDS mode. +This change doesn't affect WDS PXE boot. WDS can still be used to PXE boot devices with custom boot images, but **boot.wim** can't be used as the boot image and run Windows Setup in WDS mode. -You can still run Windows Setup from a network share. This change doesn't change Workflows that use a custom boot.wim, such as MDT or Configuration Manager. +Windows Setup can still run from a network share. This change doesn't change Workflows that use a custom boot.wim, such as MDT or Configuration Manager. ## Summary -- Windows 11 workflows that rely on **boot.wim** from installation media are blocked. You can't perform an end to end deployment of Windows 11 using only WDS. +- Windows 11 workflows that rely on **boot.wim** from installation media are blocked. An end to end deployment of Windows 11 using only WDS can't be performed. + - This change doesn't affect Windows 10, Windows Server 2019, and previous operating system versions. + - Windows Server 2022 workflows that rely on **boot.wim** from installation media show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked. + - Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked. -If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. 
+If WDS is being used with **boot.wim** from installation media for end-to-end operating system deployment, and the OS version isn't supported, deprecated, or blocked, Microsoft recommends using deployment tools such as Microsoft Configuration Manager, or a non-Microsoft solution that uses a custom boot.wim image. -## Also see +## Related content -- [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing) -- [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) +- [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing). +- [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md). From f8f1ed36c771b66219f12fb7d2fe5c267152e75b Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 19 Jul 2024 10:43:46 -0400 Subject: [PATCH 57/61] Additional updates Additional corrections and updates --- windows/deployment/wds-boot-support.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index a305d1969b..1bd67de045 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md 
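Review bot: `Alternatives to WDS, [Microsoft Configuration Manager](/mem/configmgr/) provides ...` is still ungrammatical after this revision (plural subject `Alternatives`, singular verb, and `such as` still missing); `Alternatives to WDS, such as ..., provide ...` is the fix. Other points in this hunk: `end to end deployment` in the summary should be hyphenated `end-to-end`, as the same hunk writes `end-to-end operating system deployment` a few lines later; `Workflows` is capitalized mid-sentence in the Not affected section; and the Windows 10 row of the table replaces the specific `version 1607 or later` and `version 1809 or later` boot image requirements for the Server 2016 and Server 2019 columns with `a currently supported version of Windows 10`, which is a change in meaning rather than a style edit and should be called out in the commit message if intended.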
@@ -50,13 +50,13 @@ The following table provides support details for specific deployment scenarios. ## Reason for the change -Alternatives to WDS, [Microsoft Configuration Manager](/mem/configmgr/) provides a better, more flexible, and feature-rich experience for deploying Windows images. +Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/), provide a better, more flexible, and feature-rich experience for deploying Windows images. ## Not affected This change doesn't affect WDS PXE boot. WDS can still be used to PXE boot devices with custom boot images, but **boot.wim** can't be used as the boot image and run Windows Setup in WDS mode. -Windows Setup can still run from a network share. This change doesn't change Workflows that use a custom boot.wim, such as MDT or Configuration Manager. +Windows Setup can still run from a network share. This change doesn't change Workflows that use a custom boot.wim, such as Microsoft Deployment Toolkit (MDT) or Microsoft Configuration Manager. ## Summary @@ -73,4 +73,4 @@ If WDS is being used with **boot.wim** from installation media for end-to-end op ## Related content - [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing). -- [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md). +- [Create a custom Windows PE boot image with ](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md). From a75c91823d123629f3ab24248e35f5ec1a973ee1 Mon Sep 17 00:00:00 2001 
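Review bot: in the Not affected hunk, naming `Microsoft Deployment Toolkit (MDT)` as an unaffected workflow comes right after PATCH 54/61 removed the note that MDT only supports deployment of Windows 10; a short caveat to that effect would keep the article from implying MDT is a path to Windows 11. `Workflows` is still capitalized mid-sentence in the same line.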
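Review bot: in the Related content hunk the link text is truncated to `Create a custom Windows PE boot image with ` (with a trailing space), so the rendered link reads as an unfinished sentence; it should keep `Configuration Manager` at the end of the text.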
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 19 Jul 2024 10:49:38 -0400 Subject: [PATCH 58/61] Update related link Removed related link that is going to be taken down soon and replaced with a more relevant link from the Configuration Manager docs. --- windows/deployment/wds-boot-support.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 1bd67de045..182f55c874 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -50,7 +50,7 @@ The following table provides support details for specific deployment scenarios. ## Reason for the change -Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/), provide a better, more flexible, and feature-rich experience for deploying Windows images. +Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/osd/understand/introduction-to-operating-system-deployment), provide a better, more flexible, and feature-rich experience for deploying Windows images. ## Not affected @@ -73,4 +73,4 @@ If WDS is being used with **boot.wim** from installation media for end-to-end op ## Related content - [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing). -- [Create a custom Windows PE boot image with ](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md). +- [Customize boot images with Configuration Manager](/mem/configmgr/osd/get-started/customize-boot-images). From ff6ccaca876c4a1037db7a7f04a741b89437083e Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 19 Jul 2024 09:11:48 -0600 Subject: [PATCH 59/61] Update windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md --- .../windows-sandbox/windows-sandbox-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md index a59d65972c..8d8f873a38 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md @@ -36,7 +36,7 @@ Windows Sandbox has the following properties: > [!NOTE] > Windows Sandbox is currently not supported on Windows Home edition. -> Beginning in Windows 11 24H2, or build version 26100, all inbox store apps like calculator, photos, notepad and terminal will not be available inside Windows Sandbox. Ability to use the apps will be added soon. +> Beginning in Windows 11, version 24H2, all inbox store apps like calculator, photos, notepad and terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon. ## Installation 1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11. From 5cd9a01edf5481197cf82b34dbc4208047132c30 Mon Sep 17 00:00:00 2001 
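Review bot: the app names in the reworded line (`calculator, photos, notepad and terminal`) are product names and should be capitalized (Calculator, Photos, Notepad, Terminal); `are not available` should be `aren't available` to match the contraction style used across this series; and `Ability to use these apps will be added soon` needs an article and a less open-ended time frame, for example `The ability to use these apps will be added in a future update`. Dropping `or build version 26100` also removes the one concrete identifier a reader could check with `winver`; keeping it in parentheses costs nothing.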
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Fri, 19 Jul 2024 14:39:38 -0700 Subject: [PATCH 60/61] Retire "Enhanced diagnostic data" article --- ...ing.redirection.windows-configuration.json | 2 +- ...ublishing.redirection.windows-privacy.json | 5 + windows/configuration/wcd/wcd-policies.md | 2 +- ...ata-windows-analytics-events-and-fields.md | 424 ------------------ windows/privacy/toc.yml | 2 - 5 files changed, 7 insertions(+), 428 deletions(-) delete mode 100644 windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json index b5f046f434..abeb93b128 100644 --- a/.openpublishing.redirection.windows-configuration.json +++ b/.openpublishing.redirection.windows-configuration.json @@ -37,7 +37,7 @@ }, { "source_path": "windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md", - "redirect_url": "/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields", + "redirect_url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136", "redirect_document_id": false }, { diff --git a/.openpublishing.redirection.windows-privacy.json b/.openpublishing.redirection.windows-privacy.json index 3bbff994f7..53cc97b7c2 100644 --- a/.openpublishing.redirection.windows-privacy.json +++ b/.openpublishing.redirection.windows-privacy.json 
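Review bot: The `redirect_url` in the `.openpublishing.redirection.windows-configuration.json` hunk changes from a docs-relative path to an external Tech Community blog URL whose slug says "preview" (`preview-app-and-driver-compatibility-insights-in-endpoint`); a preview blog post is a weak permanent redirect target for a retired reference article, and the commit message ("Retire ... article") does not say why this destination was chosen. Please either point at a Learn page that covers the replacement feature or explain the choice in the commit message, and confirm `redirect_document_id: false` is the required value for a cross-site target.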
@@ -54,6 +54,11 @@ "source_path": "windows/privacy/windows-personal-data-services-configuration.md", "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", "redirect_document_id": false + }, + { + "source_path": "/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md", + "redirect_url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136", + "redirect_document_id": false } ] } diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 68c83b8121..dda5503d8b 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md 
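Review bot: The added `source_path` in the `.openpublishing.redirection.windows-privacy.json` hunk starts with a leading slash (`"/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md"`), unlike the sibling entry in the unchanged context directly above (`"windows/privacy/windows-personal-data-services-configuration.md"`) and unlike the entry added to the windows-configuration redirection file in the previous hunk; a path that does not match the repository-relative form the other entries use will not be matched, and the retired article will 404 instead of redirecting. Drop the leading slash.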
@@ -455,7 +455,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✅ | | | | | DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✅ | | | | | [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✅ | | | | -| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus other enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. 
| ✅ | | | | +| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus other enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✅ | | | | ## TextInput diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md deleted file mode 100644 index c31afd7cdc..0000000000 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ /dev/null 
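Review bot: The `wcd-policies.md` row hunk makes an unrelated change alongside the retirement: the `policy-csp-system` link anchor moves from `#system-limitenhanceddiagnosticdatawindowsanalytics` to `#limitenhanceddiagnosticdatawindowsanalytics`, which the commit message does not mention; verify the new anchor exists on the target page and call the anchor fix out in the message, or split it into its own commit. Removing the "These events are documented in ..." sentence is correct now that the target article is deleted, but the row still tells readers a specific set of events "are required for Windows Analytics" with nowhere left to look them up; consider adding a short clause that Windows Analytics and Desktop Analytics are retired, matching the IMPORTANT block in the article this patch deletes.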
@@ -1,424 +0,0 @@ ---- -title: Enhanced diagnostic data required by Windows Analytics (Windows 10) -description: Use this article to learn more about the limit enhanced diagnostic data events policy used by Desktop Analytics -ms.service: windows-client -ms.subservice: itpro-privacy -ms.localizationpriority: high -author: DHB-MSFT -ms.author: danbrown -manager: laurawi -ms.date: 10/12/2017 -ms.topic: reference ---- - - -# Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy - - **Applies to** - -- Windows 10, version 1709 and newer - -> [!IMPORTANT] -> - The Upgrade Readiness and Device Health solutions of Windows Analytics were retired on January 31, 2020. -> - Desktop Analytics is deprecated and was retired on November 30, 2022. - -Desktop Analytics reports are powered by diagnostic data not included in the Basic level. - -In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only the events described below. The Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). - -With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will not include Office related diagnostic data. - -## KernelProcess.AppStateChangeSummary -This event summarizes application usage and performance characteristics to help Microsoft improve performance and reliability. Organizations can use this event with Desktop Analytics to gain insights into application reliability. 
- -The following fields are available: - -- **CommitChargeAtExit_Sum:** Total memory commit charge for a process when it exits -- **CommitChargePeakAtExit_Sum**: Total peak memory commit charge for a process when it exits -- **ContainerId:** Server Silo Container ID -- **CrashCount:** Number of crashes for a process instance -- **CycleCountAtExit_Sum:** Total processor cycles for a process when it exited -- **ExtraInfoFlags:** Flags indicating internal states of the logging -- **GhostCount_Sum:** Total number of instances where the application stopped responding -- **HandleCountAtExit_Sum:** Total handle count for a process when it exits -- **HangCount_Max:** Maximum number of hangs detected -- **HangCount_Sum:** Total number of application hangs that are detected -- **HardFaultCountAtExit_Sum:** Total number of hard page faults detected for a process when it exits -- **HeartbeatCount:** Heartbeats logged for this summary -- **HeartbeatSuspendedCount:** Heartbeats logged for this summary where the process was suspended -- **LaunchCount:** Number of process instances started -- **LicenseType:** Reserved for future use -- **ProcessDurationMS_Sum:** Total duration of wall clock process instances -- **ReadCountAtExit_Sum:** Total IO reads for a process when it exited -- **ReadSizeInKBAtExit_Sum:** Total IO read size for a process when it exited -- **ResumeCount:** Number of times a process instance has resumed -- **RunningDurationMS_Sum:** Total uptime -- **SuspendCount:** Number of times a process instance was suspended -- **TargetAppId:** Application identifier -- **TargetAppType:** Application type -- **TargetAppVer:** Application version -- **TerminateCount:** Number of times a process terminated -- **WriteCountAtExit_Sum:** Total number of IO writes for a process when it exited -- **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited - -## Microsoft.Office.TelemetryEngine.IsPreLaunch -Applicable for Office UWP applications. 
This event is fired when an Office application is initiated for the first-time post upgrade/install from the store. It's part of basic diagnostic data. It's used to track whether a particular session is a launch session or not. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **SessionID:** ID of the session - -## Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart -This event sends basic information upon the start of a new Office session. It's used to count the number of unique sessions seen on a given device. The event is used as a heartbeat event to ensure that the application is running on a device. In addition, it serves as a critical signal for overall application reliability. - -- **AppSessionGuid:** ID of the session that maps to the process of the application -- **processSessionId:** ID of the session that maps to the process of the application - -## Microsoft.Office.TelemetryEngine.SessionHandOff -Applicable to Win32 Office applications. This event helps us understand whether there was a new session created to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal and ensure that the application is working as expected. 
- -- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **childSessionID:** ID of the session that was created to handle the user initiated file open -- **parentSessionId:** ID of the session that was already running - -## Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata -Collects Office metadata through UTC to compare with equivalent data collected through the Office telemetry pipeline to check correctness and completeness of data. - -- **abConfigs:** List of features enabled for this session -- **abFlights:** List of features enabled for this session -- **AppSessionGuid:** ID of the session -- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRevision:** Fourth part of the version *.*.*.XXXXX -- **audienceGroup:** Is this group part of the insiders or production? -- **audienceId:** ID of the audience setting -- **channel:** Are you part of Semi annual channel or Semi annual channel-Targeted? -- **deviceClass:** Is this device a desktop device or a mobile device? -- **impressionId:** What features were available to you in this session -- **languageTag:** Language of the app -- **officeUserID:** A unique identifier tied to the office installation on a particular device. -- **osArchitecture:** Is the machine 32 bit or 64 bit? -- **osEnvironment:** Is this app a win32 app or a UWP app? -- **osVersionString:** Version of the OS -- **sessionID:** ID of the session - -## Microsoft.Office.ClickToRun.UpdateStatus -Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details). 
- -- **build:** App version -- **channel:** Is this part of GA Channel? -- **errorCode:** What error occurred during the upgrade process? -- **errorMessage:** what was the error message during the upgrade process? -- **status:** Was the upgrade successful or not? -- **targetBuild:** What app version were we trying to upgrade to? - -## Microsoft.Office.TelemetryEngine.FirstIdle -This event is fired when the telemetry engine within an office application is ready to send telemetry. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.FirstProcessed -This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.FirstRuleRequest -This event is fired when the telemetry engine within an office application has received the first rule or list of events that need to be sent by the app. Used for understanding whether there are issues in telemetry. 
- -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.Init -This event is fired when the telemetry engine within an office application has been initialized or not. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.Resume -This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life cycle. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **maxSequenceIdSeen:** How many events from this session have seen so far? -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.RuleRequestFailed -This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events. Used for understanding whether there are issues in telemetry. 
- -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline -This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events, when the device is offline. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.ShutdownComplete -This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **maxSequenceIdSeen:** How many events from this session have seen so far? -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? 
-- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.ShutdownStart -This event is fired when the telemetry engine within an office application has been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? -- **SessionID:** ID of the session - -## Microsoft.Office.TelemetryEngine.SuspendComplete -This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry. - -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **maxSequenceIdSeen:** How many events from this session have seen so far? -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? -- **SessionID:** ID of the session -- **SuspendType:** Type of suspend - -## Microsoft.Office.TelemetryEngine.SuspendStart -This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life cycle. 
- -- **appVersionBuild:** Third part of the version *.*.XXXXX.* -- **appVersionMajor:** First part of the version X.*.*.* -- **appVersionMinor:** Second part of the version *.X.*.* -- **appVersionRev:** Fourth part of the version *.*.*.XXXXX -- **maxSequenceIdSeen:** How many events from this session have seen so far? -- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user -- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? -- **SessionID:** ID of the session -- **SuspendType:** Type of suspend - -## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop -This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve sign-in reliability. Using this event with Desktop Analytics can help organizations monitor and improve sign-in success for different methods (for example, biometric) on managed devices. - -The following fields are available: - -- **CredTileProviderId:** ID of the Credential Provider -- **IsConnectedUser:** Flag indicating whether a user is connected or not -- **IsPLAPTile:** Flag indicating whether this credential tile is a pre-logon access provider or not -- **IsRemoteSession:** Flag indicating whether the session is remote or not -- **IsV2CredProv:** Flag indicating whether the credential provider of V2 or not -- **OpitonalStatusText:** Status text -- **ProcessImage:** Image path to the process -- **ProviderId:** Credential provider ID -- **ProviderStatusIcon:** Indicates which status icon should be displayed -- **ReturnCode:** Output of the ReportResult function -- **SessionId:** Session identifier -- **Sign-in error status:** The sign-in error status -- **SubStatus:** Sign-in error substatus -- **UserTag:** Count of the number of times a user has selected a provider - -## Microsoft.Windows.Kernel.Power.OSStateChange -This event denotes the transition between operating system states (On, Off, 
Sleep, etc.). By using this event with Desktop Analytics, organizations can monitor reliability and performance of managed devices. - -The following fields are available: - -- **AcPowerOnline:** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power. -- **ActualTransitions:** The number of transitions between operating system states since the last system boot -- **BatteryCapacity:** Maximum battery capacity in mWh -- **BatteryCharge:** Current battery charge as a percentage of total capacity -- **BatteryDischarging:** Flag indicating whether the battery is discharging or charging -- **BootId:** Total boot count since the operating system was installed -- **BootTimeUTC:** Date and time of a particular boot event (identified by BootId) -- **EnergyChangeV2:** A snapshot value in mWh reflecting a change in power usage -- **EnergyChangeV2Flags:** Flags for disambiguating EnergyChangeV2 context -- **EventSequence:** A sequential number used to evaluate the completeness of the data -- **LastStateTransition:** ID of the last operating system state transition -- **LastStateTransitionSub:** ID of the last operating system substate transition -- **StateDurationMS:** Number of milliseconds spent in the last operating system state -- **StateTransition:** ID of the operating system state the system is transitioning to -- **StateTransitionSub:** ID of the operating system substate the system is transitioning to -- **TotalDurationMS:** Total time (in milliseconds) spent in all states since the last boot -- **TotalUptimeMS:** Total time (in milliseconds) the device was in Up or Running states since the last boot -- **TransitionsToOn:** Number of transitions to the Powered On state since the last boot -- **UptimeDeltaMS:** Total time (in milliseconds) added to Uptime since the last event - -## Microsoft.Windows.LogonController.LogonAndUnlockSubmit -Sends details of the user attempting to sign into or unlock the device. 
- -The following fields are available: - -- **isSystemManagedAccount:** Indicates if the user's account is System Managed -- **isUnlockScenario:** Flag indicating whether the event is a Logon or an Unlock -- **userType:** Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft Account; 4 = Azure Active Directory user - -## Microsoft.Windows.LogonController.SignInFailure -Sends details about any error codes detected during a failed sign-in. - -The following fields are available: - -- **ntsStatus:** The NTSTATUS error code status returned from an attempted sign-in -- **ntsSubstatus:** The NTSTATUS error code substatus returned from an attempted sign-in - -## Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture -Indicates that a biometric capture was compared to known templates - -The following fields are available: - -- **captureDetail:** Result of biometric capture, either matched to an enrollment or an error -- **captureSuccessful:** Indicates whether a biometric capture was successfully matched or not -- **hardwareId:** ID of the sensor that collected the biometric capture -- **isSecureSensor:** Flag indicating whether a biometric sensor was in enhanced security mode -- **isTrustletRunning:** Indicates whether an enhanced security component is currently running -- **isVsmCfg:** Flag indicating whether virtual secure mode is configured or not - -## Microsoft.Windows.Security.Winlogon.SystemBootStop -System boot has completed. - -The following field is available: - -- **ticksSinceBoot:** Duration of boot event (milliseconds) - -## Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks -This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Desktop Analytics, organizations can help identify logon problems on managed devices. 
- -The following fields are available: - -- **isAadUser:** Indicates whether the current logon is for an Azure Active Directory account -- **isDomainUser:** Indicates whether the current logon is for a domain account -- **isMSA:** Indicates whether the current logon is for a Microsoft Account -- **logonOptimizationFlags:** Flags indicating optimization settings for this logon session -- **logonTypeFlags:** Flags indicating logon type (first logon vs. a later logon) -- **systemManufacturer:** Device manufacturer -- **systemProductName:** Device product name -- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability. - -## Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask -This event describes system tasks that are part of the user logon sequence and helps Microsoft to improve reliability. - -The following fields are available: - -- **isStartWaitTask:** Flag indicating whether the task starts a background task -- **isWaitMethod:** Flag indicating the task is waiting on a background task -- **logonTask:** Indicates which logon step is currently occurring -- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability. - -## Microsoft.Windows.Shell.Explorer.DesktopReady -Initialization of Explorer is complete. - -## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning -For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the Windows Information Protection administrator tune policy rules and prevent unnecessary user disruption. - -The following fields are available: - -- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. 
Useful for Windows Information Protection administrators to tune policy rules. -- **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app. -- **appname:** App that triggered the event -- **status:** Indicates whether errors occurred during Windows Information Protection learning events - -## Win32kTraceLogging.AppInteractivitySummary -Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Desktop Analytics) to understand and improve application reliability on managed devices. - -The following fields are available: - -- **AggregationDurationMS:** Actual duration of aggregation period (in milliseconds) -- **AggregationFlags:** Flags denoting aggregation settings -- **AggregationPeriodMS:** Intended duration of aggregation period (in milliseconds) -- **AggregationStartTime:** Start date and time of AppInteractivity aggregation -- **AppId:** Application ID for usage -- **AppSessionId:** GUID identifying the application's usage session -- **AppVersion:** Version of the application that produced this event -- **AudioInMS:** Audio capture duration (in milliseconds) -- **AudioOutMS:** Audio playback duration (in milliseconds) -- **BackgroundMouseSec:** Indicates that there was a mouse hover event while the app was in the background -- **BitPeriodMS:** Length of the period represented by InFocusBitmap -- **CommandLineHash:** A hash of the command line -- **CompositionDirtyGeneratedSec:** Represents the amount of time (in seconds) during which the active app reported that it had an update -- **CompositionDirtyPropagatedSec:** Total time (in seconds) that a separate process with visuals hosted in an app signaled updates -- **CompositionRenderedSec:** Time (in seconds) that an app's contents were rendered -- **EventSequence:** [need more info] -- 
**FocusLostCount:** Number of times that an app lost focus during the aggregation period -- **GameInputSec:** Time (in seconds) there was user input using a game controller -- **HidInputSec:** Time (in seconds) there was user input using devices other than a game controller -- **InFocusBitmap:** Series of bits representing application having and losing focus -- **InFocusDurationMS:** Total time (in milliseconds) the application had focus -- **InputSec:** Total number of seconds during which there was any user input -- **InteractiveTimeoutPeriodMS:** Total time (in milliseconds) that inactivity expired interactivity sessions -- **KeyboardInputSec:** Total number of seconds during which there was keyboard input -- **MonitorFlags:** Flags indicating app use of individual monitor(s) -- **MonitorHeight:** Number of vertical pixels in the application host monitor resolution -- **MonitorWidth:** Number of horizontal pixels in the application host monitor resolution -- **MouseInputSec:** Total number of seconds during which there was mouse input -- **NewProcessCount:** Number of new processes contributing to the aggregate -- **PartATransform_AppSessionGuidToUserSid:** Flag that influences how other parts of the event are constructed -- **PenInputSec:** Total number of seconds during which there was pen input -- **SpeechRecognitionSec:** Total number of seconds of speech recognition -- **SummaryRound:** Incrementing number indicating the round (batch) being summarized -- **TargetAsId:** Flag that influences how other parts of the event are constructed -- **TotalUserOrDisplayActiveDurationMS:** Total time the user or the display was active (in milliseconds) -- **TouchInputSec:** Total number of seconds during which there was touch input -- **UserActiveDurationMS:** Total time that the user was active including all input methods -- **UserActiveTransitionCount:** Number of transitions in and out of user activity -- **UserOrDisplayActiveDurationMS:** Total time the user was 
using the display -- **ViewFlags:** Flags denoting  properties of an app view (for example, special VR view or not) -- **WindowFlags:** Flags denoting runtime properties of an app window -- **WindowHeight:** Number of vertical pixels in the application window -- **WindowWidth:** Number of horizontal pixels in the application window - -## Revisions - -### PartA_UserSid removed -A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This statement was incorrect. The list has been updated to reflect that no such field is present in the event. - -### Office events added -In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics. - -> [!NOTE] -> Office data will no longer be provided through this policy in Desktop Analytics. - -### CertAnalytics events removed -In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 3 "CertAnalytics" events were removed, as they are no longer required for Desktop Analytics. - ->[!NOTE] ->You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic. diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index b6ad626c23..a90650c92d 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml 
@@ -37,8 +37,6 @@ href: windows-diagnostic-data.md - name: Windows 10, version 1703 optional diagnostic data href: windows-diagnostic-data-1703.md - - name: Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy - href: enhanced-diagnostic-data-windows-analytics-events-and-fields.md - name: Manage Windows connected experiences items: - name: Manage connections from Windows operating system components to Microsoft services From fe428d42fef36a9f8d9f7ac3f42369dc1d3fea40 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Fri, 19 Jul 2024 14:44:50 -0700 Subject: [PATCH 61/61] Fix formatting error in privacy redirection file --- .openpublishing.redirection.windows-privacy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.windows-privacy.json b/.openpublishing.redirection.windows-privacy.json index 53cc97b7c2..e280e5a7ba 100644 --- a/.openpublishing.redirection.windows-privacy.json +++ b/.openpublishing.redirection.windows-privacy.json @@ -56,7 +56,7 @@ "redirect_document_id": false }, { - "source_path": "/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md", + "source_path": "windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md", "redirect_url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136", "redirect_document_id": false }
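Review bot: the deletion hunk for enhanced-diagnostic-data-windows-analytics-events-and-fields.md removes the only field-level reference for Win32kTraceLogging.AppInteractivitySummary (fields such as CommandLineHash, AppId and AppSessionId are exactly what a privacy reviewer consults to judge what leaves a managed device under the limit enhanced diagnostic data policy) without a replacement inside windows/privacy; if the page is being retired, a short deprecation note on windows-diagnostic-data.md would keep that trail. The closing note "You can use the Windows Diagnostic Data Viewer to observe and review events and their fields" is the practical verification step and is worth preserving on whichever page takes over.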
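Review bot: the toc.yml hunk is consistent with the file deletion, but because the redirect entry for this page was first written with a leading slash (corrected only in PATCH 61/61), inbound links to enhanced-diagnostic-data-windows-analytics-events-and-fields.md would have 404'd in the interim; please grep the rest of windows/privacy and windows/deployment for links to that file and update them, rather than relying on the redirect alone.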
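Review bot: the .openpublishing.redirection.windows-privacy.json fix is correct: source_path values are repository-relative (compare the diff --git paths such as windows/privacy/toc.yml), so the leading slash in the removed line `"source_path": "/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md"` would never match and the deleted page would surface as a 404. One follow-up: redirect_url targets an external techcommunity.microsoft.com blog post, so the original field reference is not preserved and a later URL change on the blog side breaks the redirect silently; a docs-hosted target (for example windows-diagnostic-data.md) would be more durable, with redirect_document_id staying false either way.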
