diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index 95c6a16227..59c8210b09 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -18,11 +18,11 @@ ms.collection: highpri
## Overview
-This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution.
+This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves many third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution.
## Scenarios
-This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
+This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication are attempted and then fail to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
## Known issues
@@ -38,9 +38,9 @@ Viewing [NPS authentication status events](/previous-versions/windows/it-pro/win
NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article.
-Check the Windows Security event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
+Check the Windows Security event log on the NPS Server for NPS events that correspond to the rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or the accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
-In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
+In the event message, scroll to the bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.

*Example: event ID 6273 (Audit Failure)*
@@ -48,7 +48,7 @@ In the event message, scroll to the very bottom, and then check the [Reason Code

*Example: event ID 6272 (Audit Success)*
-The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
+The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, if connectivity problems occur, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example:
@@ -114,7 +114,7 @@ auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enab
Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**.
-## Additional references
+## More references
[Troubleshooting Windows Vista 802.11 Wireless Connections](/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](/previous-versions/windows/it-pro/windows-vista/cc749352(v=ws.10))
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 858333629a..dd92af8c4f 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -46,11 +46,11 @@ Essential drivers required to start the Windows kernel are loaded and the kernel
**4. Windows NT OS Kernel**
-The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START.
+The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
-The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START.
+The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
-Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
+Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.

[Click to enlarge](img-boot-sequence.md)
@@ -76,15 +76,15 @@ To determine whether the system has passed the BIOS phase, follow these steps:
1. If there are any external peripherals connected to the computer, disconnect them.
-2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase.
+2. Check whether the hard disk drive light on the physical computer is working. If it's not working, this dysfunction indicates that the startup process is stuck at the BIOS phase.
-3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS.
+3. Press the NumLock key to see whether the indicator light toggles on and off. If it doesn't toggle, this dysfunction indicates that the startup process is stuck at BIOS.
If the system is stuck at the BIOS phase, there may be a hardware problem.
## Boot loader phase
-If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase:
+If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase:
- Boot Configuration Data (BCD) missing or corrupted
- Boot file or MBR corrupted
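Review bot: "this dysfunction indicates" in steps 2 and 3 is awkward and refers to a "dysfunction" the sentence never names; the symptom is simply the light not working or not toggling. Suggest stating the conclusion directly, for example "If it's not working, the startup process is stuck at the BIOS phase." The same applies to "this status indicates" in the Boot loader phase paragraph, which can become "the boot process is stuck in the Boot Loader phase" without the filler noun.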
@@ -100,7 +100,7 @@ To troubleshoot this problem, use Windows installation media to start the comput
The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
-To do this, follow these steps.
+To do this task of invoking the Startup Repair tool, follow these steps.
> [!NOTE]
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
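Review bot: "To do this task of invoking the Startup Repair tool, follow these steps." is wordier than the line it replaces and harder to scan; "To run the Startup Repair tool, follow these steps." says the same thing. The NOTE that follows still reads "For additional methods" while other hunks in this change replace "additional" with "more" or "other", so either update it here or leave the word alone everywhere.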
@@ -144,7 +144,7 @@ BOOTREC /FIXBOOT
If you receive BCD-related errors, follow these steps:
-1. Scan for all the systems that are installed. To do this, run the following command:
+1. Scan for all the systems that are installed. To do this step, run the following command:
```console
Bootrec /ScanOS
@@ -152,7 +152,7 @@ If you receive BCD-related errors, follow these steps:
2. Restart the computer to check whether the problem is fixed.
-3. If the problem is not fixed, run the following commands:
+3. If the problem isn't fixed, run the following commands:
```console
bcdedit /export c:\bcdbackup
@@ -168,7 +168,7 @@ If you receive BCD-related errors, follow these steps:
### Method 4: Replace Bootmgr
-If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps:
+If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this replacement, follow these steps:
1. At a command prompt, change the directory to the System Reserved partition.
@@ -198,7 +198,7 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv
### Method 5: Restore System Hive
-If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
+If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
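Review bot: The added line in Method 5 contains a doubled comma ("To do this step,, use the Windows Recovery Environment"), which will ship as a visible typo. "Step" is also the wrong noun here because the sentence is not part of a numbered procedure; suggest "To restore the hive, use the Windows Recovery Environment or ...".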
@@ -207,7 +207,7 @@ If the problem persists, you may want to restore the system state backup to an a
## Kernel Phase
-If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
+If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples:
- A Stop error appears after the splash screen (Windows Logo screen).
@@ -250,7 +250,7 @@ On the **Advanced Boot Options** screen, try to start the computer in **Safe Mod
### Clean boot
To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
-Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party.
+Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party.
Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
@@ -275,7 +275,7 @@ problems can be solved. Modify the registry at your own risk.
To troubleshoot this Stop error, follow these steps to filter the drivers:
-1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
+1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version.
2. Open the registry.
@@ -291,7 +291,7 @@ To troubleshoot this Stop error, follow these steps to filter the drivers:
7. Restart the server in Normal mode.
-For additional troubleshooting steps, see the following articles:
+For more troubleshooting steps, see the following articles:
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
@@ -316,7 +316,7 @@ To fix problems that occur after you install Windows updates, check for pending
Try to start the computer.
-If the computer does not start, follow these steps:
+If the computer doesn't start, follow these steps:
1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
@@ -348,7 +348,7 @@ If the Stop error occurs late in the startup process, or if the Stop error is st
- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
-For more information about page file problems in Windows 10 or Windows Server 2016, see the following:
+For more information about page file problems in Windows 10 or Windows Server 2016, see the following article:
- [Introduction to page files](./introduction-page-file.md)
For more information about Stop errors, see the following Knowledge Base article:
@@ -359,7 +359,7 @@ If the dump file shows an error that is related to a driver (for example, window
- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
-- If the driver is not important and has no dependencies, load the system hive, and then disable the driver.
+- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
@@ -371,7 +371,7 @@ If the dump file shows an error that is related to a driver (for example, window
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
- - If there is disk corruption, run the check disk command:
+ - If there's disk corruption, run the check disk command:
```console
chkdsk /f /r
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index a9300a5ef2..8ab2aede4e 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -20,7 +20,7 @@ ms.topic: troubleshooting
## Overview
-This is a general troubleshooting of establishing Wi-Fi connections from Windows clients.
+This overview describes the general troubleshooting of establishing Wi-Fi connections from Windows clients.
Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found.
This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario.
@@ -29,11 +29,11 @@ This workflow involves knowledge and use of [TextAnalysisTool](https://github.co
This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
> [!NOTE]
-> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario.
+> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It's not meant to be representative of every wireless problem scenario.
-Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
+Wireless ETW is incredibly verbose and calls out many innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
-It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors.
+It's important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors.
The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem.
### Known Issues and fixes
@@ -57,14 +57,14 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
## Data Collection
-1. Network Capture with ETW. Enter the following at an elevated command prompt:
+1. Network Capture with ETW. Enter the following command at an elevated command prompt:
```console
netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
```
2. Reproduce the issue.
- - If there is a failure to establish connection, try to manually connect.
- - If it is intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure.
+ - If there's a failure to establish connection, try to manually connect.
+ - If it's intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure.
- If the issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data.
- If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
3. Stop the trace by entering the following command:
@@ -78,11 +78,11 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
netsh trace convert c:\tmp\wireless.etl
```
-See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you will have three files: wireless.cab, wireless.etl, and wireless.txt.
+See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you'll have three files: wireless.cab, wireless.etl, and wireless.txt.
## Troubleshooting
-The following is a high-level view of the main wifi components in Windows.
+The following view is a high-level one of the main wifi components in Windows.
|Wi-fi Components|Description|
|--- |--- |
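Review bot: "The following view is a high-level one of the main wifi components in Windows." is harder to parse than the sentence it replaces. Suggest "The following table gives a high-level view of the main Wi-Fi components in Windows.", which also matches the "Wi-Fi" spelling used in the Overview.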
@@ -116,7 +116,7 @@ Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnaly
Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page.
-The following is an example of a good connection setup:
+An example of a good connection setup is:
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
@@ -127,7 +127,7 @@ The following is an example of a good connection setup:
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
```
-The following is an example of a failed connection setup:
+An example of a failed connection setup is:
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
@@ -138,9 +138,9 @@ The following is an example of a failed connection setup:
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
```
-By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state.
+By identifying the state at which the connection fails, one can focus more specifically in the trace on logs prior to the last known good state.
-Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
+Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
In many cases the next component of interest will be the MSM, which lies just below Wlansvc.
The important components of the MSM include:
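Review bot: Removing "just" from "just prior to" in both changed sentences loses technical meaning, not only style. The guidance is to read the log lines immediately before the bad state change; "prior to" now covers the entire trace up to that point, which is the flood of entries the Overview warns against. Suggest "immediately before the bad state change" and "immediately before the last known good state" if the goal is to avoid "just".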
@@ -149,10 +149,10 @@ The important components of the MSM include:

-Each of these components has their own individual state machines which follow specific transitions.
+Each of these components has its own individual state machines that follow specific transitions.
Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
-Continuing with the example above, the combined filters look like this:
+Further to the preceding example, the combined filters look like the following command example:
```console
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
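Review bot: "look like the following command example" mislabels the block that follows, which is filtered trace output rather than a command; suggest "Continuing the preceding example, the combined filters produce output like the following:". In the first changed line, "has its own individual state machines that follow" mixes singular and plural; "Each of these components has its own state machine that follows specific transitions" reads cleanly.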
@@ -177,7 +177,7 @@ Authenticating to State: Roaming
> [!NOTE]
> In the next to last line the SecMgr transition is suddenly deactivating:
>\[2\] 0C34.2FF0::08/28/17-13:24:29.7512788 \[Microsoft-Windows-WLAN-AutoConfig\]Port\[13\] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
->This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation.
+>This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing prior to this SecMgr behavior to determine the reason for the deactivation.
Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
@@ -203,7 +203,7 @@ The trail backwards reveals a **Port Down** notification:
Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
-Below, the MSM is the native wifi stack. These are Windows native wifi drivers which talk to the wifi miniport drivers. It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
+Below, the MSM is the native wifi stack. These drivers are Windows native wifi drivers that talk to the wifi miniport drivers. It's responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
Enable trace filter for **[Microsoft-Windows-NWifi]:**
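Review bot: The rewritten paragraph keeps two defects that change or blur its meaning. "Below, the MSM is the native wifi stack" says the MSM is the native Wi-Fi stack, whereas the intent is that the native Wi-Fi stack sits below the MSM, so drop the comma. "so that TCPIP and other protocols and can use it" has a stray "and". The subject also switches from "These drivers" to "It's responsible"; pick one, for example "Below the MSM is the native Wi-Fi stack: Windows native Wi-Fi drivers that talk to the Wi-Fi miniport drivers and convert 802.11 packets to 802.3 (Ethernet) so that TCP/IP and other protocols can use them."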
@@ -230,7 +230,7 @@ In the trace above, we see the line:
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
```
-This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP.
+This line is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This denail could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This action would be done by examining internal logging/tracing from the AP.
### Resources
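Review bot: "This denail could be due to" in the added line is a typo for "denial". The closing sentence "This action would be done by examining internal logging/tracing from the AP" is also stilted after "The action here would be to examine"; suggest merging the two into "The next step is to examine the AP's internal logging or tracing for the reason it sent the disassociate."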
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index ec54bee4ae..cf0c18ee1d 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -31,11 +31,11 @@ From its release, Windows 10 has supported remote connections to PCs joined to A
## Set up
-- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
-- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported.
-- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop.
+- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported.
+- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported.
+- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.
-Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
+Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC.
- On the PC you want to connect to:
@@ -45,7 +45,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu

- 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
+ 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
- Adding users manually
@@ -55,14 +55,14 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
```
where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
- In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example:
+ In order to execute this PowerShell command, you must be a member of the local Administrators group. Otherwise, you'll get an error like this example:
- for cloud only user: "There is no such global user or group : *name*"
- for synced user: "There is no such global user or group : *name*"
> [!NOTE]
> For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.
>
- > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
+ > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
- Adding users using policy
diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md
index 0002838314..8717d386a2 100644
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@@ -42,7 +42,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl
```
-3. Run the following command to enable CAPI2 logging and increase the size :
+3. Run the following command to enable CAPI2 logging and increase the size:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600
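Review bot: The two commands under step 3 invoke the tool as `wevtutil.exe` on the first line and `wevtutil` on the second, and the fence has no language tag. The change only removes the space before the colon, so this is a good place to pick one spelling for both lines. The same pair appears under step 6 in the next hunk.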
@@ -70,7 +70,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl
```
-6. Run the following command to enable CAPI2 logging and increase the size :
+6. Run the following command to enable CAPI2 logging and increase the size:
```
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600
@@ -241,7 +241,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- - Run the following 3 commands on Windows Server 2012 and later:
+ - Run the following commands on Windows Server 2012 and later:
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
@@ -320,7 +320,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx
```
- - Run the following 3 lines on Windows 2012 and up
+ - Run the following lines on Windows 2012 and up
```
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx
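Review bot: The reworded bullet "Run the following lines on Windows 2012 and up" is still inconsistent with its counterpart in the previous hunk, "Run the following commands on Windows Server 2012 and later:". Suggest the same wording here: "commands" instead of "lines", "Windows Server 2012 and later" instead of "Windows 2012 and up", and a trailing colon before the code block.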
@@ -371,9 +371,9 @@ Use the following steps to collect wireless and wired logs on Windows and Window
reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.txt
```
3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf
-4. Log on to a domain controller and create C:\MSLOG to store captured logs.
+4. Sign in to a domain controller and create C:\MSLOG to store captured logs.
5. Launch Windows PowerShell as an administrator.
-6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
+6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for "; test.local"; domain.
```powershell
Import-Module ActiveDirectory
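Review bot: Step 6 ends up worse than before: the stray semicolons after each quotation mark remain (`";.. ,DC=test,DC=local";`, which looks like leftover entity encoding), and the new line adds a space inside the quote in `"; test.local";`. Suggest plain quotes with no semicolons, "with the appropriate domain name", and "for the test.local domain". In step 3 of the same hunk, "Copy the following files, if exist" should read "if they exist".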
diff --git a/windows/client-management/determine-appropriate-page-file-size.md b/windows/client-management/determine-appropriate-page-file-size.md
index be28170923..6c0e959124 100644
--- a/windows/client-management/determine-appropriate-page-file-size.md
+++ b/windows/client-management/determine-appropriate-page-file-size.md
@@ -15,7 +15,7 @@ ms.collection: highpri
# How to determine the appropriate page file size for 64-bit versions of Windows
-Page file sizing depends on the system crash dump setting requirements and the peak usage or expected peak usage of the system commit charge. Both considerations are unique to each system, even for systems that are identical. This means that page file sizing is also unique to each system and cannot be generalized.
+Page file sizing depends on the system crash dump setting requirements and the peak usage or expected peak usage of the system commit charge. Both considerations are unique to each system, even for systems that are identical. This uniqueness means that page file sizing is also unique to each system and can't be generalized.
## Determine the appropriate page file size
@@ -23,17 +23,17 @@ Use the following considerations for page file sizing for all versions of Window
### Crash dump setting
-If you want a crash dump file to be created during a system crash, a page file or a dedicated dump file must exist and be large enough to back up the system crash dump setting. Otherwise, a system memory dump file is not created.
+If you want a crash dump file to be created during a system crash, a page file or a dedicated dump file must exist and be large enough to back up the system crash dump setting. Otherwise, a system memory dump file isn't created.
For more information, see [Support for system crash dumps](introduction-page-file.md#support-for-system-crash-dumps) section.
### Peak system commit charge
-The system commit charge cannot exceed the system commit limit. This limit is the sum of physical memory (RAM) and all page files combined. If no page files exist, the system commit limit is slightly less than the physical memory that is installed. Peak system-committed memory usage can vary greatly between systems. Therefore, physical memory and page file sizing also vary.
+The system commit charge can't exceed the system commit limit. This limit is the sum of physical memory (RAM) and all page files combined. If no page files exist, the system commit limit is slightly less than the physical memory that is installed. Peak system-committed memory usage can vary greatly between systems. Therefore, physical memory and page file sizing also vary.
### Quantity of infrequently accessed pages
-The purpose of a page file is to *back* (support) infrequently accessed modified pages so that they can be removed from physical memory. This provides more available space for more frequently accessed pages. The "\Memory\Modified Page List Bytes" performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk. However, be aware that not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list. Therefore, consider extending or adding a page file if all the following conditions are true:
+The purpose of a page file is to *back* (support) infrequently accessed modified pages so that they can be removed from physical memory. This removal provides more available space for more frequently accessed pages. The "\Memory\Modified Page List Bytes" performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk. However, not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list. Therefore, consider extending or adding a page file if all the following conditions are true:
- More available physical memory (\Memory\Available MBytes) is required.
@@ -43,7 +43,7 @@ The purpose of a page file is to *back* (support) infrequently accessed modified
## Support for system crash dumps
-A system crash (also known as a “bug check” or a "Stop error") occurs when the system cannot run correctly. The dump file that is produced from this event is called a system crash dump. A page file or dedicated dump file is used to write a crash dump file (Memory.dmp) to disk. Therefore, a page file or a dedicated dump file must be large enough to support the kind of crash dump selected. Otherwise, the system cannot create the crash dump file.
+A system crash (also known as a “bug check” or a "Stop error") occurs when the system can't run correctly. The dump file that is produced from this event is called a system crash dump. A page file or dedicated dump file is used to write a crash dump file (Memory.dmp) to disk. Therefore, a page file or a dedicated dump file must be large enough to support the kind of crash dump selected. Otherwise, the system can't create the crash dump file.
>[!Note]
>During startup, system-managed page files are sized respective to the system crash dump settings. This assumes that enough free disk space exists.
@@ -57,29 +57,29 @@ A system crash (also known as a “bug check” or a "Stop error") occurs when t
\* 1 MB of header data and device drivers can total 256 MB of secondary crash dump data.
-The **Automatic memory dump** setting is enabled by default. This is a setting instead of a kind of crash dump. This setting automatically selects the best page file size, depending on the frequency of system crashes.
+The **Automatic memory dump** setting is enabled by default. This setting is an alternative to a kind of crash dump. This setting automatically selects the best page file size, depending on the frequency of system crashes.
The Automatic memory dump feature initially selects a small paging file size. It would accommodate the kernel memory most of the time. If the system crashes again within four weeks, the Automatic memory dump feature sets the page file size as either the RAM size or 32 GB, whichever is smaller.
-Kernel memory crash dumps require enough page file space or dedicated dump file space to accommodate the kernel mode side of virtual memory usage. If the system crashes again within four weeks of the previous crash, a Complete memory dump is selected at restart. This requires a page file or dedicated dump file of at least the size of physical memory (RAM) plus 1 MB for header information plus 256 MB for potential driver data to support all the potential data that is dumped from memory. Again, the system-managed page file will be increased to back this kind of crash dump. If the system is configured to have a page file or a dedicated dump file of a specific size, make sure that the size is sufficient to back the crash dump setting that is listed in the table earlier in this section together with and the peak system commit charge.
+Kernel memory crash dumps require enough page file space or dedicated dump file space to accommodate the kernel mode side of virtual memory usage. If the system crashes again within four weeks of the previous crash, a Complete memory dump is selected at restart. This dump requires a page file or dedicated dump file of at least the size of physical memory (RAM) plus 1 MB for header information plus 256 MB for potential driver data to support all the potential data that is dumped from memory. Again, the system-managed page file will be increased to back this kind of crash dump. If the system is configured to have a page file or a dedicated dump file of a specific size, make sure that the size is sufficient to back the crash dump setting that is listed in the table earlier in this section together with and the peak system commit charge.
### Dedicated dump files
-Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators now have the option to create a dedicated dump file instead.
+Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators can now create a dedicated dump file instead.
-A dedicated dump file is a page file that is not used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you do not want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options).
+A dedicated dump file is a page file that isn't used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you don't want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options).
## System-managed page files
-By default, page files are system-managed. This means that the page files increase and decrease based on many factors, such as the amount of physical memory installed, the process of accommodating the system commit charge, and the process of accommodating a system crash dump.
+By default, page files are system-managed. This system management means that the page files increase and decrease based on many factors, such as the amount of physical memory installed, the process of accommodating the system commit charge, and the process of accommodating a system crash dump.
-For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. This all assumes that the logical disk that is hosting the page file is large enough to accommodate the growth.
+For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This surge continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. Therefore, it's assumes that the logical disk that is hosting the page file is large enough to accommodate the growth.
The following table lists the minimum and maximum page file sizes of system-managed page files in Windows 10 and Windows 11.
|Minimum page file size |Maximum page file size|
|---------------|------------------|
-|Varies based on page file usage history, amount of RAM (RAM ÷ 8, max 32 GB) and crash dump settings. |3 × RAM or 4 GB, whichever is larger. This is then limited to the volume size ÷ 8. However, it can grow to within 1 GB of free space on the volume if required for crash dump settings.|
+|Varies based on page file usage history, amount of RAM (RAM ÷ 8, max 32 GB) and crash dump settings. |3 × RAM or 4 GB, whichever is larger. This size is then limited to the volume size ÷ 8. However, it can grow to within 1 GB of free space on the volume if necessary for crash dump settings.|
## Performance counters
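Review bot: Several of the pronoun replacements in this hunk change or break the meaning. In the system-managed paragraph, "Therefore, it's assumes that the logical disk ..." is ungrammatical and turns a stated assumption into a conclusion; something like "This growth assumes that the logical disk ... is large enough" keeps the original sense, and "This surge continues" should be "This growth continues", since the sentence describes gradual page file expansion. "This setting is an alternative to a kind of crash dump" no longer says what the old line did, namely that Automatic memory dump is a setting rather than a dump type. The kernel dump paragraph still ends with "together with and the peak system commit charge", where the stray "and" should be dropped.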
@@ -87,7 +87,7 @@ Several performance counters are related to page files. This section describes t
### \Memory\Page/sec and other hard page fault counters
-The following performance counters measure hard page faults (which include, but are not limited to, page file reads):
+The following performance counters measure hard page faults (which include, but aren't limited to, page file reads):
- \Memory\Page/sec
@@ -103,7 +103,7 @@ The following performance counters measure page file writes:
Hard page faults are faults that must be resolved by retrieving the data from disk. Such data can include portions of DLLs, .exe files, memory-mapped files, and page files. These faults might or might not be related to a page file or to a low-memory condition. Hard page faults are a standard function of the operating system. They occur when the following items are read:
-- Parts of image files (.dll and .exe files) as they are used
+- Parts of image files (.dll and .exe files) as they're used
- Memory-mapped files
@@ -111,11 +111,11 @@ Hard page faults are faults that must be resolved by retrieving the data from di
High values for these counters (excessive paging) indicate disk access of generally 4 KB per page fault on x86 and x64 versions of Windows and Windows Server. This disk access might or might not be related to page file activity but may contribute to poor disk performance that can cause system-wide delays if the related disks are overwhelmed.
-Therefore, we recommend that you monitor the disk performance of the logical disks that host a page file in correlation with these counters. Be aware that a system that has a sustained 100 hard page faults per second experiences 400 KB per second disk transfers. Most 7,200 RPM disk drives can handle about 5 MB per second at an IO size of 16 KB or 800 KB per second at an IO size of 4 KB. No performance counter directly measures which logical disk the hard page faults are resolved for.
+Therefore, we recommend that you monitor the disk performance of the logical disks that host a page file in correlation with these counters. A system that has a sustained 100 hard page faults per second experiences 400 KB per second disk transfers. Most 7,200-RPM disk drives can handle about 5 MB per second at an IO size of 16 KB or 800 KB per second at an IO size of 4 KB. No performance counter directly measures which logical disk the hard page faults are resolved for.
### \Paging File(*)\% Usage
-The \Paging File(*)\% Usage performance counter measures the percentage of usage of each page file. 100 percent usage of a page file does not indicate a performance problem as long as the system commit limit is not reached by the system commit charge, and if a significant amount of memory is not waiting to be written to a page file.
+The \Paging File(*)\% Usage performance counter measures the percentage of usage of each page file. 100 percent usage of a page file doesn't indicate a performance problem as long as the system commit limit isn't reached by the system commit charge, and if a significant amount of memory isn't waiting to be written to a page file.
>[!Note]
>The size of the Modified Page List (\Memory\Modified Page List Bytes) is the total of modified data that is waiting to be written to disk.
@@ -127,4 +127,4 @@ If the Modified Page List (a list of physical memory pages that are the least fr
## Multiple page files and disk considerations
-If a system is configured to have more than one page files, the page file that responds first is the one that is used. This means that page files that are on faster disks are used more frequently. Also, whether you put a page file on a “fast” or “slow” disk is important only if the page file is frequently accessed and if the disk that is hosting the respective page file is overwhelmed. Be aware that actual page file usage depends greatly on the amount of modified memory that the system is managing. This means that files that already exist on disk (such as .txt, .doc, .dll, and .exe) are not written to a page file. Only modified data that does not already exist on disk (for example, unsaved text in Notepad) is memory that could potentially be backed by a page file. After the unsaved data is saved to disk as a file, it is backed by the disk and not by a page file.
+If a system is configured to have more than one page files, the page file that responds first is the one that is used. This customized configuration means that page files that are on faster disks are used more frequently. Also, whether you put a page file on a “fast” or “slow” disk is important only if the page file is frequently accessed and if the disk that is hosting the respective page file is overwhelmed. Actual page file usage depends greatly on the amount of modified memory that the system is managing. This dependency means that files that already exist on disk (such as .txt, .doc, .dll, and .exe) aren't written to a page file. Only modified data that doesn't already exist on disk (for example, unsaved text in Notepad) is memory that could potentially be backed by a page file. After the unsaved data is saved to disk as a file, it's backed by the disk and not by a page file.
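Review bot: "This customized configuration means that page files that are on faster disks are used more frequently" points at the wrong antecedent. The cause is the behavior in the previous sentence (the page file that responds first is used), not the configuration, so "This behavior means ..." is closer. Likewise, "This dependency means that files that already exist on disk ... aren't written to a page file" does not follow from the sentence before it; suggest stating it directly, for example "Files that already exist on disk ... aren't written to a page file." The opening "more than one page files" is still ungrammatical and should be "more than one page file".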
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index 12bd194bc7..b3c3a0f026 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -46,7 +46,7 @@ To enable memory dump setting, follow these steps:
When the computer crashes and restarts, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed.
-Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This can cause a prolonged server outage.
+Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best-case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This read-and-write process can cause a prolonged server outage.
>[!Note]
>Use this method to generate complete memory dump files with caution. Ideally, you should do this only when you are explicitly requested to by the Microsoft Support engineer. Any kernel or complete memory dump file debugging should be the last resort after all standard troubleshooting methods have been completely exhausted.
@@ -55,7 +55,7 @@ Depending on the speed of the hard disk on which Windows is installed, dumping m
### Use the NotMyFault tool
-If you can log on while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool. To do this, follow these steps:
+If you can sign in while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool by following these steps:
1. Download the [NotMyFault](https://download.sysinternals.com/files/NotMyFault.zip) tool.
@@ -71,17 +71,17 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi
### Use NMI
-On some computers, you cannot use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard is not attached to the HP BladeSystem server.
+On some computers, you can't use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard isn't attached to the HP BladeSystem server.
In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor.
-To do this, follow these steps:
+To implement this process, follow these steps:
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
> [!NOTE]
-> This registry key is not required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect.
+> This registry key isn't required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect.
1. In Registry Editor, locate the following registry subkey:
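Review bot: The first changed line still reads "you can't use keyboard to generate a crash dump file", which is missing an article; suggest "you can't use a keyboard". "To implement this process, follow these steps:" is also heavier than needed for a lead-in to a registry edit; "Follow these steps:" or "To generate the dump file by using NMI, follow these steps:" says what the steps do.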
@@ -104,7 +104,7 @@ To do this, follow these steps:
>[!Note]
>For the exact steps, see the BIOS reference manual or contact your hardware vendor.
-9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction.
+9. Test this method on the server by using the NMI switch to generate a dump file. You'll see a STOP 0x00000080 hardware malfunction.
If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/azure/virtual-machines/linux/serial-console-nmi-sysrq).
diff --git a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
index ecfa4c5ca0..9b1d7821f3 100644
--- a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
+++ b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
@@ -9,4 +9,4 @@ ms.prod: edge
ms.topic: include
---
-Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.
+Microsoft Edge doesn't use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.
diff --git a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
index 9d39c7e091..6fa1849707 100644
--- a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
+++ b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and more diagnostic data, such as usage data.
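Review bot: As this hunk reads, `manager: dansimp` stays as an unchanged first line and the whole front matter, including a second `manager: dansimp`, is re-added below it, which matches the header growing from 11 to 12 lines. The resulting file would start with a metadata key above the opening `---` and carry the key twice, so the front matter is unlikely to parse as intended. Suggest regenerating the file so it begins with `---` and lists `manager` once. The other shortdesc includes in this patch with the same `@@ -1,11 +1,12 @@` header show the same shape. Separately, "both basic and more diagnostic data" reads awkwardly after replacing "additional"; "both basic and extra diagnostic data" or keeping "additional" would be clearer.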
diff --git a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
index 1aca979b7e..06b4e1eb02 100644
--- a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
+++ b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. To use fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge.
diff --git a/windows/client-management/includes/allow-saving-history-shortdesc.md b/windows/client-management/includes/allow-saving-history-shortdesc.md
index 9acffb1e18..822a8f9b81 100644
--- a/windows/client-management/includes/allow-saving-history-shortdesc.md
+++ b/windows/client-management/includes/allow-saving-history-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy doesn't stop roaming of existing browsing history or browsing history from other devices.
diff --git a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
index e16dbdc2db..985741be58 100644
--- a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
+++ b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but doesn't prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
diff --git a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
index 75a3631a95..90eddc5182 100644
--- a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
+++ b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+Microsoft Edge doesn't send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
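Review bot: The front matter is removed and re-added with identical text, `manager: dansimp` is the only line shown as unchanged, and the hunk header goes from 11 to 12 lines, so most of this hunk looks like a line-ending or whitespace normalization rather than a content edit. Say so in the commit message, or split the normalization from the wording fix, so the one real change ("does not" to "doesn't") is reviewable on its own. The same pattern repeats in the other include files in this patch. In the body, "With this policy though," can drop "though".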
diff --git a/windows/client-management/includes/configure-do-not-track-shortdesc.md b/windows/client-management/includes/configure-do-not-track-shortdesc.md
index dd27fad917..c5253680b3 100644
--- a/windows/client-management/includes/configure-do-not-track-shortdesc.md
+++ b/windows/client-management/includes/configure-do-not-track-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+Microsoft Edge doesn't send ‘Do Not Track’ requests to websites that ask for tracking information. However, users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
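Review bot: The rewritten body still blurs what is being sent. "Do Not Track" is a request that sites not track the user, but the second and third sentences talk about choosing to "send tracking information", which reads as the opposite. Use one term throughout, for example "send Do Not Track requests" in all three sentences, and state which policy state sends the request. The curly quotes around ‘Do Not Track’ were carried over from the old line; straight quotes or no quotes would match the rest of the docs.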
diff --git a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
index 8d1cc4f603..97d9c264c0 100644
--- a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
+++ b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allows users to make changes. With this policy, you can configure Microsoft Edge to load the Start page, New Tab page, or the previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
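Review bot: "you must also configure the Configure Start Pages" on the added line is missing the noun "policy", which the old line also lacked; since the sentence is being touched anyway, make it "the Configure Start Pages policy". The closing sentence is a lockdown instruction phrased as a negative ("don't configure the Disable Lockdown of Start Pages policy"); consider stating the resulting state as well, that Start pages stay locked when that policy is left unconfigured.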
diff --git a/windows/client-management/includes/configure-start-pages-shortdesc.md b/windows/client-management/includes/configure-start-pages-shortdesc.md
index 146511b737..e8c18a3d8b 100644
--- a/windows/client-management/includes/configure-start-pages-shortdesc.md
+++ b/windows/client-management/includes/configure-start-pages-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users can't make changes.
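Review bot: The second sentence of the added paragraph says "With this policy, you can configure ... when you enable this policy", which repeats itself; "Enable this policy together with the Configure Open Microsoft Edge With policy to configure one or more Start pages" says the same thing once. The last sentence is also missing "the" before "Configure Open Microsoft Edge With policy".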
diff --git a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
index 62547e8955..8eeb1e44a5 100644
--- a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
+++ b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users can't disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
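Review bot: Two errors survive on the added line: "turns on Windows Defender SmartScreen and prevent users" needs "prevents", and "Windows defender SmartScreen" in the last sentence needs a capital "Defender". The last sentence is also easy to misread as "do not use this policy"; "Leave this policy unconfigured to let users choose ..." is clearer for a setting that controls a phishing and malware protection.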
diff --git a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
index 37ff4011ad..37156ee3a7 100644
--- a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
+++ b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies can't be changed, and they remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start pages or any Start page configured with the Configure Start pages policy.
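Review bot: The policy names on the added line don't match the names used in the sibling include files. "Configure Open Microsoft Edge policies" should be the "Configure Open Microsoft Edge With policy", and "Configure Start pages policy" at the end should be "Configure Start Pages policy" as at the start of the same sentence. Since these strings are what an administrator searches for in the policy editor, they should be exact.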
diff --git a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
index 5bf46ea949..f4acce9ce0 100644
--- a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
+++ b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+By default, users can access the about:flags page in Microsoft Edge that is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
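Review bot: Changing ", which is used" to "that is used" on the added line turns a descriptive clause into a restrictive one, as if there were several about:flags pages and only one changes developer settings. There is a single page, so the original comma plus "which" was correct; revert that part of the edit.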
diff --git a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
index 5ef4bbdeca..b7b66d315b 100644
--- a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
+++ b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
@@ -1,11 +1,12 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
+---
+author: dansimp
+ms.author: dansimp
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+By default, Microsoft Edge shows localhost IP address while making calls through usage of the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
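Review bot: "through usage of the WebRTC protocol" on the added line is wordier than the "using the WebRTC protocol" it replaces and adds no meaning; keep the original phrase. The first sentence also has "shows localhost IP address" with no article while the second says "addresses"; pick one number and add the article.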
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index 3774c02704..29a9358bf0 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -27,19 +27,19 @@ By using Windows operating systems, administrators can determine what devices ca
## Introduction
### General
-This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
+This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
-- Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.
-- Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
+- Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.
+- Allow users to install only devices that are on an "approved" list. If a device isn't on the list, then the user can't install it.
This guide describes the device installation process and introduces the device identification strings that Windows uses to match a device with the device-driver packages available on a machine. The guide also illustrates two methods of controlling device installation. Each scenario shows, step by step, one method you can use to allow or prevent the installation of a specific device or a class of devices.
-The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide will not exactly match the user interface that appears on the computer.
+The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide won't exactly match the user interface that appears on the computer.
-It is important to understand that the Group Policies that are presented in this guide are only apply to machines/machine-groups, not to users/user-groups.
+It's important to understand that the Group Policies that are presented in this guide are only applied to machines/machine-groups, not to users/user-groups.
> [!IMPORTANT]
-> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide is not meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
+> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide isn't meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
### Who Should Use This Guide?
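Review bot: "RS5 (1809)" in the first changed paragraph is an internal codename that the edit keeps; public documentation should say "Windows 10, version 1809". In the Group Policies sentence, "are only applied to machines/machine-groups" is now grammatical, but "apply only to machines and machine groups" is shorter and avoids the slashes.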
@@ -56,7 +56,7 @@ Restricting the devices that users can install reduces the risk of data theft an
#### Reduce the risk of data theft
-It is more difficult for users to make unauthorized copies of company data if users' computers cannot install unapproved devices that support removable media. For example, if users cannot install a USB thumb-drive device, they cannot download copies of company data onto a removable storage. This benefit cannot eliminate data theft, but it creates another barrier to unauthorized removal of data.
+It's more difficult for users to make unauthorized copies of company data if users' computers can't install unapproved devices that support removable media. For example, if users can't install a USB thumb-drive device, they can't download copies of company data onto a removable storage. This benefit can't eliminate data theft, but it creates another barrier to unauthorized removal of data.
#### Reduce support costs
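Review bot: On the added line, "This benefit can't eliminate data theft" makes the benefit the thing that fails to stop theft; the subject should be the restriction itself, for example "This restriction can't eliminate data theft, but it creates another barrier". "onto a removable storage" also needs fixing, either "onto removable storage" or "onto a removable storage device".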
@@ -82,7 +82,7 @@ In this scenario, the administrator allows standard users to install all printer
### Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
-In this scenario, you will combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This is a more realistic scenario and brings you a step farther in understanding of the Device Installation Restrictions policies.
+In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies.
### Scenario #4: Prevent installation of a specific USB device
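Review bot: "brings you a step farther in understanding of the Device Installation Restrictions policies" on the added line should use "further", since it is not a physical distance, and "in understanding the". "This scenario is a more realistic one" can be just "This scenario is more realistic".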
@@ -90,7 +90,7 @@ This scenario, although similar to scenario #2, brings another layer of complexi
### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
-In this scenario, combining all previous 4 scenarios, you will learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first 4 scenarios and therefore it is preferred to go over them first before attempting this scenario.
+In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
## Technology Review
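Review bot: The added line keeps several errors from the old one: "combining all previous four scenarios" should be "combining the previous four scenarios", "the administrator likes to prevent any farther interaction" should be "wants to prevent any further interaction", and "blocking them all together" should be "altogether". This sentence describes blocking devices that are already installed, which is the security-relevant part of the scenario, so it is worth splitting out into its own sentence rather than leaving it inside "In addition, ...".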
@@ -99,9 +99,9 @@ The following sections provide a brief overview of the core technologies discuss
### Device Installation in Windows
-A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it is a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
+A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
-When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages.
+When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages.
Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows to specify which of these identifiers to allow or block.
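Review bot: In the first changed paragraph, "or in a more technical definition - it's a single instance" uses a spaced hyphen as a dash and now pairs it with a contraction, which reads awkwardly. Split it into two sentences: "A device is a piece of hardware ... More technically, it's a single instance of ...". "device-driver" in the same paragraph should be "device driver".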
@@ -122,24 +122,24 @@ Windows can use each string to match a device to a driver package. The strings r
##### Hardware IDs
-Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision is not available.
+Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision isn't available.
##### Compatible IDs
-Windows uses these identifiers to select a driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
+Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library.
> [!NOTE]
> For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.
-Some physical devices create one or more logical devices when they are installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.
+Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.
-When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you did not allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs.
+When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs.
#### Device setup classes
-Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices are belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached.
+Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached.
When you use device Classes to allow or prevent users from installing drivers, you must specify the GUIDs for all of the device's device setup classes, or you might not achieve the results you want. The installation might fail (if you want it to succeed) or it might succeed (if you want it to fail).
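Review bot: "see Device Identification Strings in Microsoft Docs" on the changed line at the end of the logical-devices paragraph names an article without linking it, and the unchanged lines in this hunk do the same for "How Setup Selects Drivers" and the "Step-by-Step Guide to Driver Signing and Staging". The next hunk links Device Setup Classes with a relative URL, so these should follow the same pattern. This matters here because the paragraph tells administrators they must cover every identification string of a multifunction device, and the linked article is where they learn how to enumerate them.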
@@ -147,36 +147,36 @@ For example, a multi-function device, such as an all-in-one scanner/fax/printer,
For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs.
-This guide does not depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
+This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
-The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly refer to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly refer to devices that could be connected to an existing computer/machine:
+The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly referred to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly referred to devices that could be connected to an existing computer/machine:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
#### ‘Removable Device’ Device type
-Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it is connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
+Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
### Group Policy Settings for Device Installation
Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
-Device Installation section in Group Policy is a set of policies that control which device could or could not be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more details, see Group Policy Object Editor Technical Reference.
+Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see Group Policy Object Editor Technical Reference.
The following passages are brief descriptions of the Device Installation policies that are used in this guide.
> [!NOTE]
-> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You cannot apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
+> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
#### Allow administrators to override Device Installation Restriction policies
-This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or do not configure this policy setting, administrators are subject to all policy settings that restrict device installation.
+This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or don't configure this policy setting, administrators are subject to all policy settings that restrict device installation.
#### Allow installation of devices that match any of these device IDs
-This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
+This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
#### Allow installation of devices that match any of these device instance IDs
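Review bot: The policy names in the added note and in the added "Allow installation of devices that match any of these device IDs" paragraph run straight into the surrounding sentence with no formatting, so text such as "when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence" is hard to parse. Suggest bolding each policy name, as the scenario steps already do (for example, "Open **Prevent installation of devices using drivers that match these device setup classes** policy"). The added overview line also names "Group Policy Object Editor Technical Reference" after "For more information, see" without a link, so a link is needed there.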
@@ -184,20 +184,20 @@ This policy setting allows you to specify a list of Plug and Play device instanc
#### Allow installation of devices using drivers that match these device setup classes
-This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
+This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
#### Prevent installation of devices that match these device IDs
-This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users cannot install. If you enable this policy setting, users cannot install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or do not configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation.
+This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users can't install. If you enable this policy setting, users can't install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or don't configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation.
Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device.
#### Prevent installation of devices that match any of these device instance IDs
-This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
#### Prevent installation of devices using drivers that match these device setup classes
-This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users cannot install. If you enable this policy setting, users cannot install or update devices that belong to any of the listed device setup classes. If you disable or do not configure this policy setting, users can install and update devices as permitted by other policy settings for device installation.
+This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users can't install. If you enable this policy setting, users can't install or update devices that belong to any of the listed device setup classes. If you disable or don't configure this policy setting, users can install and update devices as permitted by other policy settings for device installation.
Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device from being installed even if it matches another policy setting that would allow installation of that device.
### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
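Review bot: The added paragraph under "Allow installation of devices using drivers that match these device setup classes" says the list holds device setup class GUIDs, but then says users can install "any device with a hardware ID or compatible ID that matches one of the IDs in this list". That wording matches the device IDs policy, not a class list, and the contraction pass carried it over unchanged. Suggest rewording it to refer to devices whose setup class GUID matches an entry in the list. The unchanged Note under the setup classes Prevent policy also still reads "prevents users from installing a device from being installed" and should drop one of the two phrases.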
@@ -209,7 +209,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
> [!NOTE]
> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
>
-> If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
+> If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
@@ -222,11 +222,11 @@ Some of these policies take precedence over other policies. The flowchart shown
### General
-To complete each of the scenarios, please ensure your have:
+To complete each of the scenarios, ensure your have:
- A client computer running Windows.
-- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives do not require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
+- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
- A USB/network printer pre-installed on the machine.
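Review bot: The added line "To complete each of the scenarios, ensure your have:" removes "please" but keeps the typo "your"; it should read "ensure you have:". The thumb-drive bullet also mixes quote styles and comma placement in its list of alternative names (“removable disk drive”, "memory drive," "flash drive,"), which is worth normalizing while the line is being touched.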
@@ -234,18 +234,18 @@ To complete each of the scenarios, please ensure your have:
### Understanding implications of applying ‘Prevent’ policies retroactive
-All ‘Prevent’ policies have an option to apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator is not sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
+All ‘Prevent’ policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones.
-This is a powerful tool, but as such it has to be used carefully.
+This option is a powerful tool, but as such it has to be used carefully.
> [!IMPORTANT]
> Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
## Determine device identification strings
-By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device do not match those shown in this guide, use the IDs that are appropriate to your device (this applies to Instance IDs and Classes, but we are not going to give an example for them in this guide).
+By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device don't match those IDs shown in this guide, use the IDs that are appropriate to your device (this policy applies to Instance IDs and Classes, but we aren't going to give an example for them in this guide).
You can determine the hardware IDs and compatible IDs for your device in two ways. You can use Device Manager, a graphical tool included with the operating system, or PnPUtil, a command-line tool available for all Windows versions. Use the following procedure to view the device identification strings for your device.
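Review bot: In the added paragraph under "Determine device identification strings", the parenthetical now reads "this policy applies to Instance IDs and Classes", but no policy is under discussion at that point. The removed line's "this applies" referred to the advice to use the IDs appropriate to your device, so the substitution changes the meaning. Suggest "(the same applies to Instance IDs and Classes, but this guide doesn't give an example for them)". The heading "applying ‘Prevent’ policies retroactive" and the phrase "To apply the block retroactive" in the same hunk should use "retroactively".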
@@ -268,7 +268,7 @@ To find device identification strings using Device Manager

_Open the ‘Details’ tab to look for the device identifiers_
-6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies.
+6. From the ‘Value’ window, copy the most detailed Hardware ID – we'll use this value in the policies.

@@ -283,7 +283,7 @@ To find device identification strings using Device Manager
pnputil /enum-devices /ids
```
-Here is an example of an output for a single device on a machine:
+Here's an example of an output for a single device on a machine:
```console
@@ -310,7 +310,7 @@ Compatible IDs: PCI\VEN_8086&DEV_2F34&REV_02
## Scenario #1: Prevent installation of all printers
-In this simple scenario, you will learn how to prevent the installation of an entire Class of devices.
+In this simple scenario, you'll learn how to prevent the installation of an entire Class of devices.
### Setting up the environment
@@ -335,7 +335,7 @@ Getting the right device identifier to prevent it from being installed:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
-3. Our current scenario is focused on preventing all printers from being installed, as such here is the Class GUID for most of printers in the market:
+3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
> Printers\
> Class = Printer\
@@ -343,7 +343,7 @@ Getting the right device identifier to prevent it from being installed:
> This class includes printers.
> [!NOTE]
- > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system.
+ > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they're not blocking any other existing device that is crucial to your system.
Creating the policy to prevent all printers from being installed:
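Review bot: The added note line still contains "Please make sure you understand which devices are going to be blocked", while the same change removes "please" from "To complete each of the scenarios". Suggest dropping it here too for consistency: "Make sure you understand which devices are going to be blocked when specifying a Class."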
@@ -357,15 +357,15 @@ Creating the policy to prevent all printers from being installed:
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block.
+5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
-6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}

_List of prevent Class GUIDs_
7. Click ‘OK’.
-8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’
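Review bot: In step 6 the added text says "this convention is important! Otherwise, it won’t work", while the identical step in scenario #3 is changed to "this value is important!". Neither names the thing that matters, which is the curly braces around the GUID. Suggest one wording in both places, for example "(the curly braces are required; otherwise, it won’t work)". In steps 5 and 8, "This option will take you to a table" and "this option pushes the policy" describe the ‘Show…’ box and the ‘Apply’ button, so "option" is misleading; "This action" or naming the button would be accurate.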
@@ -374,13 +374,13 @@ Creating the policy to prevent all printers from being installed:
### Testing the scenario
-1. If you have not completed step #9 – follow these steps:
+1. If you haven't completed step #9 – follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
- 1. You should not be able to reinstall the printer.
+ 1. You shouldn't be able to reinstall the printer.
-2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use.
+2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
## Scenario #2: Prevent installation of a specific printer
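Review bot: The added step 2 keeps the hyphenated "no-longer" ("see that it's no-longer available for you to use"); it should be "no longer". The same spelling is carried into the added testing lines for scenarios #2 and #4, so it is worth fixing in all three places in this change.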
@@ -392,13 +392,13 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Make sure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this is optional to be On/Off this scenario). Although the policy is disabled in default, it is recommended to be enabled in most practical applications. For scenario #2 it is optional.
+2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
### Scenario steps – preventing installation of a specific device
Getting the right device identifier to prevent it from being installed:
-1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously
+1. Get your printer’s Hardware ID – in this example we'll use the identifier we found previously

_Printer Hardware ID_
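Review bot: The added setup step 2 does not parse: "(this prerequisite is optional to be On/Off this scenario)" is missing words, "disabled in default" should be "disabled by default", and the step now states that the policy is optional twice. Suggest something like "except ‘Apply layered order of evaluation’, which can be either on or off for this scenario. Although the policy is disabled by default, enabling it is recommended in most practical applications." The same parenthetical is added to the setup step for scenario #4 and needs the same fix.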
@@ -414,7 +414,7 @@ Creating the policy to prevent a single printer from being installed:
3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
-4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to block.
+4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to block.
5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0
@@ -422,26 +422,26 @@ Creating the policy to prevent a single printer from being installed:
6. Click ‘OK’.
-7. Click ‘Apply’ on the bottom right of the policy’s window. This pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install.
+7. Click ‘Apply’ on the bottom right of the policy’s window. This option pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install.
8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’.
### Testing the scenario
-If you completed step #8 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use.
+If you completed step #8 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
-If you have not completed step #8, follow these steps:
+If you haven't completed step #8, follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
-3. You should not be able to reinstall the printer.
+3. You shouldn't be able to reinstall the printer.
## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
-Now, using the knowledge from both previous scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed.
+Now, using the knowledge from both previous scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed.
### Setting up the environment
@@ -474,15 +474,15 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block.
+5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
-6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}

_List of prevent Class GUIDs_
7. Click ‘OK’.
-8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’
@@ -494,7 +494,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
-10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to allow.
+10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow.
11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
@@ -502,18 +502,18 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
12. Click ‘OK’.
-13. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and allows the target printer to be installed (or stayed installed).
+13. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and allows the target printer to be installed (or stayed installed).
## Testing the scenario
-1. Simply look for your printer under Device Manager or the Windows Settings app and see that it is still there and accessible. Or just print a test document.
+1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document.
-2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you should not be bale to print anything or able to access the printer at all.
+2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you shouldn't be bale to print anything or able to access the printer at all.
## Scenario #4: Prevent installation of a specific USB device
-The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you will gain an understanding of how some devices are built into the PnP (Plug and Play) device tree.
+The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you'll gain an understanding of how some devices are built into the PnP (Plug and Play) device tree.
### Setting up the environment
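Review bot: The added testing step 2 carries over the typo "bale" in "you shouldn't be bale to print anything or able to access the printer at all"; it should read "you shouldn't be able to print anything or access the printer at all". In added step 13, "(or stayed installed)" should be "(or to stay installed)". The "Testing the scenario" heading in this hunk is also level 2 (##) while the other scenarios use level 3 (###) for the same heading.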
@@ -521,7 +521,7 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section
-2. Make sure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this is optional to be On/Off this scenario) – although the policy is disabled in default, it is recommended to be enabled in most practical applications.
+2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario) – although the policy is disabled in default, it's recommended to be enabled in most practical applications.
### Scenario steps – preventing installation of a specific device
@@ -546,7 +546,7 @@ Getting the right device identifier to prevent it from being installed and its l
5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
-6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
+6. From the ‘Value’ window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07

_USB device hardware IDs_
@@ -560,7 +560,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
-4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This will take you to a table where you can enter the device identifier to block.
+4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This option will take you to a table where you can enter the device identifier to block.
5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
@@ -568,24 +568,24 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
6. Click ‘OK’.
-7. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install.
+7. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install.
8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’
### Testing the scenario
-1. If you have not completed step #8 – follow these steps:
+1. If you haven't completed step #8 – follow these steps:
- Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”.
- - You should not be able to reinstall the device.
+ - You shouldn't be able to reinstall the device.
-2. If you completed step #8 above and restarted the machine, simply look for your Disk drives under Device Manager and see that it is no-longer available for you to use.
+2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
-Now, using the knowledge from all the previous 4 scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed.
+Now, using the knowledge from all the previous four scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed.
### Setting up the environment
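Review bot: In the added testing step 2, "look for your Disk drives under Device Manager and see that it's no-longer available" has no clear referent for "it": the sentence names the Disk drives category, not the blocked device. Suggest "look under Disk drives in Device Manager and confirm that the USB thumb-drive is no longer available". In the added scenario #5 intro, "all the previous four scenarios" reads better as "the previous four scenarios".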
@@ -611,11 +611,11 @@ Getting the device identifier for both the USB Classes and a specific USB thumb-
- USB Device
- Class = USBDevice
- ClassGuid = {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
- - USBDevice includes all USB devices that do not belong to another class. This class is not used for USB host controllers and hubs.
+ - USBDevice includes all USB devices that don't belong to another class. This class isn't used for USB host controllers and hubs.
- Hardware ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
-As mentioned in scenario #4, it is not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one are not blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
+As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
- “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03
- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
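Review bot: The rewritten paragraph above the device list only contracts "it is" and leaves the errors that obscure the instruction: "all the USB devices that preceding the target one aren't blocked (allowed) as well" and "In Our case the following devices has to be allowed". Suggest "The IT admin has to ensure that all the USB devices preceding the target one are allowed as well. In our case, the following devices have to be allowed so that the target USB thumb-drive can be allowed too".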
@@ -623,18 +623,18 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I

_USB devices nested under each other in the PnP tree_
-These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine.
+These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine.
> [!IMPORTANT]
-> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it is important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list:
+> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list:
>
> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
> USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
> USB\USB20_HUB (for Generic USB Hubs)/
>
-> Specifically for desktop machines, it is very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.
+> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.
>
-> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it is done.
+> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one:
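Review bot: The new sentence "Enabling them shouldn't enable any external/peripheral device from being installed" pairs "enable" with "from being installed", which can be read as the opposite of what is meant; "Allowing them shouldn't allow any external/peripheral device to be installed" is unambiguous. Inside the IMPORTANT block, "Some device in the system have" and "accessing its machine" are still unfixed. The allow list also labels PCI\VEN_8086 as a host-controller ID, but that form matches on the PCI vendor alone, so the text should say it covers more than host controllers.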
@@ -648,7 +648,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block.
+5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
6. Enter both USB classes GUID you found above with the curly braces:
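Review bot: In step 5, "This option will take you to a table" has no option to refer to, because the subject is the act of clicking ‘Show…’. "Clicking it opens a table where you can enter the class identifier to block" removes the vague pronoun without inventing a noun. Step 11 later in this patch has the same wording and needs the same change.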
@@ -657,7 +657,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
7. Click ‘OK’.
-8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs.
+8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs.
> [!IMPORTANT]
> The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice.
@@ -668,7 +668,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
-11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to allow.
+11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow.
12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07
@@ -682,4 +682,4 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
### Testing the scenario
-You should not be able to install any USB thumb-drive, except the one you authorized for usage
+You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage
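Review bot: The rewritten test sentence still ends without a period, and this section gives no steps for checking the result, unlike the "Testing the scenario" section of Scenario #4 earlier in this patch. Add the period and a short verification step, such as confirming in Device Manager that an unauthorized thumb-drive does not appear under Disk drives while the authorized one does.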
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 55882ecb16..cc38c493dd 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -17,9 +17,9 @@ ms.topic: article
# Manage Windows 10 in your organization - transitioning to modern management
-Use of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
+Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
-Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist.
+Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
@@ -50,7 +50,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man
## Deployment and Provisioning
-With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
+With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can:
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/).
@@ -59,7 +59,7 @@ With Windows 10, you can continue to use traditional OS deployment, but you can
- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction).
-You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
+You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive – everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
## Identity and Authentication
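Review bot: "This process usage can mean lower deployment costs" is not idiomatic, and the edit also drops "significantly", which changes the claim rather than the style. If the strength of the claim is meant to stay, write "This approach can mean significantly lower deployment costs and improved productivity, because end users can be immediately productive".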
@@ -73,8 +73,8 @@ You can envision user and device management as falling into these two categories
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
-- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises.
- With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This provides:
+- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
+ With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
- Single sign-on to cloud and on-premises resources from everywhere
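Review bot: The rewritten bullet "These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises" breaks parallelism ("require authentication or accessing") and has resources requiring access to resources. Suggest "These applications and resources may require authentication or access to highly sensitive or classified resources on-premises". The heading phrase "Domain joined PCs" would also match "domain-joined" as hyphenated elsewhere in this file.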
@@ -98,7 +98,7 @@ As you review the roles in your organization, you can use the following generali
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
-**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
+**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices:
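Review bot: "This provision makes MDM the best choice" uses "provision" for what the preceding sentence describes as a capability, namely targeting Internet-connected devices without GP; "This capability" fits. In that preceding sentence, "without using GP that requires on-premises domain-joined devices" reads as if only some GP has that requirement, so "without using GP, which requires on-premises domain-joined devices" is clearer.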
@@ -115,7 +115,7 @@ MDM with Intune provide tools for applying Windows updates to client computers i
## Next steps
-There are a variety of steps you can take to begin the process of modernizing device management in your organization:
+There are various steps you can take to begin the process of modernizing device management in your organization:
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies.
@@ -123,10 +123,10 @@ There are a variety of steps you can take to begin the process of modernizing de
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
-**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md)
+**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md)
-**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
+**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview)
- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare)
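Review bot: "Configuration Manager 1710 onward, co-management enables you" is missing its preposition and reads as a fragment; either keep the original "Starting with Configuration Manager 1710," or write "From Configuration Manager 1710 onward,". In the "Take incremental steps" paragraph of the same hunk, the last sentence still ends without a period after the "Policies supported by GP" link.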
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 5f2a7ff230..7be2cf47f8 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -19,7 +19,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
> [!NOTE]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
-The following shows the AccountManagement configuration service provider in tree format.
+The following syntax shows the AccountManagement configuration service provider in tree format.
```console
./Vendor/MSFT
@@ -41,7 +41,7 @@ Interior node.
**UserProfileManagement/EnableProfileManager**
Enable profile lifetime management for shared or communal device scenarios. Default value is false.
-Supported operations are Add, Get,Replace, and Delete. Value type is bool.
+Supported operations are Add, Get, Replace, and Delete. Value type is bool.
**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
@@ -52,19 +52,19 @@ Valid values:
- 1 - delete at storage capacity threshold
- 2 - delete at both storage capacity threshold and profile inactivity threshold
-Supported operations are Add, Get,Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
-Supported operations are Add, Get,Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
-Supported operations are Add, Get,Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
**UserProfileManagement/ProfileInactivityThreshold**
-Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30.
+Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
-Supported operations are Add, Get,Replace, and Delete. Value type is integer.
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 1269c2797e..badfb5ccd9 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -1,6 +1,6 @@
---
title: Accounts CSP
-description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & joint them to a group.
+description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -17,7 +17,7 @@ manager: dansimp
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
-The following shows the Accounts configuration service provider in tree format.
+The following syntax shows the Accounts configuration service provider in tree format.
```
./Device/Vendor/MSFT
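Review bot: "The following syntax shows the Accounts configuration service provider in tree format" calls a node tree "syntax", but the block lists node paths, not a grammar. "The following example", which this patch uses for the ActiveSync CSP, or "The following tree" would be accurate. The accountmanagement-csp.md hunk has the same wording, and its fence is tagged console while this one is untagged, so pick one convention for both.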
@@ -37,7 +37,7 @@ Root node.
Interior node for the account domain information.
**Domain/ComputerName**
-This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
+This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
Available naming macros:
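Review bot: "but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory" is heavier than the sentence it replaces and still has "Active directory" in lower case. Suggest "This setting can be managed remotely, but not on devices that are hybrid joined to Azure Active Directory and an on-premises Active Directory".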
@@ -61,9 +61,9 @@ This node specifies the username for a new local user account. This setting can
This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
-GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager.
+GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager.
**Users/_UserName_/LocalUserGroup**
-This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
+This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.
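Review bot: The LocalUserGroup description gives only one value ("Set the value to 2 for Administrators group"), and the visible text does not state the value that corresponds to the Standard Users default or whether any other values are accepted. Because this node decides whether a provisioned local account is an administrator, the description should list the valid values in full. The Password node also writes "GET" in capitals where the other CSP pages in this patch write "Get".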
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index e69eef0c44..307391743a 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -17,7 +17,7 @@ ms.date: 06/26/2017
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
-Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
+Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
@@ -28,7 +28,7 @@ The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in th
-The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
```
./Vendor/MSFT
@@ -86,7 +86,7 @@ Defines a specific ActiveSync account. A globally unique identifier (GUID) must
Supported operations are Get, Add, and Delete.
-When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account.
+When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and doesn't create the new account.
Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example:
@@ -107,7 +107,7 @@ For OMA DM, you must use the ASCII values of %7B and %7D for the opening and clo
***Account GUID*/EmailAddress**
Required. A character string that specifies the email address associated with the Exchange ActiveSync account.
-Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+Supported operations are Get, Replace, and Add (can't Add after the account is created).
This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com".
@@ -119,21 +119,21 @@ Supported operations are Get, Replace, Add, and Delete.
***Account GUID*/AccountIcon**
Required. A character string that specifies the location of the icon associated with the account.
-Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+Supported operations are Get, Replace, and Add (can't Add after the account is created).
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
***Account GUID*/AccountType**
Required. A character string that specifies the account type.
-Supported operations are Get and Add (cannot Add after the account is created).
+Supported operations are Get and Add (can't Add after the account is created).
-This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange".
+This value is entered during setup and can't be modified once entered. An Exchange account is indicated by the string value "Exchange".
***Account GUID*/AccountName**
Required. A character string that specifies the name that refers to the account on the device.
-Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+Supported operations are Get, Replace, and Add (can't Add after the account is created).
***Account GUID*/Password**
Required. A character string that specifies the password for the account.
@@ -145,14 +145,14 @@ For the Get command, only asterisks are returned.
***Account GUID*/ServerName**
Required. A character string that specifies the server name used by the account.
-Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+Supported operations are Get, Replace, and Add (can't Add after the account is created).
***Account GUID*/UserName**
Required. A character string that specifies the user name for the account.
-Supported operations are Get, and Add (cannot Add after the account is created).
+Supported operations are Get, and Add (can't Add after the account is created).
-The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
+The user name can't be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
**Options**
Node for other parameters.
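Review bot: The new UserName line keeps the stray comma in "Supported operations are Get, and Add", while the AccountType node in the previous hunk has "Get and Add". Drop the comma so the two-item lists match.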
@@ -163,9 +163,9 @@ Specifies the time window used for syncing calendar items to the device. Value t
**Options/Logging**
Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled).
-Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+Supported operations are Get, Replace, and Add (can't Add after the account is created).
-Valid values are one of the following:
+Valid values are any of the following values:
- 0 (default) - Logging is off.
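Review bot: "Valid values are any of the following values:" on the Options/Logging node is redundant and less precise than the text it replaces, because the node holds exactly one of the listed levels at a time. "Valid values are:" (already used for Options/UseSSL) or the original "one of the following" says this more clearly. The same rewording recurs in later hunks of this file.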
@@ -173,7 +173,7 @@ Valid values are one of the following:
- 2 - Advanced logging is enabled.
-Logging is set to off by default. The user might be asked to set this to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
+Logging is set to off by default. The user might be asked to set this logging to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
**Options/MailBodyType**
Indicates the email format. Valid values:
@@ -185,19 +185,19 @@ Indicates the email format. Valid values:
- 4 - MIME
**Options/MailHTMLTruncation**
-Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
+Specifies the size beyond which HTML-formatted email messages are truncated when they're synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
**Options/MailPlainTextTruncation**
-This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
+This setting specifies the size beyond which text-formatted e-mail messages are truncated when they're synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
**Options/UseSSL**
Optional. A character string that specifies whether SSL is used.
-Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+Supported operations are Get, Replace, and Add (can't Add after the account is created).
Valid values are:
-- 0 - SSL is not used.
+- 0 - SSL isn't used.
- 1 (default) - SSL is used.
@@ -206,7 +206,7 @@ Required. A character string that specifies the time until the next sync is perf
Supported operations are Get and Replace.
-Valid values are one of the following:
+Valid values are any of the following values:
- -1 (default) - A sync will occur as items are received
@@ -223,7 +223,7 @@ Required. A character string that specifies the time window used for syncing ema
Supported operations are Get and Replace.
-Valid values are one of the following:
+Valid values are any of the following values:
- 0 – No age filter is used, and all email items are synced to the device.
@@ -238,7 +238,7 @@ Valid values are one of the following:
**Options/ContentTypes/***Content Type GUID*
Defines the type of content to be individually enabled/disabled for sync.
-The *GUID* values allowed are one of the following:
+The *GUID* values allowed are any of the following values:
- Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}"
@@ -251,11 +251,11 @@ The *GUID* values allowed are one of the following:
**Options/ContentTypes/*Content Type GUID*/Enabled**
Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled).
-Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+Supported operations are Get, Replace, and Add (can't Add after the account is created).
-Valid values are one of the following:
+Valid values are any of the following values:
-- 0 - Sync for email, contacts, calendar, or tasks is disabled.
+- 0 - Sync for email, contacts, calendar, or tasks are disabled.
- 1 (default) - Sync is enabled.
**Options/ContentTypes/*Content Type GUID*/Name**
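Review bot: The changed bullet "0 - Sync for email, contacts, calendar, or tasks are disabled." breaks subject-verb agreement. The subject is "Sync", so the original "is disabled" was correct and parallels the next bullet, "Sync is enabled". Revert this line.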
@@ -265,7 +265,7 @@ Required. A character string that specifies the name of the content type.
> In Windows 10, this node is currently not working.
-Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+Supported operations are Get, Replace, and Add (can't Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 740ad8289d..3328f5ca2a 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -57,7 +57,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a

-10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....).
+10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange).

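Review bot: Step 10 drops "etc." and now reads "(SharePoint and Exchange)", which turns an open-ended list of examples into a closed one. If the Admin drop-down shows more services than these two, keep that signal, for example "along with other services (such as SharePoint and Exchange)".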
@@ -75,7 +75,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent

-3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
+3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.

@@ -87,7 +87,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent

-6. You will see a welcome page when the process completes.
+6. You'll see a welcome page when the process completes.

diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index 1df422d0db..de7482b72d 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -26,7 +26,7 @@ This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
-The following shows the AllJoynManagement configuration service provider in tree format
+The following example shows the AllJoynManagement configuration service provider in tree format
```
./Vendor/MSFT
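Review bot: The new lead-in "The following example shows the AllJoynManagement configuration service provider in tree format" still has no closing punctuation before the code fence. Add a period or colon, as the equivalent lines for ApplicationControl and AppLocker in this patch do. The unchanged paragraph directly above also contains "must be set on the directly on the device itself" and two consecutive "For more information" links pointing at the same URL, which are worth cleaning up in the same pass.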
@@ -70,10 +70,10 @@ List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
**Services/*Node name*/Port**
-The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports.
+The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it's possible to specify more ports.
**Services/*Node name*/Port/***Node name*
-Port number used for communication. This is specified by the configurable AllJoyn object and reflected here.
+Port number used for communication. This value is specified by the configurable AllJoyn object and reflected here.
**Services/*Node name*/Port/*Node name*/CfgObject**
The set of configurable interfaces that are available on the port of the AllJoyn object.
@@ -89,7 +89,7 @@ This is the credential store. An administrator can set credentials for each AllJ
When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase.
**Credentials/***Node name*
-This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID.
+This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It's typically implemented as a GUID.
**Credentials/*Node name*/Key**
An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard.
@@ -128,7 +128,7 @@ SyncML xmlns="SYNCML:SYNCML1.2">
```
-You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting.
+You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. The data is base-64 encoded representation of the configuration file that you're setting.
Get PIN data
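Review bot: After removing "Note that", the sentence "The data is base-64 encoded representation of the configuration file that you're setting." is still missing its article. It should read "The data is a base-64 encoded representation of the configuration file that you're setting." Consider also aligning the spelling with "Base64-encoded" as used in the ApplicationControl CSP text in this patch.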
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index 648d9c245f..d18a0ebd70 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -13,10 +13,10 @@ ms.date: 09/10/2020
# ApplicationControl CSP
-Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
+Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and hence doesn't schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
-The following shows the ApplicationControl CSP in tree format.
+The following example shows the ApplicationControl CSP in tree format.
```
./Vendor/MSFT
@@ -80,14 +80,14 @@ Scope is dynamic. Supported operation is Get.
Value type is char.
**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective**
-This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system.
+This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system.
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
-- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system.
-- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default.
+- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system.
+- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value.
**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed**
This node specifies whether a policy is deployed on the system and is present on the physical machine.
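Review bot: "This value is the default value." in the False bullet is redundant. "This value is the default." says the same thing and resolves the vague "This" equally well. The True/False bullets also lose the spaces around the dash in this hunk. Confirm that is intended, because other value lists in this patch separate value and description with a spaced hyphen ("0 - SSL isn't used."). Both points apply to the IsDeployed and IsAuthorized bullets in the next hunk as well.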
@@ -96,18 +96,18 @@ Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
-- True — Indicates that the policy is deployed on the system and is present on the physical machine.
-- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default.
+- True—Indicates that the policy is deployed on the system and is present on the physical machine.
+- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value.
**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized**
-This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system.
+This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system.
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
-- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system.
-- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default.
+- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system.
+- False—Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value.
The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes:
@@ -144,7 +144,7 @@ For customers using Intune standalone or hybrid management with Configuration Ma
## Generic MDM Server Usage Guidance
-In order to leverage the ApplicationControl CSP without using Intune, you must:
+In order to use the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
@@ -171,7 +171,7 @@ To deploy base policy and supplemental policies:
1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
2. Repeat for each base or supplemental policy (with its own GUID and data).
-The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD).
+The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and doesn't need that reflected in the ADD).
#### Example 1: Add first base policy
@@ -240,7 +240,7 @@ The following table displays the result of Get operation on different nodes:
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy|
-The following is an example of Get command:
+An example of Get command is:
```xml
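Review bot: "An example of Get command is:" is more awkward than the line it replaces and drops the article before "Get command". Prefer "The following example shows a Get command:", which follows the "The following example shows ..." pattern this patch uses elsewhere. The same applies to "An example of Delete command is:" later in this file.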
@@ -257,7 +257,7 @@ The following is an example of Get command:
#### Rebootless Deletion
-Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
+Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This sequence will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
#### Unsigned Policies
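Review bot: The rewritten last sentence of Rebootless Deletion still carries the typo "deactive". It should read "fully deactivate the policy on the next reboot". Since the line is being edited anyway, consider stating the operational consequence directly: once the Allow All policy replaces the existing one, nothing is blocked on the device from that point on, so this sequence should be a deliberate decision to remove enforcement and not a routine cleanup step.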
@@ -266,7 +266,7 @@ To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationCon
#### Signed Policies
> [!NOTE]
-> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
+> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** isn't sufficient to delete a signed policy.
To delete a signed policy:
@@ -274,7 +274,7 @@ To delete a signed policy:
2. Deploy another update with unsigned Allow All policy.
3. Perform delete.
-The following is an example of Delete command:
+An example of Delete command is:
```xml
@@ -289,7 +289,7 @@ The following is an example of Delete command:
## PowerShell and WMI Bridge Usage Guidance
-The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
+The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
### Setup for using the WMI Bridge
@@ -305,7 +305,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi
### Deploying a policy via WMI Bridge
-Run the following command. PolicyID is a GUID which can be found in the policy xml, and should be used here without braces.
+Run the following command. PolicyID is a GUID that can be found in the policy xml, and should be used here without braces.
```powershell
New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="";Policy=$policyBase64}
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 61070859fe..4d6a2a787f 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -15,9 +15,9 @@ ms.date: 11/19/2019
# AppLocker CSP
-The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked.
+The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked.
-The following shows the AppLocker configuration service provider in tree format.
+The following example shows the AppLocker configuration service provider in tree format.
```console
./Vendor/MSFT
@@ -75,7 +75,7 @@ Defines restrictions for applications.
> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
-> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node.
+> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
> [!NOTE]
> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
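Review bot: The Grouping note is only half converted to the contraction style. The changed line switches "there is no requirement" to "there's no requirement" but leaves "is not properly supported" and "will not work as expected" in the same paragraph. Apply the style to the whole note or leave the line untouched.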
@@ -83,7 +83,7 @@ Defines restrictions for applications.
Additional information:
**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
-Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
+Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
Supported operations are Get, Add, Delete, and Replace.
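Review bot: "whose job it's to determine what their purpose is" is a mechanical contraction that is not grammatical, because "is" cannot be contracted in the construction "whose job it is to ...". Revert to the original wording. The same replacement is made in the AppLocker/EnterpriseDataProtection Grouping description later in this file and should be reverted there too.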
@@ -101,7 +101,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@@ -125,7 +125,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@@ -144,7 +144,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@@ -163,7 +163,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@@ -182,7 +182,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode**
-The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
+The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@@ -211,7 +211,7 @@ Supported operations are Get, Add, Delete, and Replace.
**AppLocker/EnterpriseDataProtection**
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
-In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
+In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
You can set the allowed list using the following URI:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy
@@ -227,10 +227,10 @@ Exempt examples:
Additional information:
-- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
+- [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
**AppLocker/EnterpriseDataProtection/_Grouping_**
-Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
+Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
Supported operations are Get, Add, Delete, and Replace.
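Review bot: The in-page link target changes from #recommended-deny-list-for-windows-information-protection to #recommended-blocklist-for-windows-information-protection, but no hunk visible here renames the heading that generates that anchor. Verify the heading is updated in the same commit, otherwise the link breaks. In the same bullet, "This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues" needs "avoids" to agree with "ensures".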
@@ -259,7 +259,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive).
+1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
The **Device Portal** page opens on your browser.
@@ -267,11 +267,11 @@ Supported operations are Get, Add, Delete, and Replace.

3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
-4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps.
+4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.

-5. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
+5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.

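Review bot: Step 5 keeps the stray space in "drop- down menu" on the line this hunk rewrites. Change it to "drop-down menu" while the line is being edited.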
@@ -281,9 +281,9 @@ The following table shows the mapping of information to the AppLocker publisher
|--- |--- |
|PackageFullName|ProductName
The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|Publisher|Publisher|
-|Version|Version
This can be used either in the HighSection or LowSection of the BinaryVersionRange.
HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
+|Version|Version
The version can be used either in the HighSection or LowSection of the BinaryVersionRange.
HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
-Here is an example AppLocker publisher rule:
+Here's an example AppLocker publisher rule:
```xml
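Review bot: the added Version row still carries "version- independent" with a stray space after the hyphen, and its closing sentence ("Using a wildcard for one of the values will provide higher than or lower than a specific version semantics") is hard to parse for a field that decides which versions a publisher rule trusts. Suggest "version-independent" and spelling out both cases, for example that a wildcard in HighSection leaves no upper bound above the LowSection version and a wildcard in LowSection leaves no lower bound below the HighSection version, if that is the intended meaning. The unchanged ProductName row above it is also missing an article ("is first part" should be "is the first part").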
@@ -307,7 +307,7 @@ Request URI:
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata
```
-Here is the example for Microsoft OneNote:
+Here's the example for Microsoft OneNote:
Request
@@ -330,13 +330,13 @@ Result
|--- |--- |
|packageIdentityName|ProductName|
|publisherCertificateName|Publisher|
-|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.
This value will only be present if there is a XAP package associated with the app in the Store.
If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
+|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.
This value will only be present if there's a XAP package associated with the app in the Store.
If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
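Review bot: the rewritten windowsPhoneLegacyId cell still ends in a sentence fragment ("One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.") and says "both the AppX and XAP package" where "packages" is meant. Because the point of the cell is that one rule does not cover both package types, state the instruction directly, for example: "Create two rules for the app: one for the AppX package using packageIdentityName and publisherCertificateName, and one for the XAP package using windowsPhoneLegacyId."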
## Settings apps that rely on splash apps
-These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps.
+These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps.
The product name is first part of the PackageFullName followed by the version number.
@@ -526,7 +526,7 @@ The following example blocks the usage of the map application.
```
-The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
+The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
```xml
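Review bot: in the added paragraph, "**Binary/VersionRange**" does not match the "BinaryVersionRange" spelling used in the Version row of the publisher mapping table earlier in this file, so a reader cannot tell whether these are the same element; use one name throughout. The `BinaryName="*"` sentence would also read more precisely as a statement of what the wildcard matches (every executable in the Mixed Reality Portal package) rather than "allows you to block any app executable", since "allows" is confusing in the description of a blocking rule.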
@@ -1022,7 +1022,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
```
## Example for Windows 10 Holographic for Business
-The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings.
+The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, and Settings.
```xml
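Review bot: replacing "as well as Settings" with ", and Settings" leaves the sentence ending "to enable a working device, and Settings", where "Settings" no longer clearly attaches to "allows". For a policy that denies everything else, the reader needs to see exactly what stays allowed; suggest "denies all apps and allows Settings and the minimum set of inbox apps needed for a working device".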
@@ -1276,8 +1276,8 @@ The following example for Windows 10 Holographic for Business denies all apps an
```
-## Recommended deny list for Windows Information Protection
-The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
+## Recommended blocklist for Windows Information Protection
+The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
In this example, Contoso is the node name. We recommend using a GUID for this node.
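Review bot: renaming the heading to "Recommended blocklist for Windows Information Protection" changes the section anchor if it is generated from the heading text, so any link that targets the old "Recommended deny list ..." heading has to be updated in the same change; the paragraph under it still says the example "denies" apps, so the body and heading now use different terms. In the added paragraph, "This prevention ensures an administrator doesn't accidentally make these apps ... allowed, and avoid known compatibility issues" has a mismatched verb and an unclear subject; suggest "This rule set ensures ... and avoids known compatibility issues related to automatic file encryption with these applications."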