deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'v-alemieux-working' of https://github.com/valemieux/windows-docs-pr into v-alemieux-working

Browse Source
This commit is contained in:
valemieux
2022-06-28 12:09:45 -07:00
parent e42b13922d b172d2c5c4
commit 08a980f0f5
1396 changed files with 20222 additions and 15975 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
windows/application-management/app-v/appv-about-appv.md
View File

@ -58,11 +58,7 @@ For more information about how to configure an existing App-V installation after
## Support for System Center
App-V supports System Center 2016 and System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj822982(v=technet.10)) to learn more about how to integrate your App-V environment with Configuration Manager.
App-V supports System Center 2016 and Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj822982(v=technet.10)) to learn more about how to integrate your App-V environment with Configuration Manager.
## Related articles

2
windows/application-management/app-v/appv-capacity-planning.md
View File

@ -34,7 +34,7 @@ You can also manage your App-V environment using an electronic software distribu
* **Standalone model**—The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone mode only needs the sequencer and the client; no extra components are required. Applications are prepared for virtualization using a process called sequencing. For more information, see [Planning for the App-V Sequencer and Client deployment](appv-planning-for-sequencer-and-client-deployment.md). The standalone model is recommended for the following scenarios:
* When there are disconnected remote users who can't connect to the App-V infrastructure.
* When you're running a software management system, such as System Center 2012 Configuration Manager.
* When you're running a software management system, such as Configuration Manager.
* When network bandwidth limitations inhibit electronic software distribution.
* **Full infrastructure model**—The full infrastructure model provides for software distribution, management, and reporting capabilities; it also includes the streaming of applications across the network. The App-V full infrastructure model consists of one or more App-V management servers that can be used to publish applications to all clients. Publishing places the virtual application icons and shortcuts on the target computer. It can also stream applications to local users. For more information about how to install the management server, see [Planning for App-V Server deployment](appv-planning-for-appv-server-deployment.md). The full infrastructure model is recommended for the following scenarios:

20
windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
View File

@ -31,7 +31,7 @@ The following table shows the App-V versions, methods of Office package creation
## Creating Office 2010 App-V using the sequencer
Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. Microsoft has provided a detailed recipe through a Knowledge Base article. For detailed instructions about how to create an Office 2010 package on App-V, see [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069).
Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. For more information, see [How to Sequence a New Application with App-V 5.0](/microsoft-desktop-optimization-pack/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030).
## Creating Office 2010 App-V packages using package accelerators
@ -76,26 +76,10 @@ The following table provides a full list of supported integration points for Off
|Active X Controls:<br>- Groove.SiteClient<br>- PortalConnect.PersonalSite<br>- SharePoint.openDocuments<br>- SharePoint.ExportDatabase<br>- SharePoint.SpreadSheetLauncher<br>- SharePoint.StssyncHander<br>- SharePoint.DragUploadCtl<br>- SharePoint.DragDownloadCtl<br>- Sharpoint.OpenXMLDocuments<br> - Sharepoint.ClipboardCtl<br>- WinProj.Activator<br>- Name.NameCtrl<br>- STSUPld.CopyCtl<br>- CommunicatorMeetingJoinAx.JoinManager<br>- LISTNET.Listnet<br>- OneDrive Pro Browser Helper|Active X Control. <br><br>For more information about ActiveX controls, see the [ActiveX Control API Reference](<https://msdn.microsoft.com/library/office/ms440037(v=office.14).aspx>).||
|OneDrive Pro Icon Overlays|Windows explorer shell icon overlays when users look at folders OneDrive Pro folders||
## Additional resources
### Office 2013 App-V Packages Additional Resources
* [Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://support.microsoft.com/kb/2772509)
### Office 2010 App-V Packages
* [Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/download/details.aspx?id=38399)
* [Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/kb/2828619)
* [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069)
### Connection Groups
* [Managing Connection Groups](appv-managing-connection-groups.md)
* [Connection groups on the App-V team blog](https://blogs.msdn.microsoft.com/gladiator/tag/connection-groups/)
### Dynamic Configuration
* [About App-V Dynamic Configuration](appv-dynamic-configuration.md)
* [About App-V Dynamic Configuration](appv-dynamic-configuration.md)

2
windows/application-management/app-v/appv-supported-configurations.md
View File

@ -119,7 +119,7 @@ See the Windows or Windows Server documentation for the hardware requirements.
## Supported versions of Microsoft Endpoint Configuration Manager
The App-V client works with Configuration Manager versions starting with Technical Preview for System Center Configuration Manager, version 1606.
The App-V client works with Configuration Manager versions starting with Technical Preview for Configuration Manager, version 1606.
## Related articles

2
windows/application-management/manage-windows-mixed-reality.md
View File

@ -31,7 +31,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
1. Download the FOD .cab file:
- [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab)
- [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab)
- [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab)
- [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)

2
windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
View File

@ -26,7 +26,7 @@ This article discusses the Company Portal app installation options, adding organ
## Before you begin
The Company Portal app is included with Microsoft Endpoint Manager (MEM). Endpoint Manager is a Mobile Device Management (MDM) and Mobile Application manager (MAM) provider. It help manages your devices, and manage apps on your devices.
The Company Portal app is included with Microsoft Endpoint Manager. Endpoint Manager is a Mobile Device Management (MDM) and Mobile Application manager (MAM) provider. It help manages your devices, and manage apps on your devices.
If you're not managing your devices using an MDM provider, the following resources may help you get started:

2
windows/client-management/administrative-tools-in-windows-10.md
View File

@ -2,8 +2,6 @@
title: Windows Tools/Administrative Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: aczechowski
ms.author: aaroncz
manager: dougeby

3
windows/client-management/advanced-troubleshooting-802-authentication.md
View File

@ -2,10 +2,7 @@
title: Advanced Troubleshooting 802.1X Authentication
ms.reviewer:
description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients.
keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: aczechowski
ms.author: aaroncz
manager: dougeby

245
windows/client-management/advanced-troubleshooting-boot-problems.md
View File

@ -2,11 +2,11 @@
title: Advanced troubleshooting for Windows boot problems
description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
ms.prod: w10
ms.sitesec: library
author: aczechowski
ms.technology: windows
ms.localizationpriority: medium
ms.date: 06/02/2022
author: aczechowski
ms.author: aaroncz
ms.date: 11/16/2018
ms.reviewer:
manager: dougeby
ms.topic: troubleshooting
@ -15,16 +15,15 @@ ms.collection: highpri
# Advanced troubleshooting for Windows boot problems
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues</span>
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues.</span>
> [!NOTE]
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5).
## Summary
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
| Phase | Boot Process | BIOS | UEFI |
|-----------|----------------------|------------------------------------|-----------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
@ -32,31 +31,21 @@ There are several reasons why a Windows-based computer may have problems during
| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
**1. PreBoot**
1. **PreBoot**: The PC's firmware initiates a power-on self test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
The PCs firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
2. **Windows Boot Manager**: Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
**2. Windows Boot Manager**
3. **Windows operating system loader**: Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
4. **Windows NT OS Kernel**: The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
**3. Windows operating system loader**
Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
**4. Windows NT OS Kernel**
The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)<br>
[Click to enlarge](img-boot-sequence.md)<br>
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
<a name="boot-sequence"></a>
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before you start troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. Select the thumbnail to view it larger.
:::image type="content" source="images/boot-sequence-thumb.png" alt-text="Diagram of the boot sequence flowchart." lightbox="images/boot-sequence.png":::
Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
@ -69,7 +58,6 @@ Each phase has a different approach to troubleshooting. This article provides tr
>
> `Bcdedit /set {default} bootmenupolicy legacy`
## BIOS phase
To determine whether the system has passed the BIOS phase, follow these steps:
@ -86,26 +74,25 @@ To determine whether the system has passed the BIOS phase, follow these steps:
If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase:
- Boot Configuration Data (BCD) missing or corrupted
- Boot file or MBR corrupted
- Operating system Missing
- Boot sector missing or corrupted
- Bootmgr missing or corrupted
- Unable to boot due to system hive missing or corrupted
To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
- Boot Configuration Data (BCD) missing or corrupted
- Boot file or MBR corrupted
- Operating system Missing
- Boot sector missing or corrupted
- Bootmgr missing or corrupted
- Unable to boot due to system hive missing or corrupted
To troubleshoot this problem, use Windows installation media to start the computer, press **Shift** + **F10** for a command prompt, and then use any of the following methods.
### Method 1: Startup Repair tool
The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
To do this task of invoking the Startup Repair tool, follow these steps.
To do this task of invoking the Startup Repair tool, follow these steps.
> [!NOTE]
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#entry-points-into-winre).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d).
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
@ -117,28 +104,26 @@ To do this task of invoking the Startup Repair tool, follow these steps.
The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
**%windir%\System32\LogFiles\Srt\Srttrail.txt**
For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
`%windir%\System32\LogFiles\Srt\Srttrail.txt`
For more information, see [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad).
### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
```console
```command
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
```console
```command
BOOTREC /FIXBOOT
```
> [!NOTE]
> Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
> Running `BOOTREC` together with `Fixmbr` overwrites only the master boot code. If the corruption in the MBR affects the partition table, running `Fixmbr` may not fix the problem.
### Method 3: Fix BCD errors
@ -146,15 +131,15 @@ If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this step, run the following command:
```console
```command
Bootrec /ScanOS
```
2. Restart the computer to check whether the problem is fixed.
3. If the problem isn't fixed, run the following commands:
```console
```command
bcdedit /export c:\bcdbackup
attrib c:\boot\bcd -r -s -h
@ -172,128 +157,116 @@ If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive
1. At a command prompt, change the directory to the System Reserved partition.
2. Run the **attrib** command to unhide the file:
2. Run the `attrib` command to unhide the file:
```console
```command
attrib -r -s -h
```
3. Navigate to the system drive and run the same command:
```console
```command
attrib -r -s -h
```
4. Rename the Bootmgr file as Bootmgr.old:
4. Rename the `bootmgr` file as `bootmgr.old`:
```console
```command
ren c:\bootmgr bootmgr.old
```
5. Navigate to the system drive.
6. Copy the Bootmgr file, and then paste it to the System Reserved partition.
6. Copy the `bootmgr` file, and then paste it to the System Reserved partition.
7. Restart the computer.
### Method 5: Restore System Hive
### Method 5: Restore system hive
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step, use the Windows Recovery Environment or use the Emergency Repair Disk (ERD) to copy the files from the `C:\Windows\System32\config\RegBack` directory to `C:\Windows\System32\config`.
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder)
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
## Kernel Phase
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples:
- A Stop error appears after the splash screen (Windows Logo screen).
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed.
- Specific error code is displayed. For example, `0x00000C2` , `0x0000007B` , or `inaccessible boot device`.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
- A black screen appears after the splash screen.
- A black screen appears after the splash screen.
To troubleshoot these problems, try the following recovery boot options one at a time.
**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration**
### Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration
On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
1. Use one of the following methods to open Event Viewer:
1. Use one of the following methods to open Event Viewer:
- Click **Start**, point to **Administrative Tools**, and then click
**Event Viewer**.
- Go to the **Start** menu, select **Administrative Tools**, and then select **Event Viewer**.
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
2. In the console tree, expand Event Viewer, and then click the log that you
want to view. For example, click **System log** or **Application log**.
2. In the console tree, expand Event Viewer, and then select the log that you want to view. For example, choose **System log** or **Application log**.
3. In the details pane, double-click the event that you want to view.
3. In the details pane, open the event that you want to view.
4. On the **Edit** menu, click **Copy**, open a new document in the program in
which you want to paste the event (for example, Microsoft Word), and then
click **Paste**.
5. Use the Up Arrow or Down Arrow key to view the description of the previous
or next event.
4. On the **Edit** menu, select **Copy**. Open a new document in the program in which you want to paste the event. For example, Microsoft Word. Then select **Paste**.
5. Use the up arrow or down arrow key to view the description of the previous or next event.
### Clean boot
To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
To troubleshoot problems that affect services, do a clean boot by using System Configuration (`msconfig`).
Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party.
Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd).
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
> [!NOTE]
> If the computer is a domain controller, try Directory Services Restore mode (DSRM).
>
> This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
**Examples**
#### Examples
> [!WARNING]
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
problems can be solved. Modify the registry at your own risk.
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk.
*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
To troubleshoot this Stop error, follow these steps to filter the drivers:
1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version.
1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version.
2. Open the registry.
2. Open the registry.
3. Load the system hive, and name it as "test."
3. Load the system hive, and name it **test**.
4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
4. Under the following registry subkey, check for lower filter and upper filter items for non-Microsoft drivers:
6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`
7. Restart the server in Normal mode.
5. For each third-party driver that you locate, select the upper or lower filter, and then delete the value data.
For more troubleshooting steps, see the following articles:
6. Search through the whole registry for similar items. Process as appropriate, and then unload the registry hive.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
7. Restart the server in Normal mode.
For more troubleshooting steps, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md).
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
@ -301,16 +274,15 @@ To fix problems that occur after you install Windows updates, check for pending
2. Run the command:
```console
```command
DISM /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
```console
```command
DISM /image:C:\ /remove-package /packagename: name of the package
```
```console
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
```
@ -318,72 +290,67 @@ To fix problems that occur after you install Windows updates, check for pending
If the computer doesn't start, follow these steps:
1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
1. Open a command prompt window in WinRE, and start a text editor, such as Notepad.
2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
2. Navigate to the system drive, and search for `windows\winsxs\pending.xml`.
3. If the Pending.xml file is found, rename the file as Pending.xml.old.
3. If the pending.xml file is found, rename the file as `pending.xml.old`.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as test.
5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
5. Highlight the loaded test hive, and then search for the `pendingxmlidentifier` value.
6. If the **pendingxmlidentifier** value exists, delete the value.
6. If the `pendingxmlidentifier` value exists, delete it.
7. Unload the test hive.
7. Unload the test hive.
8. Load the system hive, name it as "test".
8. Load the system hive, name it **test**.
9. Navigate to the following subkey:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
10. Change the **Start** value from **1** to **4**
9. Navigate to the following subkey:
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrustedInstaller`
10. Change the **Start** value from `1` to `4`.
11. Unload the hive.
12. Try to start the computer.
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles:
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For more information, see [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md).
- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
For more information about page file problems in Windows 10 or Windows Server 2016, see [Introduction to page files](./introduction-page-file.md).
For more information about page file problems in Windows 10 or Windows Server 2016, see the following article:
- [Introduction to page files](./introduction-page-file.md)
For more information about Stop errors, see [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md).
For more information about Stop errors, see the following Knowledge Base article:
- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md)
Sometimes the dump file shows an error that's related to a driver. For example, `windows\system32\drivers\stcvsm.sys` is missing or corrupted. In this instance, follow these guidelines:
If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- Check the functionality that's provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
- To do this, open WinRE, open a command prompt, and then run the following command:
- To do this action, open WinRE, open a command prompt, and then run the following command:
```console
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
```
```command
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
```
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
For more information, see [Using system file checker (SFC) to fix issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues).
- If there's disk corruption, run the check disk command:
- If there's disk corruption, run the check disk command:
```console
chkdsk /f /r
```
```command
chkdsk /f /r
```
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
1. Start WinRE, and open a Command Prompt window.
2. Start a text editor, such as Notepad.
3. Navigate to C:\Windows\System32\Config\.
4. Rename the all five hives by appending ".old" to the name.
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
1. Start WinRE, and open a command prompt window.
2. Start a text editor, such as Notepad.
3. Navigate to `C:\Windows\System32\Config\`.
4. Rename the all five hives by appending `.old` to the name.
5. Copy all the hives from the `Regback` folder, paste them in the `Config` folder, and then try to start the computer in Normal mode.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).

3
windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
View File

@ -3,10 +3,7 @@ title: Advanced Troubleshooting Wireless Network Connectivity
ms.reviewer:
manager: dougeby
description: Learn how to troubleshoot Wi-Fi connections. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine.
keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz

6
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -1,11 +1,7 @@
---
title: Connect to remote Azure Active Directory-joined PC (Windows)
description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
keywords: ["MDM", "device management", "RDP", "AADJ"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
@ -66,7 +62,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
- Adding users using policy
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.

3
windows/client-management/data-collection-for-802-authentication.md
View File

@ -3,10 +3,7 @@ title: Data collection for troubleshooting 802.1X authentication
ms.reviewer:
manager: dansimp
description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues.
keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp

1
windows/client-management/determine-appropriate-page-file-size.md
View File

@ -2,7 +2,6 @@
title: How to determine the appropriate page file size for 64-bit versions of Windows
description: Learn how to determine the appropriate page file size for 64-bit versions of Windows.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium

1
windows/client-management/generate-kernel-or-complete-crash-dump.md
View File

@ -2,7 +2,6 @@
title: Generate a kernel or complete crash dump
description: Learn how to generate a kernel or complete crash dump, and then use the output to troubleshoot several issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium

2
windows/client-management/group-policies-for-enterprise-and-education-editions.md
View File

@ -2,8 +2,6 @@
title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.date: 09/14/2021

17
windows/client-management/img-boot-sequence.md
View File

@ -1,17 +0,0 @@
---
title: Boot sequence flowchart
description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
ms.author: dansimp
author: dansimp
ms.topic: article
ms.prod: w10
---
# Boot sequence flowchart
Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
![Full-sized boot sequence flowchart.](images/boot-sequence.png)

1
windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-adobe-flash-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-cortana-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-developer-tools-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/allow-extensions-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.

1
windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/allow-inprivate-browsing-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.

22
windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.

22
windows/client-management/includes/allow-prelaunch-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching.

22
windows/client-management/includes/allow-printing-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content.

1
windows/client-management/includes/allow-saving-history-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-search-engine-customization-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/allow-tab-preloading-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign-in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.

22
windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 11/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 11/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it.

22
windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.

22
windows/client-management/includes/always-show-books-library-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the devices country or region.

1
windows/client-management/includes/configure-additional-search-engines-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.

22
windows/client-management/includes/configure-autofill-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.

1
windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/configure-cookies-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.

1
windows/client-management/includes/configure-do-not-track-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.

22
windows/client-management/includes/configure-favorites-bar-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages.

22
windows/client-management/includes/configure-favorites-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead.

22
windows/client-management/includes/configure-home-button-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.

1
windows/client-management/includes/configure-kiosk-mode-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current users browsing data.

1
windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/configure-password-manager-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Dont configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.

24
windows/client-management/includes/configure-pop-up-blocker-shortdesc.md
View File

@ -1,12 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, dont configure this policy.
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, dont configure this policy.

22
windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.

1
windows/client-management/includes/configure-start-pages-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, the “browser” group syncs automatically between users devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.

22
windows/client-management/includes/do-not-sync-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of users settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option.

22
windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge does not sync the users favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites.

1
windows/client-management/includes/microsoft-browser-extension-policy-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 04/23/2020
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s).

22
windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.

22
windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.

22
windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.

22
windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience.

22
windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.

1
windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, the “browser” group syncs automatically between the users devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.

1
windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/provision-favorites-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

22
windows/client-management/includes/search-provider-discovery-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.

22
windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically.

22
windows/client-management/includes/set-default-search-engine-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes.

22
windows/client-management/includes/set-home-button-url-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.

22
windows/client-management/includes/set-new-tab-url-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.

21
windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md
View File

@ -1,10 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.

22
windows/client-management/includes/unlock-home-button-shortdesc.md
View File

@ -1,11 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies.

1
windows/client-management/introduction-page-file.md
View File

@ -2,7 +2,6 @@
title: Introduction to the page file
description: Learn about the page files in Windows. A page file is an optional, hidden system file on a hard disk.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium

12
windows/client-management/manage-corporate-devices.md
View File

@ -1,15 +1,11 @@
---
title: Manage corporate devices
description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones.
ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
ms.reviewer:
manager: dansimp
ms.author: dansimp
keywords: ["MDM", "device management"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.date: 09/14/2021
@ -49,11 +45,5 @@ You can use the same management tools to manage all device types running Windows
[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/)
Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/learn/)
 

2
windows/client-management/manage-device-installation-with-group-policy.md
View File

@ -2,8 +2,6 @@
title: Manage Device Installation with Group Policy (Windows 10 and Windows 11)
description: Find out how to manage Device Installation Restrictions with Group Policy.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: aczechowski
ms.date: 09/14/2021
ms.reviewer:

2
windows/client-management/manage-settings-app-with-group-policy.md
View File

@ -2,8 +2,6 @@
title: Manage the Settings app with Group Policy (Windows 10 and Windows 11)
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.date: 09/14/2021
ms.reviewer:

124
windows/client-management/manage-windows-10-in-your-organization-modern-management.md
View File

@ -1,140 +1,136 @@
---
title: Manage Windows 10 in your organization - transitioning to modern management
description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.date: 04/26/2018
ms.date: 06/03/2022
author: aczechowski
ms.author: aaroncz
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
manager: dougeby
ms.topic: overview
---
# Manage Windows 10 in your organization - transitioning to modern management
Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, its easy for versions to coexist.
Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This managed diversity enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
>[!NOTE]
>The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
> [!NOTE]
> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
- [Deployment and Provisioning](#deployment-and-provisioning)
- [Deployment and Provisioning](#deployment-and-provisioning)
- [Identity and Authentication](#identity-and-authentication)
- [Identity and Authentication](#identity-and-authentication)
- [Configuration](#settings-and-configuration)
- [Configuration](#settings-and-configuration)
- [Updating and Servicing](#updating-and-servicing)
- [Updating and Servicing](#updating-and-servicing)
## Reviewing the management options with Windows 10
Windows 10 offers a range of management options, as shown in the following diagram:
<img src="images/windows-10-management-range-of-options.png" alt="The path to modern IT" width="766" height="654" />
:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a mobile-first, cloud-first approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
## Deployment and Provisioning
## Deployment and provisioning
With Windows 10, you can continue to use traditional OS deployment, but you can also manage out of the box. To transform new devices into fully configured, fully managed devices, you can:
With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can:
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/).
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/).
- Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages).
- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction).
- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction).
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today.
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
## Identity and authentication
## Identity and Authentication
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can envision user and device management as falling into these two categories:
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain thats [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
- Single sign-on to cloud and on-premises resources from everywhere
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview)
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
- [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
- Single sign-on to cloud and on-premises resources from everywhere
- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
- Windows Hello
- [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy.
- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
- Windows Hello
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview).
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png)
:::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png":::
## Settings and Configuration
## Settings and configuration
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. 
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorers 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices:
**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices:
- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows.
- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
## Updating and servicing
## Updating and Servicing
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple often automatic patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
## Next steps
There are various steps you can take to begin the process of modernizing device management in your organization:
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies.
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune.
**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
**Take incremental steps.** Moving towards modern device management doesnt have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this managed diversity, users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md)
**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md).
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles:
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
- [Co-management for Windows devices](/mem/configmgr/comanage/overview)
- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10)
- [Switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads)
- [Co-management dashboard in Configuration Manager](/mem/configmgr/comanage/how-to-monitor)
- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview)
- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare)
- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads)
- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard)
## Related articles
## Related topics
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md)
- [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md)
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md)
- [Windows 10 configuration service providers](./mdm/configuration-service-provider-reference.md)

3
windows/client-management/mandatory-user-profile.md
View File

@ -1,10 +1,7 @@
---
title: Create mandatory user profiles (Windows 10 and Windows 11)
description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
keywords: [".man","ntuser"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.date: 09/14/2021

1
windows/client-management/mdm/Language-pack-management-csp.md
View File

@ -19,6 +19,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|

21
windows/client-management/mdm/accountmanagement-csp.md
View File

@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement CSP
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
> [!NOTE]
@ -41,7 +40,9 @@ Interior node.
<a href="" id="accountmanagement-userprofilemanagement-deletionpolicy"></a>**UserProfileManagement/EnableProfileManager**
Enable profile lifetime management for shared or communal device scenarios. Default value is false.
Supported operations are Add, Get, Replace, and Delete. Value type is bool.
Supported operations are Add, Get, Replace, and Delete.
Value type is bool.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystartdeletion"></a>**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
@ -52,19 +53,29 @@ Valid values:
- 1 - delete at storage capacity threshold
- 2 - delete at both storage capacity threshold and profile inactivity threshold
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-storagecapacitystopdeletion"></a>**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="accountmanagement-userprofilemanagement-profileinactivitythreshold"></a>**UserProfileManagement/ProfileInactivityThreshold**
Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

7
windows/client-management/mdm/accountmanagement-ddf.md
View File

@ -13,7 +13,6 @@ manager: dansimp
# AccountManagement DDF file
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
The XML below is for Windows 10, version 1803.
@ -74,7 +73,7 @@ The XML below is for Windows 10, version 1803.
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Enable profile lifetime mangement for shared or communal device scenarios.</Description>
<Description>Enable profile lifetime management for shared or communal device scenarios.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -198,3 +197,7 @@ The XML below is for Windows 10, version 1803.
</Node>
</MgmtTree>
```
## Related topics
[AccountManagement configuration service provider](accountmanagement-csp.md)

23
windows/client-management/mdm/accounts-csp.md
View File

@ -11,15 +11,24 @@ ms.reviewer:
manager: dansimp
---
# Accounts Configuration Service Provider
# Accounts CSP
The table below shows the applicability of Windows:
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803, and later.
The following syntax shows the Accounts configuration service provider in tree format.
```
```console
./Device/Vendor/MSFT
Accounts
----Domain
@ -55,10 +64,10 @@ Supported operation is Add.
Interior node for the user account information.
<a href="" id="users-username"></a>**Users/_UserName_**
This node specifies the username for a new local user account. This setting can be managed remotely.
This node specifies the username for a new local user account. This setting can be managed remotely.
<a href="" id="users-username-password"></a>**Users/_UserName_/Password**
This node specifies the password for a new local user account. This setting can be managed remotely.
This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager.
@ -67,3 +76,7 @@ GET operation isn't supported. This setting will report as failed when deployed
This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

13
windows/client-management/mdm/accounts-ddf-file.md
View File

@ -1,6 +1,6 @@
---
title: Accounts DDF file
description: XML file containing the device description framework (DDF) for the Accounts configuration service provider.
description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -11,12 +11,11 @@ ms.reviewer:
manager: dansimp
---
# Accounts CSP
# Accounts DDF file
This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider.
The XML below is for Windows 10, version 1803.
The XML below is for Windows 10, version 1803 and later.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -157,7 +156,7 @@ The XML below is for Windows 10, version 1803.
<Add />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
<Description>This optional node specifies the local user group that a local user account should be joined. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
<DFFormat>
<int />
</DFFormat>
@ -177,3 +176,7 @@ The XML below is for Windows 10, version 1803.
</Node>
</MgmtTree>
```
## Related topics
[Accounts configuration service provider](accounts-csp.md)

35
windows/client-management/mdm/activesync-csp.md
View File

@ -1,7 +1,6 @@
---
title: ActiveSync CSP
description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync.
ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -14,23 +13,31 @@ ms.date: 06/26/2017
# ActiveSync CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in the short term.
The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
```
```console
./Vendor/MSFT
ActiveSync
----Accounts
@ -66,13 +73,11 @@ ActiveSync
The root node for the ActiveSync configuration service provider.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in the short term.
The supported operation is Get.
@ -264,7 +269,6 @@ Required. A character string that specifies the name of the content type.
> [!NOTE]
> In Windows 10, this node is currently not working.
Supported operations are Get, Replace, and Add (can't Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
@ -275,7 +279,9 @@ Node for mail body type and email age filter.
<a href="" id="policies-mailbodytype"></a>**Policies/MailBodyType**
Required. Specifies the email body type: HTML or plain.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="policies-maxmailagefilter"></a>**Policies/MaxMailAgeFilter**
Required. Specifies the time window used for syncing mail items to the device.
@ -284,7 +290,6 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

15
windows/client-management/mdm/activesync-ddf-file.md
View File

@ -1,7 +1,6 @@
---
title: ActiveSync DDF file
description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider.
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -14,7 +13,6 @@ ms.date: 12/05/2017
# ActiveSync DDF file
This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -533,7 +531,7 @@ The XML below is the current version for this CSP.
<Replace />
<Delete />
</AccessType>
<Description>Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}</Description>
<Description>Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}</Description>
<DFFormat>
<node />
</DFFormat>
@ -679,15 +677,4 @@ The XML below is the current version for this CSP.
## Related topics
[ActiveSync configuration service provider](activesync-csp.md)
 
 

1
windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
View File

@ -1,7 +1,6 @@
---
title: Add an Azure AD tenant and Azure AD subscription
description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
ms.assetid: 36D94BEC-A6D8-47D2-A547-EBD7B7D163FA
ms.reviewer:
manager: dansimp
ms.author: dansimp

19
windows/client-management/mdm/alljoynmanagement-csp.md
View File

@ -1,7 +1,6 @@
---
title: AllJoynManagement CSP
description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
ms.assetid: 468E0EE5-EED3-48FF-91C0-89F9D159AA8C
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -14,21 +13,18 @@ ms.date: 06/26/2017
# AllJoynManagement CSP
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (`com.microsoft.alljoynmanagement.config`). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
> [!NOTE]
> The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn).
The following example shows the AllJoynManagement configuration service provider in tree format
```
```console
./Vendor/MSFT
AllJoynManagement
----Configurations
@ -64,7 +60,7 @@ The following list describes the characteristics and parameters.
The root node for the AllJoynManagement configuration service provider.
<a href="" id="services"></a>**Services**
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "`com.microsoft.alljoynmanagement.config`" are included.
<a href="" id="services-node-name"></a>**Services/**<strong>*Node name*</strong>
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
@ -81,7 +77,7 @@ The set of configurable interfaces that are available on the port of the AllJoyn
<a href="" id="services-node-name-port-node-name-cfgobject-node-name"></a>**Services/*Node name*/Port/*Node name*/CfgObject/**<strong>*Node name*</strong>
The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "`\\FabrikamService\\BridgeConfig`" would be specified in the URI as: `%2FFabrikamService%2FBridgeConfig`.
<a href="" id="credentials"></a>**Credentials**
This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
@ -105,7 +101,6 @@ Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enable
## Examples
Set adapter configuration
```xml
@ -167,7 +162,9 @@ Get the firewall PrivateProfile
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

15
windows/client-management/mdm/alljoynmanagement-ddf.md
View File

@ -1,7 +1,6 @@
---
title: AllJoynManagement DDF
description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider.
ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -14,7 +13,6 @@ ms.date: 12/05/2017
# AllJoynManagement DDF
This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -238,7 +236,7 @@ It is typically implemented as a GUID.</Description>
<Get />
<Replace />
</AccessType>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard</Description>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -328,15 +326,4 @@ It is typically implemented as a GUID.</Description>
## Related topics
[AllJoynManagement configuration service provider](alljoynmanagement-csp.md)
 
 

33
windows/client-management/mdm/application-csp.md
View File

@ -1,7 +1,6 @@
---
title: APPLICATION configuration service provider
title: APPLICATION CSP
description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -12,16 +11,28 @@ author: dansimp
ms.date: 06/26/2017
---
# APPLICATION configuration service provider
# APPLICATION CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider.
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
The following list shows the supported transports:
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md).
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md).
The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
@ -29,15 +40,5 @@ For the device to decode correctly, provisioning XML that contains the APPLICATI
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

29
windows/client-management/mdm/applicationcontrol-csp-ddf.md
View File

@ -11,13 +11,10 @@ ms.date: 07/10/2019
# ApplicationControl CSP DDF
This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
### ApplicationControl CSP
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
@ -32,7 +29,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Root Node of the ApplicationControl CSP</Description>
<Description>Root Node of the ApplicationControl CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -73,7 +70,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The GUID of the Policy</Description>
<Description>The GUID of the Policy.</Description>
<DFFormat>
<node />
</DFFormat>
@ -97,7 +94,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<Delete />
<Replace />
</AccessType>
<Description>The policy binary encoded as base64</Description>
<Description>The policy binary encoded as base64.</Description>
<DFFormat>
<b64 />
</DFFormat>
@ -119,7 +116,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Information Describing the Policy indicated by the GUID</Description>
<Description>Information Describing the Policy indicated by the GUID.</Description>
<DFFormat>
<node />
</DFFormat>
@ -140,7 +137,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type</Description>
<Description>Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -162,7 +159,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect)</Description>
<Description>Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -184,7 +181,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine)</Description>
<Description>Whether the Policy indicated by the GUID is deployed on the system (on the physical machine).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -206,7 +203,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system </Description>
<Description>Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. </Description>
<DFFormat>
<bool />
</DFFormat>
@ -228,7 +225,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The Current Status of the Policy Indicated by the Policy GUID</Description>
<Description>The Current Status of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<int />
</DFFormat>
@ -250,7 +247,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<AccessType>
<Get />
</AccessType>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID</Description>
<Description>The FriendlyName of the Policy Indicated by the Policy GUID.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -271,4 +268,8 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
</Node>
</Node>
</MgmtTree>
```
```
## Related topics
[ApplicationControl configuration service provider](applicationcontrol-csp.md)

48
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -1,7 +1,6 @@
---
title: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server.
keywords: security, malware
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -13,12 +12,24 @@ ms.date: 09/10/2020
# ApplicationControl CSP
Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and hence doesn't schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although, WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The following example shows the ApplicationControl CSP in tree format.
```
```console
./Vendor/MSFT
ApplicationControl
----Policies
@ -43,6 +54,7 @@ ApplicationControl
----TenantID
----DeviceID
```
<a href="" id="vendor-msft-applicationcontrol"></a>**./Vendor/MSFT/ApplicationControl**
Defines the root node for the ApplicationControl CSP.
@ -73,7 +85,7 @@ An interior node that contains the nodes that describe the policy indicated by t
Scope is dynamic. Supported operation is Get.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-version"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version**
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type.
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type.
Scope is dynamic. Supported operation is Get.
@ -113,7 +125,7 @@ The following table provides the result of this policy based on different values
|IsAuthorized | IsDeployed | IsEffective | Resultant |
|------------ | ---------- | ----------- | --------- |
|True|True|True|Policy is currently running and in effect.|
|True|True|True|Policy is currently running and is in effect.|
|True|True|False|Policy requires a reboot to take effect.|
|True|False|True|Policy requires a reboot to unload from CI.|
|False|True|True|Not Reachable.|
@ -122,14 +134,14 @@ The following table provides the result of this policy based on different values
|False|False|True|Not Reachable.|
|False|False|False|*Not Reachable.|
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-status"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
Scope is dynamic. Supported operation is Get.
Value type is integer. Default value is 0 == OK.
Value type is integer. Default value is 0 = OK.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-friendlyname"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
This node provides the friendly name of the policy indicated by the policy GUID.
@ -138,17 +150,17 @@ Scope is dynamic. Supported operation is Get.
Value type is char.
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
## Microsoft Endpoint Manager Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
For customers using Intune standalone or hybrid management with Microsoft Endpoint Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
## Generic MDM Server Usage Guidance
In order to use the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>` or `<PolicyTypeID>` for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool.
2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the `certutil -encode` command-line tool.
Below is a sample certutil invocation:
@ -289,12 +301,12 @@ An example of Delete command is:
## PowerShell and WMI Bridge Usage Guidance
The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
The ApplicationControl CSP can also be managed locally from PowerShell or via Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
### Setup for using the WMI Bridge
1. Convert your WDAC policy to Base64
2. Open PowerShell in Local System context (through PSExec or something similar)
1. Convert your WDAC policy to Base64.
2. Open PowerShell in Local System context (through PSExec or something similar).
3. Use WMI Interface:
```powershell
@ -315,4 +327,8 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa
```powershell
Get-CimInstance -Namespace $namespace -ClassName $policyClassName
```
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

52
windows/client-management/mdm/applocker-csp.md
View File

@ -1,7 +1,6 @@
---
title: AppLocker CSP
description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed.
ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -14,6 +13,16 @@ ms.date: 11/19/2019
# AppLocker CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked.
@ -74,13 +83,11 @@ Defines restrictions for applications.
> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
>
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
> [!NOTE]
> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
Additional information:
> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
<a href="" id="applocker-applicationlaunchrestrictions-grouping"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
@ -96,14 +103,14 @@ Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-policy"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
@ -206,22 +213,25 @@ Data type is Base64.
Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
<a href="" id="applocker-enterprisedataprotection"></a>**AppLocker/EnterpriseDataProtection**
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
You can set the allowed list using the following URI:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy
You can set the exempt list using the following URI. The _Grouping_ string must contain the keyword "EdpExempt" anywhere to help distinguish the exempt list from the allowed list. The "EdpExempt" keyword is also evaluated in a case-insensitive manner:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/StoreApps/Policy
Exempt examples:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy
@ -259,15 +269,15 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
The **Device Portal** page opens on your browser.
![device portal screenshot.](images/applocker-screenshot1.png)
3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.
3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.
![device portal app manager.](images/applocker-screenshot3.png)
@ -279,7 +289,7 @@ The following table shows the mapping of information to the AppLocker publisher
|Device portal data|AppLocker publisher rule field|
|--- |--- |
|PackageFullName|ProductName<br><br> The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|PackageFullName|ProductName: The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|Publisher|Publisher|
|Version|Version<br> <br>The version can be used either in the HighSection or LowSection of the BinaryVersionRange.<br> <br>HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
@ -293,13 +303,13 @@ Here's an example AppLocker publisher rule:
You can get the publisher name and product name of apps using a web API.
**To find publisher and product name for Microsoft apps in Microsoft Store for Business**
**To find publisher and product name for Microsoft apps in Microsoft Store for Business:**
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
Request URI:
@ -359,17 +369,13 @@ The product name is first part of the PackageFullName followed by the version nu
| SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 |
## <a href="" id="inboxappsandcomponents"></a>Inbox apps and components
The following list shows the apps that may be included in the inbox.
> [!NOTE]
> This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience.
|App|Product ID|Product name|
|--- |--- |--- |
|3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)|
@ -1277,6 +1283,7 @@ The following example for Windows 10 Holographic for Business denies all apps an
```
## Recommended blocklist for Windows Information Protection
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
In this example, Contoso is the node name. We recommend using a GUID for this node.
@ -1460,5 +1467,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

15
windows/client-management/mdm/applocker-ddf-file.md
View File

@ -1,7 +1,6 @@
---
title: AppLocker DDF file
description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -14,7 +13,6 @@ ms.date: 12/05/2017
# AppLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -672,15 +670,4 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
## Related topics
[AppLocker configuration service provider](applocker-csp.md)
 
 
[AppLocker configuration service provider](applocker-csp.md)

2
windows/client-management/mdm/applocker-xsd.md
View File

@ -1,7 +1,6 @@
---
title: AppLocker XSD
description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized.
ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -14,7 +13,6 @@ ms.date: 06/26/2017
# AppLocker XSD
Here's the XSD for the AppLocker CSP.
```xml

Some files were not shown because too many files have changed in this diff Show More