From 7860d83fb61377c1b6bfc3bb43cc55f3cc94b835 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 8 Mar 2018 11:55:29 -0800 Subject: [PATCH 1/6] capability / feature rename --- ...ows-defender-advanced-threat-protection.md | 4 ++-- ...ows-defender-advanced-threat-protection.md | 18 ++++++++--------- ...ows-defender-advanced-threat-protection.md | 4 ++-- ...ows-defender-advanced-threat-protection.md | 8 ++++---- ...ows-defender-advanced-threat-protection.md | 20 +++++++++---------- ...ows-defender-advanced-threat-protection.md | 6 +++--- ...ows-defender-advanced-threat-protection.md | 4 ++-- 7 files changed, 32 insertions(+), 32 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index fea04741f7..489d6db5d4 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/09/2017 +ms.date: 03/12/2018 --- # View and organize the Windows Defender Advanced Threat Protection Alerts queue 
@@ -135,7 +135,7 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together ## Related topics - [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) -- [View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [View the Windows Defender Advanced Threat Protection Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md index 2ff55bdc25..fc7325015e 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md 
@@ -1,7 +1,7 @@ --- -title: Enable Security Analytics in Windows Defender ATP -description: Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. -keywords: enable security analytics, baseline, calculation, analytics, score, security analytics dashboard, dashboard +title: Enable Secure score security controls in Windows Defender ATP +description: Set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard. +keywords: secure score, baseline, calculation, score, secure score dashboard, dashboard, windows defender antivirus, av, exploit guard, application guard, smartscreen search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -10,10 +10,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/16/2017 +ms.date: 03/12/2018 --- -# Enable Security Analytics security controls +# Enable Secure score security controls **Applies to:** 
@@ -25,21 +25,21 @@ ms.date: 10/16/2017 -Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations. +Set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations. >[!NOTE] >Changes might take up to a few hours to reflect on the dashboard. -1. In the navigation pane, select **Preferences setup** > **Security Analytics**. +1. In the navigation pane, select **Preferences setup** > **Secure score**. - ![Image of Security Analytics controls from Preferences setup menu](images/atp-enable-security-analytics.png) + ![Image of Secure score controls from Preferences setup menu](images/atp-enable-security-analytics.png) 2. Select the security control, then toggle the setting between **On** and **Off**. 3. Click **Save preferences**. ## Related topics -- [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [View the Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index 4c24bf012f..b25f671461 100644 
--- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/23/2017 +ms.date: 03/12/2018 --- # View and organize the Windows Defender ATP Machines list @@ -80,7 +80,7 @@ Filter the list to view specific machines that are well configured or require at - **Well configured** - Machines have the Windows Defender security controls well configured. - **Requires attention** - Machines where improvements can be made to increase the overall security posture of your organization. -For more information, see [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md). +For more information, see [View the Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md). **Malware category alerts**
Filter the list to view specific machines grouped together by the following malware categories: diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index adef15a6bb..14d4fc1ac4 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: DulceMV ms.localizationpriority: high -ms.date: 10/19/2017 +ms.date: 03/12/2018 --- # Windows Defender Advanced Threat Protection portal overview 
@@ -51,11 +51,11 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- (1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. -**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard. -**Alerts queue** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules. +**Dashboards** | Allows you to access the Security operations or the Secure score dashboard. +**Alerts queue** | Allows you to view separate queues: new, in progress, resolved alerts, alerts assigned to you, and suppression rules. **Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. -**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Security analytics dashboard. +**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure score dashboard. 
**Endpoint management** | Provides access to endpoints such as clients and servers. Allows you to download the onboarding configuration package for endpoints. It also provides access to endpoint offboarding. **Community center** | Access the Community center to learn, collaborate, and share experiences about the product. (2) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. diff --git a/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md index a7f177c650..6ea27c4f75 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md 
@@ -1,7 +1,7 @@ --- -title: View the Security Analytics dashboard in Windows Defender ATP -description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles. -keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates +title: View the Secure score dashboard in Windows Defender ATP +description: Use the Secure score dashboard to assess and improve the security state of your organization by analyzing various security control tiles. +keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -9,10 +9,10 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas localizationpriority: high -ms.date: 11/17/2017 +ms.date: 03/12/2018 --- -# View the Windows Defender Advanced Threat Protection Security analytics dashboard +# View the Windows Defender Advanced Threat Protection Secure score dashboard **Applies to:** 
@@ -27,18 +27,18 @@ ms.date: 11/17/2017 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink) -The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. +The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. >[!IMPORTANT] > This feature is available for machines on Windows 10, version 1703 or later. -The **Security analytics dashboard** displays a snapshot of: +The **Secure score dashboard** displays a snapshot of: - Organizational security score - Security coverage - Improvement opportunities - Security score over time -![Security analytics dashboard](images/atp-dashboard-security-analytics-full.png) +![Secure score dashboard](images/atp-dashboard-security-analytics-full.png) ## Organizational security score The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings. 
@@ -52,7 +52,7 @@ The denominator is reflective of the organizational score potential and calculat In the example image, the total points from the **Improvement opportunities** tile add up to 321 points for the six pillars from the **Security coverage** tile. -You can set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard through the **Preferences settings**. For more information, see [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md). +You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Preferences settings**. For more information, see [Enable Secure score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md). ## Security coverage The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention. 
@@ -241,7 +241,7 @@ For more information, see [Windows Defender SmartScreen](../windows-defender-sma >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md) +- [Enable Secure score security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md) - [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 75aed7ba70..9ec694fdde 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 02/13/2018 +ms.date: 03/12/2018 --- # Use the Windows Defender Advanced Threat Protection portal 
@@ -31,7 +31,7 @@ You can use the Windows Defender ATP portal to carry out an end-to-end security Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. -Use the **Security analytics** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. +Use the **Secure score** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. ### In this section 
@@ -40,6 +40,6 @@ Topic | Description :---|:--- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions. [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. -[View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. +[View the Windows Defender Advanced Threat Protection Secure score dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index 42fe8383b5..a82528a68f 100644 
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Windows Defender Advanced Threat Protection - Windows Defender description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. -keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, analytics, threat intelligence +keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, score, threat intelligence search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/13/2017 +ms.date: 03/12/2018 --- # Windows Defender Advanced Threat Protection From 6a35f0ab3c4db6b5808b0cecb5f35ba1065f8812 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 8 Mar 2018 15:16:09 -0800 Subject: [PATCH 2/6] update toc label for secure score --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index e0c3ba2050..d5c63e1673 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -39,7 +39,7 @@ ### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) #### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md) #### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md) -#### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md) +#### [View the Secure score dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md) #### [View the Threat analytics dashboard](windows-defender-atp\threat-analytics-windows-defender-advanced-threat-protection.md) ###Investigate and remediate threats From 8f0298db30a3563323ff0a00518a09103917545b Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 12 Mar 2018 21:44:24 +0000 Subject: [PATCH 3/6] Merged PR 6314: TimeLanguageSettings/AllowSet24HourClock - updated the default value fixed default value --- .../mdm/policy-csp-timelanguagesettings.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index f577d940bb..731fc2ae63 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md 
@@ -63,14 +63,14 @@ ms.date: 03/12/2018 -Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. +Allows for the configuration of the default clock setting to be the 24 hour format. If set to 0 (zero), the device uses the default clock as prescribed by the current locale setting. The following list shows the supported values: -- 0 – Locale default setting. -- 1 (default) – Set 24 hour clock. +- 0 (default) – Current locale setting. +- 1 – Set 24 hour clock. From 0292ef2bf3d68859455d386b1c1e3109449aa8cb Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 12 Mar 2018 21:44:51 +0000 Subject: [PATCH 4/6] Merged PR 6313: Updated the Policy DDF topic with the latest version --- .../client-management/mdm/policy-ddf-file.md | 1158 +++++++++++------ 1 file changed, 779 insertions(+), 379 deletions(-) diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 406db3df06..0b6035ae0a 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 02/26/2018 +ms.date: 03/12/2018 --- # Policy DDF file @@ -95,6 +95,30 @@ The XML below is the DDF for Windows 10, version 1803. + + MSIAlwaysInstallWithElevatedPrivileges + + + + + + + + + + + + + + + + + + + text/plain + + + RequirePrivateStoreOnly @@ -7848,6 +7872,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableEndSessionButton + + + + + + + + Enable/disable kiosk browser's end session button. + + + + + + + + + + + text/plain + + + EnableHomeButton 
@@ -7966,6 +8014,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisallowTileNotification + + + + + + + + + + + + + + + + + + + text/plain + + + Printers @@ -8284,6 +8356,34 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + MSIAlwaysInstallWithElevatedPrivileges + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + MSI.admx + MSI~AT~WindowsComponents~MSI + AlwaysInstallElevated + HighestValueMostSecure + + RequirePrivateStoreOnly @@ -8307,7 +8407,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on WindowsStore.admx WindowsStore~AT~WindowsComponents~WindowsStore - RequirePrivateStoreOnly_1 + RequirePrivateStoreOnly HighestValueMostSecure @@ -15167,7 +15267,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyAllProcesses_9 + IESF_PolicyExplorerProcesses_9 LastWrite @@ -15221,7 +15321,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyAllProcesses_11 + IESF_PolicyExplorerProcesses_11 LastWrite @@ -16382,7 +16482,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyAllProcesses_12 + IESF_PolicyExplorerProcesses_12 LastWrite @@ -16409,7 +16509,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyAllProcesses_8 + IESF_PolicyExplorerProcesses_8 LastWrite 
@@ -16910,6 +17010,31 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + EnableEndSessionButton + + + + + 0 + Enable/disable kiosk browser's end session button. + + + + + + + + + + + text/plain + + + phone + LastWrite + + EnableHomeButton @@ -17032,6 +17157,33 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + DisallowTileNotification + + + + + 0 + + + + + + + + + + + + text/plain + + + WPN.admx + WPN~AT~StartMenu~NotificationsCategory + NoTileNotification + LowestValueMostSecure + + Printers @@ -18024,6 +18176,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + MSIAllowUserControlOverInstall + + + + + + + + + + + + + + + + + + + text/plain + + + + + MSIAlwaysInstallWithElevatedPrivileges + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequirePrivateStoreOnly + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictAppDataToSystemVolume @@ -30441,6 +30665,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + EnableEndSessionButton + + + + + + + + Enable/disable kiosk browser's end session button. + + + + + + + + + + + text/plain + + + EnableHomeButton @@ -30514,6 +30762,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + LanmanWorkstation + + + + + + + + + + + + + + + + + + + + + EnableInsecureGuestLogons + + + + + + + + + + + + + + + + + + + text/plain + + + + Licensing 
@@ -30994,38 +31288,6 @@ Note: Domain controllers are also domain members and establish secure channels w - - DomainMember_DigitallySignSecureChannelDataWhenPossible - - - - - - - - Domain member: Digitally sign secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. - -Default: Enabled. - - - - - - - - - - - text/plain - - - DomainMember_DisableMachineAccountPasswordChanges 
@@ -31059,81 +31321,6 @@ This setting should not be used in an attempt to support dual-boot scenarios tha - - DomainMember_MaximumMachineAccountPasswordAge - - - - - - - - Domain member: Maximum machine account password age - -This security setting determines how often a domain member will attempt to change its computer account password. - -Default: 30 days. - -Important - -This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. - - - - - - - - - - - text/plain - - - - - DomainMember_RequireStrongSessionKey - - - - - - - - Domain member: Require strong (Windows 2000 or later) session key - -This security setting determines whether 128-bit key strength is required for encrypted secure channel data. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on. - -Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters: - -Domain member: Digitally encrypt or sign secure channel data (always) -Domain member: Digitally encrypt secure channel data (when possible) -Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted. - -If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller. - -Default: Enabled. 
- -Important - -In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. -In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later. - - - - - - - - - - - text/plain - - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked 
@@ -31385,52 +31572,6 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol - - MicrosoftNetworkClient_DigitallySignCommunicationsAlways - - - - - - - - Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled. - -Important - -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. 
-Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees @@ -31880,7 +32021,7 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers 
@@ -31888,12 +32029,12 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + Network security: Minimum session security for NTLM SSP based (including secure RPC) servers -This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: +This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: -Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. -Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. +Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. +Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. Default: @@ -31915,7 +32056,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers + NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication 
@@ -31923,18 +32064,123 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers + Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication -This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. -Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. -Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. +If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. -Default: +If you do not configure this policy setting, no exceptions will be applied. -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. +The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. 
+ + + + + + + + + + + text/plain + + + + + NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic + + + + + + + + Network security: Restrict NTLM: Audit Incoming NTLM Traffic -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption +This policy setting allows you to audit incoming NTLM traffic. + +If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. + +If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. + +If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + + + + + text/plain + + + + + NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic + + + + + + + + Network security: Restrict NTLM: Incoming NTLM traffic + +This policy setting allows you to deny or allow incoming NTLM traffic. + +If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. + +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. + +If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. 
+ +Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + + + + + text/plain + + + + + NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers + + + + + + + + Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + +This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. + +If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. + +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. + +If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -32721,6 +32967,30 @@ The options are: + + TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications + + + + + + + + + + + + + + + + + + + text/plain + + + WDigestAuthentication 
@@ -43215,6 +43485,89 @@ Because of these factors, users do not usually need this user right. Warning: If LowestValueMostSecure + + MSIAllowUserControlOverInstall + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + MSI.admx + MSI~AT~WindowsComponents~MSI + EnableUserControl + HighestValueMostSecure + + + + MSIAlwaysInstallWithElevatedPrivileges + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + MSI.admx + MSI~AT~WindowsComponents~MSI + AlwaysInstallElevated + HighestValueMostSecure + + + + RequirePrivateStoreOnly + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsStore.admx + WindowsStore~AT~WindowsComponents~WindowsStore + RequirePrivateStoreOnly + HighestValueMostSecure + + RestrictAppDataToSystemVolume @@ -55097,7 +55450,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyAllProcesses_9 + IESF_PolicyExplorerProcesses_9 LastWrite @@ -55151,7 +55504,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyAllProcesses_11 + IESF_PolicyExplorerProcesses_11 LastWrite @@ -56312,7 +56665,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyAllProcesses_12 + IESF_PolicyExplorerProcesses_12 LastWrite @@ -56339,7 +56692,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyAllProcesses_8 + IESF_PolicyExplorerProcesses_8 LastWrite 
@@ -57022,6 +57375,31 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor LastWrite + + EnableEndSessionButton + + + + + 0 + Enable/disable kiosk browser's end session button. + + + + + + + + + + + text/plain + + + phone + LastWrite + + EnableHomeButton @@ -57098,6 +57476,53 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + LanmanWorkstation + + + + + + + + + + + + + + + + + + + EnableInsecureGuestLogons + + + + + 0 + + + + + + + + + + + + text/plain + + + LanmanWorkstation.admx + LanmanWorkstation~AT~Network~Cat_LanmanWorkstation + Pol_EnableInsecureGuestLogons + LowestValueMostSecure + + + Licensing 
@@ -57614,41 +58039,6 @@ Note: Domain controllers are also domain members and establish secure channels w LastWrite - - DomainMember_DigitallySignSecureChannelDataWhenPossible - - - - - 1 - Domain member: Digitally sign secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. - -Default: Enabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Domain member: Digitally sign secure channel data (when possible) - LastWrite - - DomainMember_DisableMachineAccountPasswordChanges 
@@ -57685,87 +58075,6 @@ This setting should not be used in an attempt to support dual-boot scenarios tha LastWrite - - DomainMember_MaximumMachineAccountPasswordAge - - - - - 30 - Domain member: Maximum machine account password age - -This security setting determines how often a domain member will attempt to change its computer account password. - -Default: 30 days. - -Important - -This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Domain member: Maximum machine account password age - LowestValueMostSecure - - - - DomainMember_RequireStrongSessionKey - - - - - 1 - Domain member: Require strong (Windows 2000 or later) session key - -This security setting determines whether 128-bit key strength is required for encrypted secure channel data. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on. - -Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters: - -Domain member: Digitally encrypt or sign secure channel data (always) -Domain member: Digitally encrypt secure channel data (when possible) -Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted. - -If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. 
If this setting is disabled, then the key strength is negotiated with the domain controller. - -Default: Enabled. - -Important - -In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. -In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Domain member: Require strong (Windows 2000 or later) session key - LastWrite - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked 
@@ -58039,55 +58348,6 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol LastWrite - - MicrosoftNetworkClient_DigitallySignCommunicationsAlways - - - - - 0 - Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled. - -Important - -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. 
-Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Digitally sign communications (always) - LastWrite - - MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees 
@@ -58571,44 +58831,6 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send HighestValueMostSecure - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients - - - - - 0 - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - -This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. -Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - HighestValueMostSecure - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers 
@@ -58647,6 +58869,157 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption HighestValueMostSecure + + NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication + + + + + + Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. + +If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. + +If you do not configure this policy setting, no exceptions will be applied. + +The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. + + + + + + + + + + + text/plain + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + LastWrite + + + + NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic + + + + + 0 + Network security: Restrict NTLM: Audit Incoming NTLM Traffic + +This policy setting allows you to audit incoming NTLM traffic. + +If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. 
+ +If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. + +If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Restrict NTLM: Audit Incoming NTLM Traffic + HighestValueMostSecure + + + + NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic + + + + + 0 + Network security: Restrict NTLM: Incoming NTLM traffic + +This policy setting allows you to deny or allow incoming NTLM traffic. + +If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. + +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. + +If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
+ + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Restrict NTLM: Incoming NTLM traffic + HighestValueMostSecure + + + + NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers + + + + + 0 + Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + +This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. + +If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. + +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. + +If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + HighestValueMostSecure + + Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn 
@@ -59472,6 +59845,33 @@ The options are: LastWrite + + TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications + + + + + + + + + + + + + + + + + text/plain + + phone + SecGuide.admx + SecGuide~AT~Cat_SecGuide + Pol_SecGuide_0101_WDPUA + LastWrite + + WDigestAuthentication From de920d843565108eb32c34195b2d926f7fc5ca85 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 12 Mar 2018 21:45:48 +0000 Subject: [PATCH 5/6] Merged PR 6315: UEFI CSP not supported in Pro --- .../mdm/configuration-service-provider-reference.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 1f6269d889..3764a9326f 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 03/02/2018 +ms.date: 03/12/2018 --- # Configuration service provider reference @@ -2136,7 +2136,7 @@ Footnotes: -[Uefi CSP](uefi-csp.md) +[UEFI CSP](uefi-csp.md) @@ -2151,7 +2151,7 @@ Footnotes: - + @@ -2596,6 +2596,7 @@ Footnotes: - [Reporting CSP](reporting-csp.md) - [RootCATrustedCertificates CSP](rootcacertificates-csp.md) - [SurfaceHub CSP](surfacehub-csp.md) +- [UEFI CSP](uefi-csp.md) - [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) From d12118140d5d977f5f49d5f4c7275dabeea41d5f Mon Sep 17 00:00:00 2001 
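Review bot: the DDF nodes for DomainMember_MaximumMachineAccountPasswordAge and DomainMember_RequireStrongSessionKey (hunks at -31059 and -57685), MicrosoftNetworkClient_DigitallySignCommunicationsAlways (hunks at -31385 and -58039), DomainMember_DigitallySignSecureChannelDataWhenPossible (hunk at -57614) and NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients (hunks at -31880/-31888 and -58571) are deleted with no replacement, so after this change the reference no longer documents how to require client-side SMB signing, a 128-bit secure-channel session key or NTLMv2 session security from the client. If these policies have been dropped from the Policy CSP, say so in the commit message or leave the nodes in place marked as unsupported; if they are still supported, restore them, since an administrator reading this reference would otherwise conclude the controls do not exist.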
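Review bot: the description added for NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication in the hunk at -31923 has a stray space before the period in "listed in both naming formats ." and needs a comma after "exceptions" in "To ensure exceptions the name used by all applications needs to be in the list"; the same text is repeated verbatim in the hunk at -58647, so both copies need the fix. Because the text says a single asterisk (*) matches anywhere in the string, it is worth adding one sentence that a broad wildcard entry reopens NTLM to every server matching it, so entries should be specific FQDN or NetBIOS names and the exception list should be reviewed alongside the audit events written to the Microsoft/Windows/NTLM Operational log.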
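Review bot: the TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications node added in the hunk at -32721 carries an empty description and no ADMX mapping, and its second copy in the hunk at -59472 names SecGuide.admx / Pol_SecGuide_0101_WDPUA but still has no description or default value, while every neighbouring node documents its policy text. The same applies to MSIAllowUserControlOverInstall, MSIAlwaysInstallWithElevatedPrivileges and RequirePrivateStoreOnly in the hunk at -43215 and to EnableInsecureGuestLogons in the hunk at -57098, which list a default of 0 but never say what 0 and 1 mean; please add the policy text and allowed values for each new node.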
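Review bot: in the hunk at -43215 the conflict resolution for MSIAlwaysInstallWithElevatedPrivileges (ADMX element AlwaysInstallElevated) and MSIAllowUserControlOverInstall (EnableUserControl) is HighestValueMostSecure, but for both policies the hardened state is the default 0: enabling AlwaysInstallElevated extends elevated privileges to every Windows Installer package a user installs, and enabling user control lets standard users change installation options normally reserved for administrators. The resolution should therefore read LowestValueMostSecure, as EnableInsecureGuestLogons in the hunk at -57098 already does; please confirm against the ADMX before merging.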
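Review bot: the hunks at -55097, -55151, -56312 and -56339 change the ADMX element for Protection From Zone Elevation, Restrict ActiveX Install, Restrict File Download and Scripted Window Security Restrictions from IESF_PolicyAllProcesses_N to IESF_PolicyExplorerProcesses_N. As the names indicate, the two element families differ in scope (all processes versus Internet Explorer processes only), so please confirm that the Policy CSP policy names that map to these nodes are the "Internet Explorer Processes" variants; if they are not, this narrows the hardening applied by the CSP without the policy name saying so.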
From: =?UTF-8?q?Akshatha=20Kommalapati=20=28=F0=9F=90=8D=29?= Date: Mon, 12 Mar 2018 22:03:20 +0000 Subject: [PATCH 6/6] Merged PR 6316: Set up School PCs Technical Reference: Updated the topic's date and removed an entry from the GP table Topic: Set up School PCs Technical Reference Changes: Updated the topic's date and removed the 'allow the system to be shut down without having to log on' line item since we no longer set this policy via the Set up School PCs app. --- .../windows/set-up-school-pcs-technical.md | 621 +++++++++--------- 1 file changed, 309 insertions(+), 312 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 59d779962f..c4c3cbd233 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md 
@@ -1,312 +1,309 @@ ---- -title: Set up School PCs app technical reference -description: Describes the changes that the Set up School PCs app makes to a PC. -keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu -ms.localizationpriority: high -author: CelesteDG -ms.author: celested -ms.date: 02/02/2018 ---- - -# Technical reference for the Set up School PCs app -**Applies to:** - -- Windows 10 - - - -The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic. - -If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. - -Here's a list of what you get when using the Set up School PCs app in your school. - -| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | -| --- | :---: | :---: | :---: | :---: | -| **Fast sign-in**
Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | -| **Custom Start experience**
The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | -| **Guest account, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | -| **School policies**
Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | -| **Azure AD Join**
The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | -| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X | -| **Take a Test**
Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X | -| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | - - -> [!NOTE] -> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD. - -## Automated Azure AD join -One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated. - -To make this as seamless as possible, in your Azure AD tenant: -- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD. - - **Figure 1** - Select the users you want to enable to join devices to Azure AD - - ![Select the users you want to enable to join devices to Azure AD](images/azuread_usersandgroups_devicesettings_usersmayjoin.png) - -- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff. - - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app. 
- - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student. - -- Turn off multifactor authentication. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**. - - **Figure 2** - Turn off multi-factor authentication in Azure AD - - ![Turn off multi-factor authentication in Azure AD](images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png) - -- Set the maximum number of devices a user can add to unlimited. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**. - - **Figure 3** - Set maximum number of devices per user to unlimited - - ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) - -- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. - - **Figure 4** - Delete the accounts automatically created for the Azure AD tokens - - ![Delete the accounts automatically created for the Azure AD tokens](images/azuread_usersandgroups_allusers_automaticaccounts.png) - -- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs. 
- - **Figure 5** - Sample summary page showing the expiration date - - ![Sample summary page showing the expiration date](images/suspc_choosesettings_summary.png) - - - - - -## Information about Windows Update - -Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to: -* Wake nightly -* Check and install updates -* Forcibly reboot if necessary to finish applying updates - -The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked. - -## Guidance for accounts on shared PCs - -* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out. -* On a Windows PC joined to Azure Active Directory: - * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. - * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. 
However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out. -* If admin accounts are necessary on the PC - * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out. -* The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell: - - ``` - $adminName = "LocalAdmin" - $adminPass = 'Pa$$word123' - iex "net user /add $adminName $adminPass" - $user = New-Object System.Security.Principal.NTAccount($adminName) - $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - $sid = $sid.Value; - New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` - -## Custom images -Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). - -## Provisioning package details - -The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). - -### Education customizations set by local MDM policy - -- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud. 
-- A custom Start layout, taskbar layout, and lock screen image are set. -- Prohibits unlocking the PC to developer mode. -- Prohibits untrusted Microsoft Store apps from being installed. -- Prohibits students from removing MDM. -- Prohibits students from adding new provisioning packages. -- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs). -- Sets Windows Update to update nightly. - - -### Uninstalled apps - -- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) -- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) -- Tips (Microsoft.Getstarted_8wekyb3d8bbwe) -- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) -- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) -- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) -- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) -- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) -- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) - -### Local Group Policies - -> [!IMPORTANT] -> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required. - -
cross markcheck mark4cross mark check mark4 check mark4 check mark4
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Policy path

Policy name

Value

Admin Templates > Control Panel > Personalization

Prevent enabling lock screen slide show

Enabled

Prevent changing lock screen and logon image

Enabled

Admin Templates > System > Power Management > Button Settings

Select the Power button action (plugged in)

Sleep

Select the Power button action (on battery)

Sleep

Select the Sleep button action (plugged in)

Sleep

Select the lid switch action (plugged in)

Sleep

Select the lid switch action (on battery)

Sleep

Admin Templates > System > Power Management > Sleep Settings

Require a password when a computer wakes (plugged in)

Enabled

Require a password when a computer wakes (on battery)

Enabled

Specify the system sleep timeout (plugged in)

5 minutes

Specify the system sleep timeout (on battery)

5 minutes

Turn off hybrid sleep (plugged in)

Enabled

Turn off hybrid sleep (on battery)

Enabled

Specify the unattended sleep timeout (plugged in)

5 minutes

Specify the unattended sleep timeout (on battery)

5 minutes

Allow standby states (S1-S3) when sleeping (plugged in)

Enabled

Allow standby states (S1-S3) when sleeping (on battery)

Enabled

Specify the system hibernate timeout (plugged in)

Enabled, 0

Specify the system hibernate timeout (on battery)

Enabled, 0

Admin Templates>System>Power Management>Video and Display Settings

Turn off the display (plugged in)

5 minutes

Turn off the display (on battery)

5 minutes

Admin Templates>System>Power Management>Energy Saver Settings

Energy Saver Battery Threshold (on battery)

70

Admin Templates>System>Logon

Show first sign-in animation

Disabled

Hide entry points for Fast User Switching

Enabled

Turn on convenience PIN sign-in

Disabled

Turn off picture password sign-in

Enabled

Turn off app notification on the lock screen

Enabled

Allow users to select when a password is required when resuming from connected standby

Disabled

Block user from showing account details on sign-in

Enabled

Admin Templates>System>User Profiles

Turn off the advertising ID

Enabled

Admin Templates>Windows Components>Biometrics

Allow the use of biometrics

Disabled

Allow users to log on using biometrics

Disabled

Allow domain users to log on using biometrics

Disabled

Admin Templates>Windows Components>Cloud Content

Do not show Windows Tips

Enabled

Turn off Microsoft consumer experiences

Enabled

Admin Templates>Windows Components>Data Collection and Preview Builds

Toggle user control over Insider builds

Disabled

Disable pre-release features or settings

Disabled

Do not show feedback notifications

Enabled

Allow Telemetry

Basic, 0

Admin Templates > Windows Components > File Explorer

Show lock in the user tile menu

Disabled

Admin Templates > Windows Components > Maintenance Scheduler

Automatic Maintenance Activation Boundary

*MaintenanceStartTime*

Automatic Maintenance Random Delay

Enabled, 2 hours

Automatic Maintenance WakeUp Policy

Enabled

Admin Templates > Windows Components > OneDrive

Prevent the usage of OneDrive for file storage

Enabled

Admin Templates > Windows Components > Windows Hello for Business

Use phone sign-in

Disabled

Use Windows Hello for Business

Disabled

Use biometrics

Disabled

Windows Settings > Security Settings > Local Policies > Security Options

Accounts: Block Microsoft accounts

**Note** Microsoft accounts can still be used in apps.

Enabled

Interactive logon: Do not display last user name

Enabled

Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

Disabled

Shutdown: Allow system to be shut down without having to log on

Enabled

User Account Control: Behavior of the elevation prompt for standard users

Auto deny


- -## Use the app -When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). - -## Related topics - -[Set up Windows devices for education](set-up-windows-10.md) - - - - - +--- +title: Set up School PCs app technical reference +description: Describes the changes that the Set up School PCs app makes to a PC. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: high +author: CelesteDG +ms.author: celested +ms.date: 03/12/2018 +--- + +# Technical reference for the Set up School PCs app +**Applies to:** + +- Windows 10 + + + +The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. + +Here's a list of what you get when using the Set up School PCs app in your school. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +| --- | :---: | :---: | :---: | :---: | +| **Fast sign-in**
Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | +| **Custom Start experience**
The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | +| **Guest account, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | +| **School policies**
Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | +| **Azure AD Join**
The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | +| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X | +| **Take a Test**
Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X | +| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | + + +> [!NOTE] +> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD. + +## Automated Azure AD join +One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated. + +To make this as seamless as possible, in your Azure AD tenant: +- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD. + + **Figure 1** - Select the users you want to enable to join devices to Azure AD + + ![Select the users you want to enable to join devices to Azure AD](images/azuread_usersandgroups_devicesettings_usersmayjoin.png) + +- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff. + - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app. 
+ - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student. + +- Turn off multifactor authentication. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**. + + **Figure 2** - Turn off multi-factor authentication in Azure AD + + ![Turn off multi-factor authentication in Azure AD](images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png) + +- Set the maximum number of devices a user can add to unlimited. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**. + + **Figure 3** - Set maximum number of devices per user to unlimited + + ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) + +- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. + + In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. + + **Figure 4** - Delete the accounts automatically created for the Azure AD tokens + + ![Delete the accounts automatically created for the Azure AD tokens](images/azuread_usersandgroups_allusers_automaticaccounts.png) + +- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs. 
+ + **Figure 5** - Sample summary page showing the expiration date + + ![Sample summary page showing the expiration date](images/suspc_choosesettings_summary.png) + + + + + +## Information about Windows Update + +Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to: +* Wake nightly +* Check and install updates +* Forcibly reboot if necessary to finish applying updates + +The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked. + +## Guidance for accounts on shared PCs + +* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. +* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out. +* On a Windows PC joined to Azure Active Directory: + * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. + * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. +* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. 
However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out. +* If admin accounts are necessary on the PC + * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or + * Create admin accounts before setting up shared PC mode, or + * Create exempt accounts before signing out. +* The account management service supports accounts that are exempt from deletion. + * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. + * To add the account SID to the registry key using PowerShell: + + ``` + $adminName = "LocalAdmin" + $adminPass = 'Pa$$word123' + iex "net user /add $adminName $adminPass" + $user = New-Object System.Security.Principal.NTAccount($adminName) + $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + $sid = $sid.Value; + New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force + ``` + +## Custom images +Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). + +## Provisioning package details + +The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). + +### Education customizations set by local MDM policy + +- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud. 
+- A custom Start layout, taskbar layout, and lock screen image are set. +- Prohibits unlocking the PC to developer mode. +- Prohibits untrusted Microsoft Store apps from being installed. +- Prohibits students from removing MDM. +- Prohibits students from adding new provisioning packages. +- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs). +- Sets Windows Update to update nightly. + + +### Uninstalled apps + +- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) +- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) +- Tips (Microsoft.Getstarted_8wekyb3d8bbwe) +- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) +- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) +- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) +- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) +- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) +- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) + +### Local Group Policies + +> [!IMPORTANT] +> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy path

Policy name

Value

Admin Templates > Control Panel > Personalization

Prevent enabling lock screen slide show

Enabled

Prevent changing lock screen and logon image

Enabled

Admin Templates > System > Power Management > Button Settings

Select the Power button action (plugged in)

Sleep

Select the Power button action (on battery)

Sleep

Select the Sleep button action (plugged in)

Sleep

Select the lid switch action (plugged in)

Sleep

Select the lid switch action (on battery)

Sleep

Admin Templates > System > Power Management > Sleep Settings

Require a password when a computer wakes (plugged in)

Enabled

Require a password when a computer wakes (on battery)

Enabled

Specify the system sleep timeout (plugged in)

5 minutes

Specify the system sleep timeout (on battery)

5 minutes

Turn off hybrid sleep (plugged in)

Enabled

Turn off hybrid sleep (on battery)

Enabled

Specify the unattended sleep timeout (plugged in)

5 minutes

Specify the unattended sleep timeout (on battery)

5 minutes

Allow standby states (S1-S3) when sleeping (plugged in)

Enabled

Allow standby states (S1-S3) when sleeping (on battery)

Enabled

Specify the system hibernate timeout (plugged in)

Enabled, 0

Specify the system hibernate timeout (on battery)

Enabled, 0

Admin Templates>System>Power Management>Video and Display Settings

Turn off the display (plugged in)

5 minutes

Turn off the display (on battery)

5 minutes

Admin Templates>System>Power Management>Energy Saver Settings

Energy Saver Battery Threshold (on battery)

70

Admin Templates>System>Logon

Show first sign-in animation

Disabled

Hide entry points for Fast User Switching

Enabled

Turn on convenience PIN sign-in

Disabled

Turn off picture password sign-in

Enabled

Turn off app notification on the lock screen

Enabled

Allow users to select when a password is required when resuming from connected standby

Disabled

Block user from showing account details on sign-in

Enabled

Admin Templates>System>User Profiles

Turn off the advertising ID

Enabled

Admin Templates>Windows Components>Biometrics

Allow the use of biometrics

Disabled

Allow users to log on using biometrics

Disabled

Allow domain users to log on using biometrics

Disabled

Admin Templates>Windows Components>Cloud Content

Do not show Windows Tips

Enabled

Turn off Microsoft consumer experiences

Enabled

Admin Templates>Windows Components>Data Collection and Preview Builds

Toggle user control over Insider builds

Disabled

Disable pre-release features or settings

Disabled

Do not show feedback notifications

Enabled

Allow Telemetry

Basic, 0

Admin Templates > Windows Components > File Explorer

Show lock in the user tile menu

Disabled

Admin Templates > Windows Components > Maintenance Scheduler

Automatic Maintenance Activation Boundary

*MaintenanceStartTime*

Automatic Maintenance Random Delay

Enabled, 2 hours

Automatic Maintenance WakeUp Policy

Enabled

Admin Templates > Windows Components > OneDrive

Prevent the usage of OneDrive for file storage

Enabled

Admin Templates > Windows Components > Windows Hello for Business

Use phone sign-in

Disabled

Use Windows Hello for Business

Disabled

Use biometrics

Disabled

Windows Settings > Security Settings > Local Policies > Security Options

Accounts: Block Microsoft accounts

**Note** Microsoft accounts can still be used in apps.

Enabled

Interactive logon: Do not display last user name

Enabled

Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

Disabled

User Account Control: Behavior of the elevation prompt for standard users

Auto deny


+ +## Use the app +When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + +## Related topics + +[Set up Windows devices for education](set-up-windows-10.md) + + + + +
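Review bot: the registry path in the exemption bullet of the new text, `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`, misspells SOFTWARE; an admin who follows the prose rather than the script will create the key under a path that nothing reads, the account will not be exempt from deletion, and no error will flag it. The PowerShell sample directly below it uses the correct path (`HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid`), so align the prose with the sample. In that sample, `iex "net user /add $adminName $adminPass"` pushes an interpolated string through Invoke-Expression, so a password containing quotes, `$` or `&` is re-parsed as PowerShell; calling `net user $adminName $adminPass /add` directly avoids the double parse, the hard-coded `'Pa$$word123'` should be marked as a placeholder to replace, and the stray `;` after `$sid.Value` can go. Since the whole file is rewritten here anyway, also fix the typos carried over from the old text: `sucessfully`, `Set up School School PCs`, `a MDM provider`, `Notfications`, and `Prohibits student from removing`.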
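Review bot: the Local Group Policies table in the new text drops the row `Shutdown: Allow system to be shut down without having to log on` / `Enabled` that the old text listed under `Windows Settings > Security Settings > Local Policies > Security Options`, while every other row is carried over unchanged. The commit subject describes a capability/feature rename, so if shared PC mode still applies that policy the row should be restored; if the behaviour really changed, the commit message should say so, because readers use this table as the reference for what a Set up School PCs device exposes at the sign-in screen.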
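Review bot: the Azure AD tenant guidance in the new text tells the reader to set `Require Multi-Factor Auth to join devices` to `No` and `Maximum number of devices per user` to `Unlimited` without noting that both live under Device Settings and therefore apply to every identity allowed to join devices, not only the account used by Set up School PCs. Add a sentence making that scope explicit and tie it to the first bullet, so that `Users may join devices to Azure AD` stays on `Selected` with only the dedicated join account (or a small IT group) chosen; otherwise both relaxations reach all teachers and staff, and the 500-token limit and one-month token expiry described further down are the only remaining bounds.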