diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e7ed3131c8..1f6269d889 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 02/02/2018 +ms.date: 03/02/2018 --- # Configuration service provider reference @@ -1127,6 +1127,34 @@ Footnotes: + +[eUICCs CSP](euiccs-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark3check mark3check mark3check mark3check mark3check mark3
+ + + + [FileSystem CSP](filesystem-csp.md) diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index beaaf83a87..3cbe681524 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -297,4 +297,14 @@ The \ payload is empty. Here an example to set AppVirtualization/Publishin -``` \ No newline at end of file +``` + +## Video walkthrough + +Here is a video of how to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune. + +> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121] + +Here is a video of how to import a custom ADMX file to a device using Intune. + +> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73] \ No newline at end of file diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 5062ee119e..2ad3ca1434 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md 
@@ -7,11 +7,15 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/22/2017 +ms.date: 03/01/2018 --- # EnterpriseModernAppManagement CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). > [!Note] @@ -359,6 +363,20 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` +**.../*PackageFamilyName*/MaintainProcessorArchitectureOnUpdate** +Added in Windows 10, version 1803. Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. + +Supported operations are Add, Get, Delete, and Replace. Value type is integer. + +Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). + +|Applicability Setting |CSP state |Result | +|---------|---------|---------| +|True |Not configured |X86 flavor is picked | +|True |Enabled |X86 flavor is picked | +|True |Disabled |X86 flavor is picked | +|False (not set) |Not configured |X64 flavor is picked | + **AppInstallation**

Required node. Used to perform app installation. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 335ebd258e..7c3c1c855b 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md 
@@ -7,899 +7,928 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/01/2018 --- # EnterpriseModernAppManagement DDF + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1803. ``` syntax ]> + "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" + []> - 1.2 - + 1.2 + EnterpriseModernAppManagement ./Vendor/MSFT - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - AppManagement + AppManagement + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + EnterpriseID + + + + + + + + + + + + + + + + + + + + PackageFamilyName + + + + + - - - - - - - - - - - - - - - EnterpriseID - - - + + + + + + + + + + + + + + + PackageFullName + + + - - - - - - - - - - - - - - - - - PackageFamilyName - - - - - - - - - - - - - - - - - - - - - - PackageFullName - - - - - - Name - - - - - - - - - - - - - - - text/plain - - - - - Version - - - - - - - - - - - - - - - text/plain - - - - - Publisher - - - - - - - - - - - - - - - text/plain - - - - - Architecture - - - - - - - - - - - - - - - text/plain - - - - - InstallLocation - - - - - - - - - - - - - - - text/plain - - - - - IsFramework - - - - - - - - - - - - - - - text/plain - - - - - IsBundle - - - - - - - - - - - - - - - text/plain - - - - - InstallDate - - - - - - - - - - - - - - - text/plain - - - - - ResourceID - - - - - - - - - - - - 
- - - text/plain - - - - - PackageStatus - - - - - - - - - - - - - - - text/plain - - - - - RequiresReinstall - - - - - - - - - - - - - - - text/plain - - - - - Users - - - - - - - - - - - - - - - text/plain - - - - - IsProvisioned - - - - - - - - - - - - - - - text/plain - - - - - - DoNotUpdate - - - - - - - - - - - - - - - - - DoNotUpdate - - text/plain - - - - - AppSettingPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SettingValue - - text/plain - - - - + Name + + + + + + + + + + + + + + + text/plain + + - - - UpdateScan - + + Version + - + - + - + - + - text/plain + text/plain - - - - LastScanError - + + + + Publisher + - + - + - + - + - text/plain + text/plain - - - - AppInventoryResults - + + + + Architecture + - + - + - + - + - text/plain + text/plain - - - - AppInventoryQuery - + + + + InstallLocation + - - + - + - + - + - text/plain + text/plain - - - - RemovePackage - + + + + IsFramework + - + - + - + - + - text/plain + text/plain + + + + IsBundle + + + + + + + + + + + + + + + text/plain + + + + + InstallDate + + + + + + + + + + + + + + + text/plain + + + + + ResourceID + + + + + + + + + + + + + + + text/plain + + + + + PackageStatus + + + + + + + + + + + + + + + text/plain + + + + + RequiresReinstall + + + + + + + + + + + + + + + text/plain + + + + + Users + + + + + + + + + + + + + + + text/plain + + + + + IsProvisioned + + + + + + + + + + + + + + + text/plain + + + + + + DoNotUpdate + + + + + + + + + + + + + + + + + DoNotUpdate + + text/plain + + + + AppSettingPolicy + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SettingValue + + text/plain + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + text/plain + + + + + + UpdateScan + + + + + + + + + + + + + + + text/plain + + + + + LastScanError + + + + + + + + + + + + + + + text/plain + + + + + AppInventoryResults + + + + + + + + + + + + + + + text/plain + + + + + 
AppInventoryQuery + + + + + + + + + + + + + + + + text/plain + + + + + RemovePackage + + + + + + + + + + + + + + + + text/plain + + + - AppInstallation + AppInstallation + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + PackageFamilyName + + + - - - - - - - - - - - - - - - - - - PackageFamilyName - - - - - - StoreInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - HostedInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - LastError - - - - - - - - - - - - - - - text/plain - - - - - LastErrorDesc - - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - ProgressStatus - - - - - - - - - - - - - - - text/plain - - - + StoreInstall + + + + + + + + + + + + + + + + + + text/plain + + + + HostedInstall + + + + + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + + + + + + + + + + + text/plain + + + + + LastErrorDesc + + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + ProgressStatus + + + + + + + + + + + + + + + text/plain + + + + - AppLicenses + AppLicenses + + + + + + + + + + + + + + + + + + + StoreLicenses - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - StoreLicenses + + + + + + + + + + + + + + + + + LicenseID + + + + + + LicenseCategory - - - - - - - - - - - - - - - + + + + + + + + + + + + + + text/plain + - - - - - - - - - - - - - - - - - - LicenseID - - - - - - LicenseCategory - - - - - - - - - - - - - - - text/plain - - - - - LicenseUsage - - - - - - - - - - - - - - - text/plain - - - - - RequesterID - - - - - - - - - - - - - - - text/plain - - - - - AddLicense - - - - - - - - - - - - - - - text/plain - - - - - GetLicenseFromStore - - - - - - - - - - - - - - - text/plain - - - - + + + LicenseUsage + + + + + + + + + + + + + + + text/plain + + + + + RequesterID + + + + + + + + + + + + + + + text/plain + + + + + AddLicense + + + + + + + + + + + + + + + 
text/plain + + + + + GetLicenseFromStore + + + + + + + + + + + + + + + text/plain + + + + - + ``` diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index ed10ebe33c..eb5f1186ce 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/15/2017 +ms.date: 03/02/2018 --- # eUICCs CSP @@ -61,6 +61,11 @@ Required. Current state of the profile (Installing = 1, Installed = 2, Deleting Supported operation is Get. Value type is integer. Default value is 1. +**_eUICC_/Profiles/_ICCID_/IsEnabled** +Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once it’s successfully downloaded and installed on the device. Can also be queried and updated by the CSP. + +Supported operations are Add, Get, and Replace. Value type is bool. + **_eUICC_/Policies** Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile). diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index caa165bd48..06be1ba347 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 03/02/2018 --- # eUICCs DDF file @@ -17,6 +17,8 @@ This topic shows the OMA DM device description framework (DDF) for the **eUICCs* Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). +The XML below if for Windows 10, version 1803. + ``` syntax 1.2 eUICCs - ./Vendor/MSFT + ./Device/Vendor/MSFT 
@@ -45,7 +47,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - com.microsoft/1.0/MDM/eUICCs + com.microsoft/1.1/MDM/eUICCs @@ -229,6 +231,29 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic + + IsEnabled + + + + + + + Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created. Can also be queried and updated by the CSP. + + + + + + + + + + + text/plain + + + diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png index b834990924..a28f41fe6a 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-euiccs.png b/windows/client-management/mdm/images/provisioning-csp-euiccs.png index a4c67a8b7e..387fdae3fb 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-euiccs.png and b/windows/client-management/mdm/images/provisioning-csp-euiccs.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 46bd55a93f..62bdf664f0 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 02/26/2018 +ms.date: 03/03/2018 --- # What's new in MDM enrollment and management @@ -1389,6 +1389,38 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### March 2018 + + ++++ + + + + + + + + + + + + + + +
New or updated topicDescription
[eUICCs CSP](euiccs-csp.md)

Added the following node in Windows 10, version 1803:

+
    +
  • IsEnabled
  • +
+
[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)

Added the following videos:

+
    +
  • [How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)
  • +
  • [How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)
  • +
+
+ ### February 2018 @@ -1440,6 +1472,13 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + + +
[MultiSIM CSP](multisim-csp.md)

Added a new CSP in Windows 10, version 1803.

[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

Added the following node in Windows 10, version 1803:

+
    +
  • MaintainProcessorArchitectureOnUpdate
  • +
+
@@ -1575,6 +1614,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

+[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +

Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

+ + [DMClient CSP](dmclient-csp.md)

Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

+ +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchEveryWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2266,6 +2551,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchFirstWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2313,6 +2607,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallFourthWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2360,6 +2663,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallSecondWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2407,6 +2719,15 @@ Added in Windows 10, version 1709. Enables the IT admin to schedule the update i + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallThirdWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2462,6 +2783,15 @@ Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchTime* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
@@ -2505,6 +2835,15 @@ The default value is 3. Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. + +ADMX Info: +- GP English name: *Turn off auto-restart notifications for update installations* +- GP name: *AutoRestartNotificationDisable* +- GP element: *AutoRestartNotificationSchd* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2555,6 +2894,14 @@ The following list shows the supported values: Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. + +ADMX Info: +- GP English name: *Update Power Policy for Cart Restarts* +- GP name: *SetEDURestart* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2610,6 +2957,15 @@ Allows the device to check for updates from a WSUS server instead of Microsoft U Supported operations are Get and Replace. + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUURL_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + The following list shows the supported values: @@ -2691,6 +3047,15 @@ Value type is string and the default value is an empty string, "". If the settin > This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUContentHost_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + +
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index b091456af0..6e52bc893b 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - UserRights @@ -152,6 +152,12 @@ ms.date: 01/30/2018 This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + +GP Info: +- GP English name: *Access Credential Manager ase a trusted caller* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -195,6 +201,12 @@ This user right is used by Credential Manager during Backup/Restore. No accounts This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + +GP Info: +- GP English name: *Access this computer from the network* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -238,6 +250,12 @@ This user right determines which users and groups are allowed to connect to the This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. + +GP Info: +- GP English name: *Act as part of the operating system* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -281,6 +299,12 @@ This user right allows a process to impersonate any user without authentication. This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. + +GP Info: +- GP English name: *Allow log on locally* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -324,6 +348,12 @@ This user right determines which users can log on to the computer. Note: Modifyi This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users + +GP Info: +- GP English name: *Back up files and directories* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -367,6 +397,12 @@ This user right determines which users can bypass file, directory, registry, and This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. + +GP Info: +- GP English name: *Change the system time* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -410,6 +446,12 @@ This user right determines which users and groups can change the time and date o This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. + +GP Info: +- GP English name: *Create global objects* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -453,6 +495,12 @@ This security setting determines whether users can create global objects that ar This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users + +GP Info: +- GP English name: *Create a pagefile* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -496,6 +544,12 @@ This user right determines which users and groups can call an internal applicati This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. + +GP Info: +- GP English name: *Create permanent shared objects* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -539,6 +593,12 @@ This user right determines which accounts can be used by processes to create a d This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + +GP Info: +- GP English name: *Create symbolic links* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -582,6 +642,12 @@ This user right determines if the user can create a symbolic link from the compu This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + +GP Info: +- GP English name: *Create a token object* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -625,6 +691,12 @@ This user right determines which accounts can be used by processes to create a t This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. + +GP Info: +- GP English name: *Debug programs* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -668,6 +740,12 @@ This user right determines which users can attach a debugger to any process or t This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. + +GP Info: +- GP English name: *Deny access to this computer from the network* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -711,6 +789,12 @@ This user right determines which users are prevented from accessing a computer o This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. + +GP Info: +- GP English name: *Deny log on as a service* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -754,6 +838,12 @@ This security setting determines which service accounts are prevented from regis This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. + +GP Info: +- GP English name: *Deny log on through Remote Desktop Services* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -797,6 +887,12 @@ This user right determines which users and groups are prohibited from logging on This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. + +GP Info: +- GP English name: *Enable computer and user accounts to be trusted for delegation* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -840,6 +936,12 @@ This user right determines which users can set the Trusted for Delegation settin This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. + +GP Info: +- GP English name: *Generate security audits* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -887,6 +989,12 @@ Assigning this user right to a user allows programs running on behalf of that us Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. + +GP Info: +- GP English name: *Impersonate a client after authentication* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -930,6 +1038,12 @@ Because of these factors, users do not usually need this user right. Warning: If This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + +GP Info: +- GP English name: *Increase scheduling priority* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -973,6 +1087,12 @@ This user right determines which accounts can use a process with Write Property This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + +GP Info: +- GP English name: *Load and unload device drivers* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1016,6 +1136,12 @@ This user right determines which users can dynamically load and unload device dr This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). + +GP Info: +- GP English name: *Lock pages in memory* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1059,6 +1185,12 @@ This user right determines which accounts can use a process to keep data in phys This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. + +GP Info: +- GP English name: *Manage auditing and security log* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1102,6 +1234,12 @@ This user right determines which users can specify object access auditing option This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + +GP Info: +- GP English name: *Perform volume maintenance tasks* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1145,6 +1283,12 @@ This user right determines which users and groups can run maintenance tasks on a This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. + +GP Info: +- GP English name: *Modify firmware environment values* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
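Review bot: The description this GP Info block is appended to has two run-together sentence boundaries, "processor.On x86-based computers" and "Windows.Note:", which make the x86 versus Itanium distinction hard to follow. Add the missing spaces and move the trailing Note into its own callout while this section is being edited.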
@@ -1188,6 +1332,12 @@ This user right determines who can modify firmware environment values. Firmware This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. + +GP Info: +- GP English name: *Modify an object label* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1231,6 +1381,12 @@ This user right determines which user accounts can modify the integrity label of This user right determines which users can use performance monitoring tools to monitor the performance of system processes. + +GP Info: +- GP English name: *Profile single process* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1274,6 +1430,12 @@ This user right determines which users can use performance monitoring tools to m This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. + +GP Info: +- GP English name: *Force shutdown from a remote system* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
@@ -1317,6 +1479,12 @@ This user right determines which users are allowed to shut down a computer from This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. + +GP Info: +- GP English name: *Restore files and directories* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
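Review bot: In the paragraph above the added GP Info block, the permission list is fused to its introduction ("on the system:Traverse Folder/Execute File, Write.") and the Caution about overwriting registry settings and taking ownership of system objects is buried inline. Put a space or line break after the colon and lift the Caution into a callout so the security guidance is not lost next to the new GP path.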
@@ -1360,6 +1528,12 @@ This user right determines which users can bypass file, directory, registry, and This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. + +GP Info: +- GP English name: *Take ownership of files or other objects* +- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 8fa7a54082..f4e3dbae88 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - Wifi @@ -97,6 +97,14 @@ Allow or disallow the device to automatically connect to Wi-Fi hotspots. Most restricted value is 0. + +ADMX Info: +- GP English name: *Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services* +- GP name: *WiFiSense* +- GP path: *Network/WLAN Service/WLAN Settings* +- GP ADMX file name: *wlansvc.admx* + + The following list shows the supported values: @@ -149,6 +157,14 @@ Allow or disallow internet sharing. Most restricted value is 0. + +ADMX Info: +- GP English name: *Prohibit use of Internet Connection Sharing on your DNS domain network* +- GP name: *NC_ShowSharedAccessUI* +- GP path: *Network/Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 56be2210b2..8329d11f77 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - WindowsDefenderSecurityCenter 
@@ -124,6 +124,15 @@ Added in Windows 10, version 1709. The company name that is displayed to the use Value type is string. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Specify contact company name* +- GP name: *EnterpriseCustomization_CompanyName* +- GP element: *Presentation_EnterpriseCustomization_CompanyName* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
@@ -167,6 +176,14 @@ Value type is string. Supported operations are Add, Get, Replace and Delete. Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +ADMX Info: +- GP English name: *Hide the Account protection area* +- GP name: *AccountProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Account protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: @@ -219,6 +236,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the App and browser protection area* +- GP name: *AppBrowserProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -269,6 +294,14 @@ The following list shows the supported values: Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +ADMX Info: +- GP English name: *Hide the Device security area* +- GP name: *DeviceSecurity_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: 
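Review bot: In the last hunk here (DeviceSecurity_UILockdown), the context still says "Added in Windows 10, next major release" and spells the product "Windows defender Security Center", and the AccountProtection_UILockdown hunk at the top of this group has the same two problems. Later hunks in this file already say "Added in Windows 10, version 1803", so confirm the release for these two policies and state it the same way, and capitalize "Defender".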
@@ -324,6 +357,14 @@ Added in Windows 10, version 1709. Use this policy if you want Windows Defender Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide non-critical notifications* +- GP name: *Notifications_DisableEnhancedNotifications* +- GP path: *Windows Components/Windows Defender Security Center/Notifications* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -376,6 +417,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Family options area* +- GP name: *FamilyOptions_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Family options* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -428,6 +477,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Device performance and health area* +- GP name: *DevicePerformanceHealth_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Device performance and health* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: 
@@ -480,6 +537,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Firewall and network protection area* +- GP name: *FirewallNetworkProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Firewall and network protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -532,6 +597,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide all notifications* +- GP name: *Notifications_DisableNotifications* +- GP path: *Windows Components/Windows Defender Security Center/Notifications* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -584,6 +657,14 @@ Added in Windows 10, version 1709. Use this policy setting if you want to disabl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Hide the Virus and threat protection area* +- GP name: *VirusThreatProtection_UILockdown* +- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: 
@@ -636,6 +717,14 @@ Added in Windows 10, version 1709. Prevent users from making changes to the expl Value type is integer. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Prevent users from modifying settings* +- GP name: *AppBrowserProtection_DisallowExploitProtectionOverride* +- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -688,6 +777,15 @@ Added in Windows 10, version 1709. The email address that is displayed to users. Value type is string. Supported operations are Add, Get, Replace and Delete. + +ADMX Info: +- GP English name: *Specify contact email address or Email ID* +- GP name: *EnterpriseCustomization_Email* +- GP element: *Presentation_EnterpriseCustomization_Email* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
@@ -733,6 +831,14 @@ Added in Windows 10, version 1709. Enable this policy to display your company na Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Configure customized notifications* +- GP name: *EnterpriseCustomization_EnableCustomizedToasts* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -785,6 +891,14 @@ Added in Windows 10, version 1709. Enable this policy to have your company name Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Configure customized contact information* +- GP name: *EnterpriseCustomization_EnableInAppCustomization* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + The following list shows the supported values: @@ -835,6 +949,14 @@ The following list shows the supported values: Added in Windows 10, version 1803. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. + +ADMX Info: +- GP English name: *Hide the Ransomware data recovery area* +- GP name: *VirusThreatProtection_HideRansomwareRecovery* +- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: @@ -885,6 +1007,14 @@ Valid values: Added in Windows 10, version 1803. Use this policy to hide the Secure boot area in the Windows Defender Security Center. + +ADMX Info: +- GP English name: *Hide the Secure boot area* +- GP name: *DeviceSecurity_HideSecureBoot* +- GP path: *Windows Components/Windows Defender Security Center/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: 
@@ -935,6 +1065,14 @@ Valid values: Added in Windows 10, version 1803. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. + +ADMX Info: +- GP English name: *Hide the Security processor (TPM) troubleshooter page* +- GP name: *DeviceSecurity_HideTPMTroubleshooting* +- GP path: *Windows Components/Windows Defender Security Center/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + Valid values: @@ -987,6 +1125,15 @@ Added in Windows 10, version 1709. The phone number or Skype ID that is displaye Value type is string. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Specify contact phone number or Skype ID* +- GP name: *EnterpriseCustomization_Phone* +- GP element: *Presentation_EnterpriseCustomization_Phone* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
@@ -1032,6 +1179,15 @@ Added in Windows 10, version 1709. The help portal URL this is displayed to user Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. + +ADMX Info: +- GP English name: *Specify contact website* +- GP name: *EnterpriseCustomization_URL* +- GP element: *Presentation_EnterpriseCustomization_URL* +- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +
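Review bot: The context line the new ADMX Info block follows reads "Value type is Value type is string.", with the phrase duplicated, and the description in the hunk header has "The help portal URL this is displayed to user", where "this" should be "that". Both are one-word fixes worth folding into this change, since the Phone and Email siblings in this file use the clean form "Value type is string."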
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 0b0a6104d4..3549c95e06 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - WindowsInkWorkspace @@ -69,6 +69,14 @@ ms.date: 01/30/2018 Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. + +ADMX Info: +- GP English name: *Allow suggested apps in Windows Ink Workspace* +- GP name: *AllowSuggestedAppsInWindowsInkWorkspace* +- GP path: *Windows Components/Windows Ink Workspace* +- GP ADMX file name: *WindowsInkWorkspace.admx* + + The following list shows the supported values: @@ -119,6 +127,15 @@ The following list shows the supported values: Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. + +ADMX Info: +- GP English name: *Allow Windows Ink Workspace* +- GP name: *AllowWindowsInkWorkspace* +- GP element: *AllowWindowsInkWorkspaceDropdown* +- GP path: *Windows Components/Windows Ink Workspace* +- GP ADMX file name: *WindowsInkWorkspace.admx* + + Value type is int. The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 513b783cee..cc10b25f2c 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - WindowsLogon 
@@ -83,14 +83,14 @@ If you disable or do not configure this policy setting, users can choose which a > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Turn off app notifications on the lock screen* - GP name: *DisableLockScreenAppNotifications* - GP path: *System/Logon* - GP ADMX file name: *logon.admx* - +
@@ -145,14 +145,14 @@ If you disable or don't configure this policy setting, any user can disconnect t > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + ADMX Info: - GP English name: *Do not display network selection UI* - GP name: *DontDisplayNetworkSelectionUI* - GP path: *System/Logon* - GP ADMX file name: *logon.admx* - +
@@ -196,6 +196,14 @@ ADMX Info: Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. + +ADMX Info: +- GP English name: *Hide entry points for Fast User Switching* +- GP name: *HideFastUserSwitching* +- GP path: *System/Logon* +- GP ADMX file name: *Logon.admx* + + The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 5830a05aa4..9e122a3f3f 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/30/2018 +ms.date: 03/05/2018 --- # Policy CSP - WirelessDisplay @@ -291,6 +291,14 @@ If you set it to 0 (zero), your PC is not discoverable and you cannot project to Value type is integer. + +ADMX Info: +- GP English name: *Don't allow this PC to be projected to* +- GP name: *AllowProjectionToPC* +- GP path: *Windows Components/Connect* +- GP ADMX file name: *WirelessDisplay.admx* + + The following list shows the supported values: @@ -422,6 +430,14 @@ If you turn this on, the pairing ceremony for new devices will always require a Value type is integer. + +ADMX Info: +- GP English name: *Require pin for pairing* +- GP name: *RequirePinForPairing* +- GP path: *Windows Components/Connect* +- GP ADMX file name: *WirelessDisplay.admx* + + The following list shows the supported values: 
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index f88849e2b1..16f22e3436 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/11/2017 +ms.date: 03/02/2018 --- # Understanding ADMX-backed policies 
@@ -15,23 +15,6 @@ Due to increased simplicity and the ease with which devices can be targeted, ent Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support will be expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises do not need to compromise security of their devices in the cloud. -## In this section - -- [Background](#background) -- [ADMX files and the Group Policy Editor](#admx-files-and-the-group-policy-editor) -- [ADMX-backed policy examples](#admx-backed-policy-examples) - - [Enabling a policy](#enabling-a-policy) - - [Disabling a policy](#disabling-a-policy) - - [Setting a policy to not configured](#setting-a-policy-to-not-configured) -- [Sample SyncML for various ADMX elements](#sample-syncml-for-various-admx-elements) - - [Text Element](#text-element) - - [MultiText Element](#multitext-element) - - [List Element (and its variations)](#list-element) - - [No Elements](#no-elements) - - [Enum](#enum) - - [Decimal Element](#decimal-element) - - [Boolean Element](#boolean-element) - ## Background In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. 
For more information, see [Group Policy ADMX Syntax Reference Guide](https://technet.microsoft.com/en-us/library/cc753471(v=ws.10).aspx). @@ -47,6 +30,16 @@ An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policy Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies). +## Video walkthrough + +Here is a video of how to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune. + +> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121] + +Here is a video of how to import a custom ADMX file to a device using Intune. + +> [!VIDEO https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73] + ## ADMX files and the Group Policy Editor To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named “Publishing Server 2 Settings.” When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. 
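Review bot: The added "Video walkthrough" section is the same two paragraphs and video links that this patch also appends to enable-admx-backed-policies-in-mdm.md, so the two copies will drift; consider keeping one and linking to it from the other page. In the first sentence, "create a custom xml" and "deploy the XML" use different casing for the same term, so use "XML" in both places. The section also lands between the Policy CSP URI explanation and "ADMX files and the Group Policy Editor", which interrupts the conceptual flow; the end of the article would be a better position.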
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 6708631bb3..c3162d20c2 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 11/09/2017 +ms.date: 03/06/2018 --- # Take response actions on a file @@ -48,7 +48,7 @@ The **Stop and Quarantine File** action includes stopping running processes, qua The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days. >[!NOTE] ->You’ll be able to remove the file from quarantine at any time. +>You’ll be able to restore the file from quarantine at any time. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: @@ -101,7 +101,7 @@ You can roll back and remove a file from quarantine if you’ve determined that ``` > [!NOTE] -> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days. +> Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days. ## Block files in your network You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. 
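Review bot: Both notes now say "restore", but the sentence shown in the second hunk header still reads "You can roll back and remove a file from quarantine", so the section uses two verbs for the same action. Change that sentence to "restore" as well. Because the second note says the command restores all files quarantined on the machine in the last 30 days, not only the selected file, it would help to state that scope before the command rather than only after it.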
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md index 6fa550565a..e2bb30d5ac 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-windows-defender-advanced-threat-protection.md @@ -45,6 +45,9 @@ Threat analytics helps you continually assess and control risk exposure to Spect - **Microcode mitigation**: Identifies machines that have installed the necessary microcode updates or those that do not require them - **Overall mitigation status**: Identifies the completeness by which machines have mitigated against the Spectre and Meltdown exploits + +To access Threat analytics, from the navigation pane select **Dashboards** > **Threat analytics**. + Click a section of each chart to get a list of the machines in the corresponding mitigation status.
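Review bot: The new sentence "To access Threat analytics, from the navigation pane select **Dashboards** > **Threat analytics**." is placed after the list of charts and before "Click a section of each chart", so the reader learns where the dashboard is only after reading what it contains. Move it above the chart descriptions. This file's diff also has no ms.date change, unlike the other articles edited in this patch, so bump the date if that is the convention.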