Merge branch 'master' into nimishasatapathy-5178244

This commit is contained in:
Nimisha Satapathy
2021-06-12 16:02:18 +05:30
committed by GitHub
53 changed files with 1285 additions and 807 deletions

View File

@ -8,9 +8,9 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.localizationpriority: medium
ms.date: 08/11/2020
ms.date: 06/02/2021
---
# Defender CSP
@ -56,8 +56,8 @@ Defender
--------TamperProtectionEnabled (Added in Windows 10, version 1903)
--------IsVirtualMachine (Added in Windows 10, version 1903)
----Configuration (Added in Windows 10, version 1903)
--------TamperProetection (Added in Windows 10, version 1903)
--------EnableFileHashcomputation (Added in Windows 10, version 1903)
--------TamperProtection (Added in Windows 10, version 1903)
--------EnableFileHashComputation (Added in Windows 10, version 1903)
--------SupportLogLocation (Added in the next major release of Windows 10)
----Scan
----UpdateSignature
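Review bot: the corrected node names TamperProtection and EnableFileHashComputation are CSP URI segments, so they must match the NodeName values in the Defender DDF; the DDF hunk in this same commit only inserts an empty Node element and does not touch those names, so confirm the DDF already spells them this way, otherwise the tree here and the DDF will disagree.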
@ -94,11 +94,11 @@ The data type is integer.
The following list shows the supported values:
- 0 = Unknown
- 1 = Low
- 2 = Moderate
- 4 = High
- 5 = Severe
- 0 = Unknown
- 1 = Low
- 2 = Moderate
- 4 = High
- 5 = Severe
Supported operation is Get.
@ -171,17 +171,17 @@ The data type is integer.
The following list shows the supported values:
- 0 = Active
- 1 = Action failed
- 2 = Manual steps required
- 3 = Full scan required
- 4 = Reboot required
- 5 = Remediated with noncritical failures
- 6 = Quarantined
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
- 10 = No Status ( Cleared)
- 0 = Active
- 1 = Action failed
- 2 = Manual steps required
- 3 = Full scan required
- 4 = Reboot required
- 5 = Remediated with noncritical failures
- 6 = Quarantined
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
- 10 = No Status ( Cleared)
Supported operation is Get.
@ -491,7 +491,7 @@ Supported operations are Add, Delete, Get, Replace.
<a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
When this feature is enabled Windows defender will compute hashes for files it scans.
When this feature is enabled Windows Defender will compute hashes for files it scans.
The data type is integer.
@ -542,4 +542,4 @@ Supported operations are Get and Execute.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
[Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -10,7 +10,6 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 08/11/2020
---
# Defender DDF file
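Review bot: ms.date is removed from the Defender DDF front matter while the sibling Defender CSP page in this commit is updated to 06/02/2021; either set the same date here or state why the DDF page should carry none.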
@ -757,6 +756,7 @@ The XML below is the current version for this CSP.
</DFType>
</DFProperties>
</Node>
<Node>
</Node>
<Node>
<NodeName>Scan</NodeName>
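Review bot: an empty `<Node>` / `</Node>` pair with no NodeName and no DFProperties is inserted right before the Scan node; that reads as a merge leftover rather than a node definition and should be removed (or completed with the node it was meant to describe), since a DDF node without a name is not a usable entry.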

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date:
ms.date: 06/02/2021
ms.reviewer:
manager: dansimp
---
@ -18,9 +18,9 @@ Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
Requirements:
- AD-joined PC running Windows 10, version 1709 or later
- Active Directory-joined PC running Windows 10, version 1709 or later
- The enterprise has configured a mobile device management (MDM) service
- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
@ -195,6 +195,8 @@ Requirements:
- 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
- 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
2. Install the package on the Domain Controller.
3. Navigate, depending on the version to the folder:
@ -211,6 +213,8 @@ Requirements:
- 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
- 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
5. Copy PolicyDefinitions folder to **\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions**.
@ -294,7 +298,7 @@ To collect Event Viewer logs:
- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
### Useful Links
- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
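Review bot: the Useful Links list gains the 21H1 templates but then jumps to 1909, while the steps earlier in this same file reference the 20H2 templates (`Windows 10 October 2020 Update (20H2)`, download id 102157); add the 20H2 entry here so the links match the versions the procedure names.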

View File

@ -4521,7 +4521,7 @@ ADMX Info:
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives.
If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.
@ -5356,4 +5356,4 @@ ADMX Info:
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->
<!--/Policies-->

View File

@ -542,7 +542,7 @@ Value type is integer. Supported values:
> [!Warning]
> This policy is in preview mode only and therefore not meant or recommended for production purposes.
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML).
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.
> [!Note]
> Web Sign-in is only supported on Azure AD Joined PCs.
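Review bot: the rewritten sentence narrows what Web Sign-in is documented to do, from non-ADFS federated providers such as SAML to "new Azure AD credentials, like Temporary Access Pass"; if SAML federation is no longer in scope, say so explicitly rather than dropping it silently, because admins who deployed on the old description will look for that statement. The preview warning and the Azure AD joined note are left unchanged, so confirm both still hold under the new description.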

View File

@ -51,7 +51,7 @@ manager: dansimp
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
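Review bot: flipping Pro from a cross mark to a check mark with `<sup>6</sup>` introduces a footnote reference; make sure this file's Footnotes section defines 6 (in the other policy files touched by this commit, 6 means "Available in Windows 10, version 1903") and that 1903 is really the release where Pro gained these settings. The same reference is repeated in the two hunks below.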
@ -115,7 +115,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 05/02/2021
ms.reviewer:
manager: dansimp
---
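Review bot: ms.date is set to 05/02/2021, but the other pages in this commit use 06/02/2021 and the commit itself is dated June 2021; this looks like a typo for 06/02/2021.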
@ -1045,9 +1045,7 @@ GP Info:
<!--/RegistryMapped-->
<!--SupportedValues-->
Valid values:
- 0 - disabled
- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled.
<!--/SupportedValues-->
<!--/Policy-->
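Review bot: if the bare "Valid values:" line at the top of this hunk is kept as context, the result reads "Valid values:" twice in a row; drop the first one so only the new "Valid values: From 0 to 599940 ..." sentence remains. The content change itself is right: the old 0/1 list contradicted a setting that is an inactivity limit in seconds.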
@ -1243,7 +1241,8 @@ If you click Force Logoff in the Properties dialog box for this policy, the user
If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
> [!NOTE]
> Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
Default: This policy is not defined, which means that the system treats it as No action.
@ -2459,7 +2458,8 @@ If you select "Enable auditing for all accounts", the server will log events for
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
> [!NOTE]
> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
<!--/Description-->
<!--RegistryMapped-->
@ -2537,7 +2537,8 @@ If you select "Deny all accounts," the server will deny NTLM authentication requ
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
> [!NOTE]
> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
<!--/Description-->
<!--RegistryMapped-->
@ -2615,7 +2616,8 @@ If you select "Deny all," the client computer cannot authenticate identities to
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
> [!NOTE]
> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
<!--/Description-->
<!--RegistryMapped-->
@ -2899,7 +2901,9 @@ This policy setting controls the behavior of the elevation prompt for administra
The options are:
- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
> [!NOTE]
> Use this option only in the most constrained environments.
- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
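Review bot: the `> [!NOTE]` block is placed between the `- 0` and `- 1` bullets at column 0; unindented, it terminates the list so `- 1` starts a new one. Indent the blockquote under the `- 0` item (two spaces) so the note renders as part of that option and the list stays contiguous.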
@ -3170,11 +3174,12 @@ User Account Control: Only elevate UIAccess applications that are installed in s
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
- …\Program Files\, including subfolders
- …\Windows\system32\
- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
- .\Program Files\, including subfolders
- .\Windows\system32\
- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows
Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
> [!NOTE]
> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
The options are:
- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
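Review bot: replacing the leading `…` with `.` in the three secure-location paths changes their meaning: `.\Program Files\` is a path relative to the current directory, while the ellipsis stood in for the system drive (for example `C:\Program Files\`). Because this setting exists precisely to pin UIAccess applications to fixed, protected locations, the path form matters; write them as `%ProgramFiles%\`, `%SystemRoot%\system32\` and `%ProgramFiles(x86)%\`, or spell out `<system drive>:\Program Files\`. The note about the PKI signature check is fine as a `[!NOTE]` block.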
@ -3242,7 +3247,9 @@ User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
The options are:
- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled.
> [!NOTE]
> If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
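Review bot: the `> [!NOTE]` inserted between the `- 0` and `- 1` bullets is not indented under the `- 0` item, so it breaks the list and `- 1` starts a new list; indent the blockquote two spaces so the Security Center warning stays attached to the Disabled option.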
@ -3467,4 +3474,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->
<!--/Policies-->

View File

@ -49,6 +49,9 @@ manager: dansimp
<dd>
<a href="#system-allowtelemetry">System/AllowTelemetry</a>
</dd>
<dd>
<a href="#system-allowUpdateComplianceProcessing">System/AllowUpdateComplianceProcessing</a>
</dd>
<dd>
<a href="#system-allowusertoresetphone">System/AllowUserToResetPhone</a>
</dd>
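Review bot: the new id `system-allowUpdateComplianceProcessing` is mixed-case; every other anchor in this list is lowercase (`system-allowtelemetry`, `system-allowusertoresetphone`). Use `system-allowupdatecomplianceprocessing` in this link and in the matching `<a id>` of the policy body so the page's anchor convention stays consistent.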
@ -738,21 +741,15 @@ The following list shows the supported values for Windows 8.1:
In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft.
The following list shows the supported values for Windows 10 version 1809 and older:
The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets):
- 0 **Off (Security)** This turns Windows diagnostic data off.
**Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1.
- 1 **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
- 2 (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps.
**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1.
- 3 **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs.
- 0 (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender.
**Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
- 1 (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data.
- 2 (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data.
- 3 (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices.
Most restricted value is 0.
The following list shows the supported values for Windows 10 version 19H1 and later:
- **Diagnostic data off** - No Windows diagnostic data sent.
- **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected.
- **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.
Most restrictive value is 0.
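Review bot: the list heading still says "Windows 10 version 1809 and older", but the new entries use the 19H1-and-later names (Off, Required, Optional) with the old names in brackets and the separate 19H1-and-later list has been deleted, so the heading now contradicts the "choose the value that is applicable to your OS version" instruction that follows it; reword it to cover all versions. Two smaller points in the same block: value 2 is formatted as `2 (**Enhanced**)` while the other three are `N **NewName (OldName)**`, and the note on value 0 reads "other devices editions of Windows" (should be "other editions of Windows"). Keep "Most restrictive value is 0" as in the removed text rather than "Most restricted".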
<!--<table style="margin-left: 20px">
<colgroup>
@ -795,6 +792,77 @@ ADMX Info:
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-allowUpdateComplianceProcessing"></a>**System/AllowUpdateComplianceProcessing**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance.
If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service.
If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Update Compliance Processing*
- GP name: *AllowUpdateComplianceProcessing*
- GP element: *AllowUpdateComplianceProcessing*
- GP path: *Data Collection and Preview Builds*
- GP ADMX file name: *DataCollection.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disabled.
- 16 - Enabled.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
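Review bot: the new policy is tagged with footnote 6 (version 1903) in every SKU row, yet this same commit adds footnotes 9 (20H2) and 10 (21H1) to the file; confirm which release actually introduced AllowUpdateComplianceProcessing and use the matching footnote. Also, "16 - Enabled" beside "0 - Disabled" will surprise admins who try 1; if 16 is the correct value, one sentence saying that 1 is not accepted would prevent a failed deployment. The description should also state the supported operations, as the neighbouring policies do.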
@ -856,6 +924,7 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**
@ -1614,13 +1683,13 @@ To enable this behavior, you must complete two steps:
- Enable this policy setting
- Set the **AllowTelemetry** level:
- For Windows 10 version 1809 and older: set **AllowTelemetry** to (Enhanced)
- For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1)
- For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full)
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: <a href="/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields" data-raw-source="[Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)">Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics</a>.
Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft.
If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
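Review bot: the last sentence of the rewritten paragraph drops the Security level: the old text said the setting has no effect at "full, basic or security", the new text lists only Required (Basic) and Optional (Full). Since the paragraph above says the extra events are only sent on top of Enhanced, a device at 0 (Off/Security) is equally unaffected; keep it in the list, e.g. "configured to send Off (Security), Required (Basic) or Optional (Full) diagnostic data".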
@ -1784,5 +1853,7 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 9 - Available in Windows 10, version 20H2.
- 10 - Available in Windows 10, version 21H1.
<!--/Policies-->
<!--/Policies-->
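Review bot: footnotes 9 (20H2) and 10 (21H1) are added, but nothing in this diff references `<sup>9</sup>` or `<sup>10</sup>`; either they are meant for the new AllowUpdateComplianceProcessing rows (which currently use 6) or they are unused and can wait until a policy needs them.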

View File

@ -61,9 +61,9 @@ SurfaceHub
--------SleepTimeout
--------AllowSessionResume
--------AllowAutoProxyAuth
--------ProxyServers
--------DisableSigninSuggestions
--------DoNotShowMyMeetingsAndFiles
----ProxyServers
----Management
--------GroupName
--------GroupSid
@ -571,6 +571,11 @@ SurfaceHub
<p style="margin-left: 20px">If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="properties-proxyservers"></a>**Properties/ProxyServers**
<p style="margin-left: 20px">Added in <a href="https://support.microsoft.com/topic/may-28-2019-kb4499162-os-build-15063-1839-ed6780ab-38d6-f590-d789-5ba873b1e142" data-raw-source="[KB4499162](https://support.microsoft.com/topic/may-28-2019-kb4499162-os-build-15063-1839-ed6780ab-38d6-f590-d789-5ba873b1e142)">KB4499162</a> for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
<a href="" id="properties-disablesigninsuggestions"></a>**Properties/DisableSigninSuggestions**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
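Review bot: because AllowAutoProxyAuth causes the device account credentials to be presented to these servers before any user interaction, the ProxyServers description should tell admins to list only proxies they control and to match the exact FQDN (nothing here says a wildcard or bare domain is accepted, so do not imply it); an example value such as `proxy1.contoso.com;proxy2.contoso.com` would also make the "semi-colon separated list, without any additional prefixes" format concrete. Moving ProxyServers from the top of the tree into Properties matches the new `Properties/ProxyServers` anchor, which is correct.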