Merge branch 'master' into MDBranchStartPolicyScopeUpdate

This commit is contained in:
Denise Vangel-MSFT
2021-08-23 10:24:13 -07:00
committed by GitHub
6761 changed files with 215294 additions and 407036 deletions

View File

@ -1,37 +0,0 @@
# [Manage clients in Windows 10](index.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Create mandatory user profiles](mandatory-user-profile.md)
## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [New policies for Windows 10](new-policies-for-windows-10.md)
## [Windows 10 default media removal policy](change-default-removal-policy-external-storage-media.md)
## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
## [What version of Windows am I running](windows-version-search.md)
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
### [Advanced troubleshooting for Windows networking](troubleshoot-networking.md)
#### [Advanced troubleshooting Wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
#### [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)
##### [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)
#### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
##### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
##### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
##### [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md)
##### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
### [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md)
#### [How to determine the appropriate page file size for 64-bit versions of Windows](determine-appropriate-page-file-size.md)
#### [Generate a kernel or complete crash dump](generate-kernel-or-complete-crash-dump.md)
#### [Introduction to the page file](introduction-page-file.md)
#### [Configure system failure and recovery options in Windows](system-failure-recovery-options.md)
#### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
#### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md)
#### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md)
#### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
#### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
#### [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)
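Review bot: The whole file is deleted (-1,37 +0,0) and no replacement table of contents appears in this hunk; before merging, confirm that every entry listed here, in particular the nested troubleshooting subtree (troubleshoot-networking.md, troubleshoot-windows-startup.md and their children) and the mdm/index.md entry, is present in whatever replaces it, otherwise those pages drop out of navigation.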

View File

@ -4,11 +4,11 @@ description: Administrative Tools is a folder in Control Panel that contains too
ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.topic: article
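Review bot: The ownership change to `author: greg-lindsay` / `ms.author: greglin` is consistent, but `ms.date: 07/27/2017` is left untouched even though the body of this file is rewritten further down; bump the date so the published page reflects the revision, and either fill the empty `ms.reviewer:` field or drop it.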
@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are
![Screenshot of folder of admin tools](images/admin-tools-folder.png)
These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.
These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
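Review bot: The added sentence hardcodes `C:\Windows\System32\` while the rest of this commit uses environment-variable forms such as `%windir%` and `%SystemDrive%`; prefer `%windir%\System32\` so the statement holds on systems where Windows is not installed on C:. Splitting the old run-on into shorter sentences is a good change.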
@ -37,18 +37,20 @@ These tools were included in previous versions of Windows and the associated doc
- [Computer Management](https://support.microsoft.com/kb/308423)
- [Defragment and Optimize Drives](https://go.microsoft.com/fwlink/p/?LinkId=708488)
- [Disk Cleanup](https://go.microsoft.com/fwlink/p/?LinkID=698648)
- [Event Viewer](https://go.microsoft.com/fwlink/p/?LinkId=708491)
- [iSCSI Initiator](https://go.microsoft.com/fwlink/p/?LinkId=708492)
- [Local Security Policy](https://go.microsoft.com/fwlink/p/?LinkId=708493)
- [Event Viewer](/previous-versions/windows/it-pro/windows-2000-server/cc938674(v=technet.10))
- [iSCSI Initiator](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476(v=ws.10))
- [Local Security Policy](/previous-versions/tn-archive/dd277395(v=technet.10))
- [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494)
- [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495)
- [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496)
- [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497)
- [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498)
- [Performance Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749115(v=ws.11))
- [Print Management](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731857(v=ws.11))
- [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive)
- [Registry Editor](/windows/win32/sysinfo/registry)
- [Resource Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883276(v=ws.10))
- [Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772408(v=ws.11))
- [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499)
- [System Information]( https://go.microsoft.com/fwlink/p/?LinkId=708500)
- [Task Scheduler](https://go.microsoft.com/fwlink/p/?LinkId=708501)
- [Windows Firewall with Advanced Security](https://go.microsoft.com/fwlink/p/?LinkId=708503)
- [Task Scheduler](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766428(v=ws.11))
- [Windows Firewall with Advanced Security](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754274(v=ws.11))
- [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507)
> [!TIP]
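Review bot: The link cleanup leaves three entries with a leading space inside the URL parentheses, `[ODBC Data Sources]( https://...)`, `[System Information]( https://...)` and `[Windows Memory Diagnostic]( https://...)`, which some Markdown renderers emit as literal text rather than a link; strip the space while this list is being touched. The two new entries, Recovery Drive and Registry Editor, land in the correct alphabetical slots.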
@ -56,11 +58,5 @@ These tools were included in previous versions of Windows and the associated doc
## Related topics
[Diagnostic Data Viewer](https://docs.microsoft.com/windows/privacy/diagnostic-data-viewer-overview)
[Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview)

View File

@ -2,12 +2,12 @@
title: Advanced Troubleshooting 802.1X Authentication
ms.reviewer:
manager: dansimp
description: Learn how 802.1X Authentication works
description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients.
keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: dansimp
author: greg-lindsay
ms.localizationpriority: medium
ms.author: tracyp
ms.topic: troubleshooting
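Review bot: `author:` changes to `greg-lindsay` but `ms.author: tracyp` is left as is, so the two ownership fields now disagree; the other files in this commit set both fields to the same person, so align them here too. The expanded description is fine.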
@ -17,29 +17,29 @@ ms.topic: troubleshooting
## Overview
This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution.
This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution.
## Scenarios
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS.
This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
## Known Issues
## Known issues
None
## Data Collection
## Data collection
See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md).
## Troubleshooting
Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications.
Viewing [NPS authentication status events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications.
NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy).
NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article.
Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it.
In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
![example of an audit failure](images/auditfailure.png)
*Example: event ID 6273 (Audit Failure)*<br><br>
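Review bot: The rewrite keeps the agreement error in the Scenarios paragraph, `wireless or wired connections with 802.1X authentication is attempted`; it should read `are attempted`. Otherwise the rewording is an improvement, and keeping the exact event IDs 6272 and 6273 in the text is useful for anyone writing a triage or detection query against the NPS Security log.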
@ -47,35 +47,35 @@ In the event message, scroll to the very bottom, and check the [Reason Code](htt
![example of an audit success](images/auditsuccess.png)
*Example: event ID 6272 (Audit Success)*<br>
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one.
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to **..\Wired-AutoConfig/Operational**. See the following example:
On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example:
![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png)
Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.).
Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure.
First, validate the type of EAP method being used:
First, validate the type of EAP method that's used:
![eap authentication type comparison](images/comparisontable.png)
If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section.
If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section.
![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
The CAPI2 event log will be useful for troubleshooting certificate-related issues.
This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**.
The CAPI2 event log is useful for troubleshooting certificate-related issues.
By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**.
![screenshot of event viewer](images/capi.png)
The following article explains how to analyze CAPI2 event logs:
[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
For information about how to analyze CAPI2 event logs, see
[Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication:
When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:
![authenticatior flow chart](images/authenticator_flow_chart.png)
![authenticator flow chart](images/authenticator_flow_chart.png)
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples:
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples:
![client-side packet capture data](images/clientsidepacket_cap_data.png)
*Client-side packet capture data*<br><br>
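Review bot: Two wording slips survive the rewrite: `the Wired AutoConfig operational log is an equivalent one` reads oddly (`is the equivalent` is enough), and `Here's an example of wireless connection process` is missing an article (`of the wireless connection process`). The `authenticatior` typo fix in the image alt text is good.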
@ -85,16 +85,16 @@ If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both
> [!NOTE]
> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below.
> If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example:
![ETL parse](images/etl.png)
## Audit policy
NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot.
By default, NPS audit policy (event logging) for connection success and failure is enabled. If you find that one or both types of logging are disabled, use the following steps to troubleshoot.
View the current audit policy settings by running the following command on the NPS server:
```
```console
auditpol /get /subcategory:"Network Policy Server"
```
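Review bot: `view ETL files with network monitor` should capitalize Network Monitor, as the same note does two words later; and the parser sentence now says `see the instructions under the Help menu` without saying what to do with them, so the old `Follow the instructions` was clearer. Switching the fence to ```console matches the rest of the commit.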
@ -106,15 +106,14 @@ Logon/Logoff
Network Policy Server Success and Failure
</pre>
If it shows No auditing, you can run this command to enable it:
```
If it says, "No auditing," you can run this command to enable it:
```console
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
```
Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**.
Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**.
## Additional references
[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)<br>
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx)
[Troubleshooting Windows Vista 802.11 Wireless Connections](/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))<br>
[Troubleshooting Windows Vista Secure 802.3 Wired Connections](/previous-versions/windows/it-pro/windows-vista/cc749352(v=ws.10))
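Review bot: The section offers two ways to turn NPS auditing on, `auditpol /set` locally and the Audit Network Policy Server setting in Group Policy, but never says what happens when both are in use; one sentence on which setting wins would save readers from re-enabling locally and then watching it revert. Also, the command output is shown in a `<pre>` block while the commands use ```console fences; use the fence for both so the section renders consistently.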

View File

@ -1,11 +1,11 @@
---
title: Advanced troubleshooting for Windows boot problems
description: Learn how to troubleshoot when Windows is unable to boot
description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
ms.prod: w10
ms.sitesec: library
author: dansimp
author: greg-lindsay
ms.localizationpriority: medium
ms.author: dansimp
ms.author: greglin
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
@ -22,7 +22,7 @@ ms.topic: troubleshooting
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
| **Phase** | **Boot Process** | **BIOS** | **UEFI** |
| Phase | Boot Process | BIOS | UEFI |
|-----------|----------------------|------------------------------------|-----------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi |
@ -73,10 +73,12 @@ Each phase has a different approach to troubleshooting. This article provides tr
To determine whether the system has passed the BIOS phase, follow these steps:
1. If there are any external peripherals connected to the computer, disconnect them.
2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase.
3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS.
If the system is stuck at the BIOS phase, there may be a hardware problem.
If the system is stuck at the BIOS phase, there may be a hardware problem.
## Boot loader phase
@ -99,35 +101,37 @@ The Startup Repair tool automatically fixes many common problems. The tool also
To do this, follow these steps.
> [!NOTE]
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**.
3. On the **Choose an option** screen, select **Troubleshoot**.
4. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly.
4. On the **Advanced options** screen, select **Startup Repair**.
5. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly.
The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
**%windir%\System32\LogFiles\Srt\Srttrail.txt**
For more information see, [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
```dos
```console
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
```dos
```console
BOOTREC /FIXBOOT
```
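Review bot: The corrected step sequence (Troubleshoot > Advanced options > Startup Repair) fixes the old step 3, which sent readers to Command Prompt instead of Startup Repair. The NOTE link still carries the fragment `#span-identrypointsintowinrespanspan-...`, which looks like a scraped heading id rather than a stable anchor; link to the page without the fragment or verify that the anchor exists on the target.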
@ -139,51 +143,54 @@ BOOTREC /FIXBOOT
If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this, run the following command:
```dos
```console
Bootrec /ScanOS
```
2. Restart the computer to check whether the problem is fixed.
3. If the problem is not fixed, run the following command:
```dos
```console
Bootrec /rebuildbcd
```
4. You might receive one of the following outputs:
```dos
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 0
The operation completed successfully.
```
```dos
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
D:\Windows
Add installation to boot list? Yes/No/All:
```
If the output shows **windows installation: 0**, run the following commands:
```dos
bcdedit /export c:\bcdbackup
attrib c:\\boot\\bcd -r s -h
ren c:\\boot\\bcd bcd.old
bootrec /rebuildbcd
```
After you run the command, you receive the following output:
```dos
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
{D}:\Windows
Add installation to boot list? Yes/No/All: Y
```
If the output shows **windows installation: 0**, run the following commands:
```console
bcdedit /export c:\bcdbackup
attrib c:\\boot\\bcd -r s -h
ren c:\\boot\\bcd bcd.old
bootrec /rebuildbcd
```
After you run the command, you receive the following output:
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
{D}:\Windows
Add installation to boot list? Yes/No/All: Y
```
5. Try restarting the system.
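Review bot: The BCD recovery commands are carried over unchanged with two defects: `attrib c:\\boot\\bcd -r s -h` has doubled backslashes that render literally inside a code fence, and `s` lacks its leading minus, so the command should read `attrib c:\boot\bcd -r -s -h` (the Bootmgr section later in this file spells it `-r -s -h`). Also the text tells the reader to act when the output shows **windows installation: 0**, but the output shown reads `Total identified Windows installations: 0`; quote the actual string.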
@ -194,17 +201,20 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv
1. At a command prompt, change the directory to the System Reserved partition.
2. Run the **attrib** command to unhide the file:
```dos
```console
attrib -r -s -h
```
3. Run the same **attrib** command on the Windows (system drive):
```dos
```console
attrib -r -s -h
```
4. Rename the Bootmgr file as Bootmgr.old:
```dos
```console
ren c:\bootmgr bootmgr.old
```
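Review bot: `attrib -r -s -h` in steps 2 and 3 has no file argument, so it clears the read-only, system and hidden attributes on every file in the current directory rather than on Bootmgr alone; since step 4 renames `c:\bootmgr`, the command should name the file, e.g. `attrib -r -s -h bootmgr`.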
@ -220,6 +230,9 @@ If Windows cannot load the system registry hive into memory, you must restore th
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
## Kernel Phase
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
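Review bot: The added note is missing a space in `RegBack folder.This change`, and its link carries a locale segment (`/en-us/`) that the rest of this commit strips from URLs; drop it so the link follows the reader's locale.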
@ -227,8 +240,9 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed.
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
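Review bot: The example Stop code `0x00000C2` has seven hex digits where `0x0000007B` beside it has eight; Stop codes are eight digits, so this should be `0x000000C2`. The move to the relative link `./troubleshoot-inaccessible-boot-device.md` is consistent with the other link changes in this commit.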
@ -271,7 +285,7 @@ Disable any service that you find to be faulty, and try to start the computer ag
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
[Troubleshooting boot problem caused by missing driver signature (x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/)
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
> [!NOTE]
> If the computer is a domain controller, try Directory Services Restore mode (DSRM).
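Review bot: The sentence `If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode` reads as circular; it presumably means that if the computer only starts with signature enforcement disabled, boot that way and then use the linked article to identify the driver that needs a signature. Reword so the condition and the action are distinct.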
@ -307,26 +321,28 @@ To troubleshoot this Stop error, follow these steps to filter the drivers:
For additional troubleshooting steps, see the following articles:
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
1. Open a Command Prompt window in WinRE.
2. Run the command:
```dos
```console
DISM /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
```dos
```console
DISM /image:C:\ /remove-package /packagename: name of the package
```
```dos
```console
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
```
Try to start the computer.
Try to start the computer.
If the computer does not start, follow these steps:
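Review bot: The placeholder in `DISM /image:C:\ /remove-package /packagename: name of the package` has a space after the colon and no bracketing, so a reader can copy it literally; write it as `/packagename:<package name>` and say that the name comes from the `/get-packages` output in step 2. `Try to start the computer.` appears twice in the hunk, which looks like a whitespace-only change; fine if so.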
@ -358,13 +374,13 @@ If the computer does not start, follow these steps:
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles:
- [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump)
- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
For more information about page file problems in Windows 10 or Windows Server 2016, see the following:
- [Introduction to page files](https://docs.microsoft.com/windows/client-management/introduction-page-file)
- [Introduction to page files](./introduction-page-file.md)
For more information about Stop errors, see the following Knowledge Base article:
- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)
- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md)
If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
@ -374,14 +390,18 @@ If the dump file shows an error that is related to a driver (for example, window
- If the driver is not important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
- To do this, open WinRE, open a command prompt, and then run the following command:
```dos
```console
SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
```
For more information, see [Using System File Checker (SFC) To Fix Issues](https://blogs.technet.microsoft.com/askcore/2007/12/18/using-system-file-checker-sfc-to-fix-issues/)
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
- If there is disk corruption, run the check disk command:
```dos
```console
chkdsk /f /r
```
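Review bot: `chkdsk /f /r` has no volume argument; run from a WinRE command prompt it checks the current drive (the WinRE RAM drive), not the offline Windows volume, so the line should name the volume, for example `chkdsk C: /f /r` with the letter the reader confirmed earlier. The SFC line mixes letters (`/OffBootDir=C:\` with `/OffWinDir=E:\Windows`); that is valid when the boot and Windows volumes differ, but one sentence saying that both letters must be taken from the WinRE view of the disk would prevent copy-paste mistakes. The `dos` to `console` fence change matches the rest of the file.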
@ -392,3 +412,6 @@ If the dump file shows an error that is related to a driver (for example, window
3. Navigate to C:\Windows\System32\Config\.
4. Rename the all five hives by appending ".old" to the name.
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
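Review bot: step 5 still tells the reader to copy the hives from RegBack and overwrite Config, while the new note says Windows 10, version 1803 and later no longer maintain RegBack; the note should come before the steps, and step 5 should tell the reader to verify that the RegBack hives are actually usable (not empty) before renaming the Config hives, otherwise the procedure leaves the system with no good copy of either. Minor: missing space in `RegBack folder.This change`, `Regback`/`RegBack` spelling is inconsistent between step 5 and the note, and the support link keeps the `/en-us/` locale segment that the other links in this PR drop.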

View File

@ -2,14 +2,14 @@
title: Advanced Troubleshooting Wireless Network Connectivity
ms.reviewer:
manager: dansimp
description: Learn how troubleshooting of establishing Wi-Fi connections
description: Learn how to troubleshoot Wi-Fi connections. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine.
keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: dansimp
author: greg-lindsay
ms.localizationpriority: medium
ms.author: dansimp
ms.author: greglin
ms.topic: troubleshooting
---
@ -29,7 +29,7 @@ This workflow involves knowledge and use of [TextAnalysisTool](https://github.co
This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
> [!NOTE]
> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario.
> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario.
Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
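Review bot: the parenthetical in the last context line, `(rather flagged behaviors that have little or nothing to do with the problem scenario)`, is missing a word (probably `or rather`) and reads as a fragment; since this paragraph is the one that explains why grepping for "error" misleads, it is worth fixing while the ETW link on the previous line is being changed.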
@ -86,14 +86,14 @@ See the [example ETW capture](#example-etw-capture) at the bottom of this articl
The following is a high-level view of the main wifi components in Windows.
<table>
<tr><td><img src="images/wcm.png"></td><td>The <b>Windows Connection Manager</b> (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. </td></tr>
<tr><td><img src="images/wlan.png"></td><td>The <b>WLAN Autoconfig Service</b> (WlanSvc) handles the following core functions of wireless networks in windows:
<tr><td><img src="images/wcm.png" alt="Windows Connection Manager"></td><td>The <b>Windows Connection Manager</b> (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. </td></tr>
<tr><td><img src="images/wlan.png" alt="WLAN Autoconfig Service"></td><td>The <b>WLAN Autoconfig Service</b> (WlanSvc) handles the following core functions of wireless networks in windows:
- Scanning for wireless networks in range
- Managing connectivity of wireless networks</td></tr>
<tr><td><img src="images/msm.png"></td><td>The <b>Media Specific Module</b> (MSM) handles security aspects of connection being established.</td></tr>
<tr><td><img src="images/wifi-stack.png"></td><td>The <b>Native WiFi stack</b> consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.</td></tr>
<tr><td><img src="images/miniport.png"></td><td>Third-party <b>wireless miniport</b> drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.</td></tr>
<tr><td><img src="images/msm.png" alt="Media Specific Module"></td><td>The <b>Media Specific Module</b> (MSM) handles security aspects of connection being established.</td></tr>
<tr><td><img src="images/wifi-stack.png" alt="Native WiFi stack"></td><td>The <b>Native WiFi stack</b> consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.</td></tr>
<tr><td><img src="images/miniport.png" alt="Wireless miniport"></td><td>Third-party <b>wireless miniport</b> drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.</td></tr>
</table>
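Review bot: the `alt` attributes are a good accessibility fix, but the Markdown list inside the WlanSvc cell (`- Scanning for wireless networks in range` / `- Managing connectivity of wireless networks`) will not render as a list inside an HTML `<td>`; convert it to `<ul><li>...</li></ul>` or move the list out of the table. Also `in windows` should be `in Windows`, and `security aspects of connection being established` is missing `the`.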
@ -237,8 +237,8 @@ This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disas
### Resources
[802.11 Wireless Tools and Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))<br>
[Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)<br>
[802.11 Wireless Tools and Settings](/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))<br>
[Understanding 802.1X authentication for wireless networks](/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)<br>
## Example ETW capture
@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta
In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
![TAT filter example](images/tat.png)
![TAT filter example](images/tat.png)

View File

@ -4,11 +4,11 @@ description: In Windows 10, version 1809, the default removal policy for externa
ms.prod: w10
author: Teresa-Motiv
ms.author: v-tea
ms.date: 12/13/2019
ms.prod: w10
ms.date: 11/25/2020
ms.topic: article
ms.custom:
- CI 111493
- CI 125140
- CSSTroubleshooting
audience: ITPro
ms.localizationpriority: medium
@ -45,6 +45,13 @@ To change the policy for an external storage device:
![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png)
6. Select **Policies**, and then select the policy you want to use.
6. Select **Policies**.
> [!NOTE]
> Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box.
>
> If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available.
7. Select the policy that you want to use.
![Policy options for disk management](./images/change-def-rem-policy-2.png)

View File

@ -1,80 +0,0 @@
---
title: Change history for Client management (Windows 10)
description: View changes to documentation for client management in Windows 10.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
ms.date: 1/21/2020
ms.reviewer:
manager: dansimp
ms.topic: article
---
# Change history for Client management
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
## February 2020
New or changed topic | Description
--- | ---
[Blue screen occurs when you update the in-box Broadcom NIC driver](troubleshoot-stop-error-on-broadcom-driver-update.md) | New
[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated
## December 2019
New or changed topic | Description
--- | ---
[Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New
[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated
[Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New
## December 2018
New or changed topic | Description
--- | ---
[Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) | New
[Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) | New
[Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) | New
[Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) | New
[Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) | New
## November 2018
New or changed topic | Description
--- | ---
[Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) | New
[Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) | New
## RELEASE: Windows 10, version 1709
The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update).
## July 2017
| New or changed topic | Description |
| --- | --- |
| [Group Policy settings that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | Added that Start layout policy setting can be applied to Windows 10 Pro, version 1703 |
## June 2017
| New or changed topic | Description |
| --- | --- |
| [Create mandatory user profiles](mandatory-user-profile.md) | Added Windows 10, version 1703, to profile extension table |
## April 2017
| New or changed topic | Description |
|----------------------|-------------|
| [New policies for Windows 10](new-policies-for-windows-10.md) | Added a list of new Group Policy settings for Windows 10, version 1703 |
## RELEASE: Windows 10, version 1703
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topic has been added:
- [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)

View File

@ -20,90 +20,71 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 10
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
![Remote Desktop Connection client](images/rdp.png)
>[!TIP]
>Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connection to an Azure AD joined PC from an unjoined device or a non-Windows 10 device is not supported.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported.
- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
- On the PC you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
>[!NOTE]
>You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
>
>`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
>
> This command only works for AADJ device users already added to any of the local groups (administrators).
> Otherwise this command throws the below error. For example: </br>
> for cloud only user: "There is no such global user or group : *name*" </br>
> for synced user: "There is no such global user or group : *name*" </br>
>
>In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
>In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
- Adding users manually
You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet:
```powershell
net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
```
where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
This command only works for AADJ device users already added to any of the local groups (administrators).
Otherwise this command throws the below error. For example:
- for cloud only user: "There is no such global user or group : *name*"
- for synced user: "There is no such global user or group : *name*" </br>
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
> [!NOTE]
> For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.
>
> Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
- Adding users using policy
Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.
> [!NOTE]
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
> [!Note]
> If you cannot connect using Remote Desktop Connection 6.0, then you must turn off new features of RDP 6.0 and revert back to RDP 5.0 by changing a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
## Supported configurations
In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using:
- Password
- Smartcards
- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager
The table below lists the supported configurations for remotely connecting to an Azure AD-joined PC:
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
| Criteria | RDP from Azure AD registered device| RDP from Azure AD joined device| RDP from hybrid Azure AD joined device |
| - | - | - | - |
| **Client operating systems**| Windows 10, version 2004 and above| Windows 10, version 1607 and above | Windows 10, version 1607 and above |
| **Supported credentials**| Password, smartcard| Password, smartcard, Windows Hello for Business certificate trust | Password, smartcard, Windows Hello for Business certificate trust |
- Password
- Smartcards
- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
- Password
- Smartcards
- Windows Hello for Business, with or without an MDM subscription.
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
- Password
- Windows Hello for Business, with or without an MDM subscription.
> [!NOTE]
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
## Related topics
[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)
[How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c)
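Review bot: `net localgroup` is not a PowerShell cmdlet, yet the text calls it one and the fence is tagged `powershell`; call it a command and tag the block `cmd` or `console`, since it runs unchanged from either shell. The sentence after it is self-contradictory: it names the value `the-UPN-attribute-of-your-user`, then says it is the profile folder name under `C:\Users\` created from the DisplayName attribute; pick one and state exactly what follows `AzureAD\` (the later tip shows `AzureAD\yourloginid@domain.com`, which is a UPN, and the earlier tip's `AzureAD UPN` has lost its backslash). The step `4. Enter **Authenticated Users**, then click **Check Names**` refers to the Select Users dialog that the rewritten step 3 no longer opens, so either drop it or restore the Select Users instruction. The two `There is no such global user or group : *name*` lines are identical for cloud-only and synced users and can collapse to one. Finally, the instruction to turn off Remote Credential Guard on the client is carried over without a reason; because it removes a credential protection, say why it is required for Azure AD-joined targets and that it only needs to be off for those connections rather than globally.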

View File

@ -2,7 +2,7 @@
title: Data collection for troubleshooting 802.1X authentication
ms.reviewer:
manager: dansimp
description: Data needed for reviewing 802.1X Authentication issues
description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues.
keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
ms.prod: w10
ms.mktglfcycl:

View File

@ -8,8 +8,8 @@ author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.date: 8/28/2019
ms.reviewer:
manager: dcscontentpm
ms.reviewer: dcscontentpm
manager: dansimp
---
# How to determine the appropriate page file size for 64-bit versions of Windows

View File

@ -3,7 +3,8 @@
"content": [
{
"files": [
"**/*.md"
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
@ -31,7 +32,9 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
@ -45,7 +48,17 @@
"folder_relative_path_in_docset": "./"
}
},
"titleSuffix": "Windows Client Management"
"titleSuffix": "Windows Client Management",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"jborsecnik",
"tiburd",
"garycentric"
],
"searchScope": ["Windows 10"]
},
"fileMetadata": {},
"template": [],

View File

@ -1,6 +1,6 @@
---
title: Generate a kernel or complete crash dump
description: Learn how to generate a kernel or complete crash dump.
description: Learn how to generate a kernel or complete crash dump, and then use the output to troubleshoot several issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
@ -78,6 +78,9 @@ To do this, follow these steps:
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
> [!NOTE]
> This registry key is not required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect.
1. In Registry Editor, locate the following registry subkey:
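Review bot: the new note says the registry key has no effect on Windows 8 / Windows Server 2012 and later, but the numbered procedure that follows still reads as applying to every reader; add a sentence before step 1 saying that the registry steps are only needed on earlier versions and that later versions can go straight to the NMI test in step 9. The IMPORTANT block above it still uses an absolute `support.microsoft.com` link, which is fine since that site is not part of the docs relative-link migration.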
@ -102,12 +105,12 @@ To do this, follow these steps:
9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction.
If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](https://docs.microsoft.com/azure/virtual-machines/linux/serial-console-nmi-sysrq).
If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/azure/virtual-machines/linux/serial-console-nmi-sysrq).
### Use the keyboard
[Forcing a System Crash from the Keyboard](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
[Forcing a System Crash from the Keyboard](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
### Use Debugger
[Forcing a System Crash from the Debugger](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)
[Forcing a System Crash from the Debugger](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)


View File

@ -1,6 +1,6 @@
---
title: Boot sequence flowchart
description: A full-sized view of the boot sequence flowchart.
description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp

View File

@ -0,0 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.

View File

@ -0,0 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.
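Review bot: `network connections from Microsoft Edge to Microsoft service` should be `Microsoft services`, and `which hides the functionality of the Address bar drop-down list` attaches to the wrong clause; it describes the effect of disabling the policy, not of minimizing connections, so split it into its own sentence.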

View File

@ -0,0 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.

View File

@ -0,0 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.

View File

@ -0,0 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.
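Review bot: the last sentence, `If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.`, does not parse; it is unclear whether it describes what is sent, what is received, or the format of the configuration data itself. Rewrite it to say what data is transferred and in which direction, since that is what an admin deciding whether to disable this policy needs to know.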

View File

@ -0,0 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device.
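Review bot: `is integration with Cortana` should be `is integrated with Cortana`, and `prevent users from using Cortana but can still search to find items on their device` needs a subject for the second clause, for example `prevent users from using Cortana; users can still search for items on their device`.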

View File

@ -0,0 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 11/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,12 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, dont configure this policy.
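Review bot: "dont" is missing its apostrophe ("don't"), and the relative clause "which opens pop-up windows" reads as if Pop-up Blocker opens pop-ups. Suggest: "By default, Pop-up Blocker is turned off in Microsoft Edge, so pop-up windows can open. Enabling this policy turns on Pop-up Blocker, preventing pop-up windows from opening."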

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,13 @@
---
author: dansimp
ms.author: dansimp
ms.date: 04/23/2020
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---
[Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy):
This article describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content these browsers display. Techniques that aren't explicitly listed in this article are considered to be **unsupported**.

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,10 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -0,0 +1,11 @@
---
author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include
---

View File

@ -1,34 +0,0 @@
---
title: Client management (Windows 10)
description: Windows 10 client management
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
---
# Client management
**Applies to**
- Windows 10
Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise.
| Topic | Description |
|---|---|
|[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)| Links to documentation for tools for IT pros and advanced users in the Administrative Tools folder.|
|[Create mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.|
|[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
|[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
|[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10|
|[Windows 10 default media removal policy](change-default-removal-policy-external-storage-media.md) |In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal." |
|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
| [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. |
|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|
|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs|
|[Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
|[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.|
|[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. |
|[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. |
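Review bot: several pages linked from this deleted index (Connect to remote Azure Active Directory-joined PCs, New policies for Windows 10, Windows 10 default media removal policy, Group policies for enterprise and education editions, Manage the Settings app with Group Policy, Windows libraries, Change history for Client management) do not appear in the index.yml landing page added later in this commit; confirm they remain reachable from the TOC or add them to a card so the pages are not orphaned.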

View File

@ -0,0 +1,67 @@
### YamlMime:Landing
title: Client management # < 60 chars
summary: Find out how to apply custom configurations to Windows client devices. Windows provides many features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars
metadata:
title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 08/05/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: Device management
linkLists:
- linkListType: overview
links:
- text: Administrative Tools in Windows 10
url: administrative-tools-in-windows-10.md
- text: Create mandatory user profiles
url: mandatory-user-profile.md
- text: Mobile device management (MDM)
url: mdm/index.md
- text: MDM for device updates
url: mdm/device-update-management.md
- text: Mobile device enrollment
url: mdm/mobile-device-enrollment.md
# Card (optional)
- title: CSP reference documentation
linkLists:
- linkListType: overview
links:
- text: Configuration service provider reference
url: mdm/configuration-service-provider-reference.md
- text: DynamicManagement CSP
url: mdm/dynamicmanagement-csp.md
- text: BitLocker CSP
url: mdm/bitlocker-csp.md
- text: Policy CSP - Update
url: mdm/policy-csp-update.md
# Card (optional)
- title: Troubleshoot Windows clients
linkLists:
- linkListType: how-to-guide
links:
- text: Troubleshoot Windows 10 clients
url: windows-10-support-solutions.md
- text: Advanced troubleshooting for Windows networking
url: troubleshoot-networking.md
- text: Advanced troubleshooting for Windows start-up
url: troubleshoot-networking.md
- text: Advanced troubleshooting for Windows networking
url: troubleshoot-windows-startup.md
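Review bot: the last two links in the "Troubleshoot Windows clients" card have their urls swapped: "Advanced troubleshooting for Windows start-up" points to troubleshoot-networking.md, and a duplicated "Advanced troubleshooting for Windows networking" entry points to troubleshoot-windows-startup.md. Suggest a single start-up entry with `url: troubleshoot-windows-startup.md` and dropping the duplicate networking entry, which already appears two lines above. Also, `ms.subservice: subservice` looks like an unfilled template placeholder and should be set to a real value or removed.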

View File

@ -1,14 +1,14 @@
---
title: Introduction to the page file
description: Learn about the page files in Windows.
description: Learn about the page files in Windows. A page file is an optional, hidden system file on a hard disk.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.reviewer: greglin
manager: dcscontentpm
ms.reviewer: dcscontentpm
manager: dansimp
---
# Introduction to page files
@ -66,5 +66,5 @@ The system commit charge is the total committed or "promised" memory of all comm
The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
>[!Note]
>System-managed page files automatically grow up to three times the physical memory or 4 GB (whichever is larger) when the system commit charge reaches 90 percent of the system commit limit. This assumes that enough free disk space is available to accommodate the growth.
> [!NOTE]
> System-managed page files automatically grow up to three times the physical memory or 4 GB (whichever is larger, but no more than one-eighth of the volume size) when the system commit charge reaches 90 percent of the system commit limit. This assumes that enough free disk space is available to accommodate the growth.
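Review bot: the expanded parenthetical "(whichever is larger, but no more than one-eighth of the volume size)" stacks two conditions and reads awkwardly; consider "up to three times the physical memory or 4 GB, whichever is larger, capped at one-eighth of the volume size". The `>[!Note]` to `> [!NOTE]` change matches the docs alert syntax and is fine.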

View File

@ -1,210 +0,0 @@
---
title: Join Windows 10 Mobile to Azure Active Directory (Windows 10)
description: Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE).
ms.assetid: 955DD9EC-3519-4752-827E-79CEB1EC8D6B
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: dansimp
ms.localizationpriority: medium
ms.date: 09/21/2017
ms.topic: article
---
# Join Windows 10 Mobile to Azure Active Directory
**Applies to**
- Windows 10 Mobile
Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). This article describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.
## Why join Windows 10 Mobile to Azure AD
When a device running Windows 10 Mobile is joined to Azure AD, the device can exclusively use a credential owned by your organization, and you can ensure users sign in using the sign-in requirements of your organization. Joining a Windows 10 Mobile device to Azure AD provides many of the same benefits as joining desktop devices, such as:
- Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD.
- SSO in Microsoft Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211).
- SSO to resources on-premises.
- Automatically enroll in your mobile device management (MDM) service.
- Enable enterprise roaming of settings. (Not currently supported but on roadmap)
- Use Microsoft Store for Business to target applications to users.
## <a href="" id="bkmk-upgrade"></a>Are you upgrading current devices to Windows 10 Mobile?
Windows Phone 8.1 only supported the ability to connect the device to personal cloud services using a Microsoft account for authentication. This required creating Microsoft accounts to be used for work purposes. In Windows 10 Mobile, you have the ability to join devices directly to Azure AD without requiring a personal Microsoft account.
If you have existing Windows Phone 8.1 devices, the first thing to understand is whether the devices you have can be upgraded to Windows 10 Mobile. Microsoft will be releasing more information about upgrade availability soon. As more information becomes available, it will be posted at [How to get Windows 10 Mobile]( https://go.microsoft.com/fwlink/p/?LinkId=746312). Premier Enterprise customers that have a business need to postpone Windows 10 Mobile upgrade should contact their Technical Account Manager to understand what options may be available.
Before upgrading and joining devices to Azure AD, you will want to consider existing data usage. How users are using the existing devices and what data is stored locally will vary for every customer. Are text messages used for work purposes and need to be backed up and available after the upgrade? Are there photos stored locally or stored associated with an Microsoft account? Are there device and app settings that to be retained? Are there contacts stored in the SIM or associated with an Microsoft account? You will need to explore methods for capturing and storing the data that needs to be retained before you join the devices to Azure AD. Photos, music files, and documents stored locally on the device can be copied from the device using a USB connection to a PC.
To join upgraded mobile devices to Azure AD, [the devices must be reset](reset-a-windows-10-mobile-device.md) to start the out-of-box experience for device setup. Joining a device to Azure AD is not a change that can be done while maintaining existing user data. This is similar to changing a device from personally owned to organizationally owned. When a user joins an organizations domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile.
If you want to avoid the device reset process, consider [adding work accounts](#add-work-account) rather than joining the devices to Azure AD.
## <a href="" id="add-work-account"></a>The difference between "Add work account" and "Azure AD Join"
Even though Azure AD Join on Windows 10 Mobile provides the best overall experience, there are two ways that you can use an added work account instead of joining the device to Azure AD due to organizational requirements.
- You can complete OOBE using the **Sign in later** option. This lets you start using Windows 10 Mobile with any connected Azure AD account or Microsoft account.
- You can add access to Azure AD-backed resources on the device without resetting the device.
However, neither of these methods provides SSO in the Microsoft Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=734996)
Using **Settings** &gt; **Accounts** &gt; **Your email and accounts** &gt; **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook on the web, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password.
## Preparing for Windows 10 Mobile
- **Azure AD configuration**
Currently, Azure AD Join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. Many IT administrators may start with a desire to set up devices for their employees, but the Azure AD Join experience is optimized for end-users, including the option for automatic MDM enrollment.
By default, Azure AD is set up to allow devices to join and to allow users to use their corporate credentials on organizational-owned devices or personal devices. The blog post [Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkID=616791) has more information on where you can review your Azure AD settings. You can configure Azure AD to not allow anyone to join, to allow everyone in your organization to join, or you can select specific Azure AD groups which are allowed to join.
- **Device setup**
A device running Windows 10 Mobile can only join Azure AD during OOBE. New devices from mobile operators will be in this state when they are received. Windows Phone 8.1 devices that are [upgraded](#bkmk-upgrade) to Windows 10 Mobile will need to be reset to get back to OOBE for device setup.
- **Mobile device management**
An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or [Enterprise Mobility Suite (EMS)](https://go.microsoft.com/fwlink/p/?LinkID=723984) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](https://go.microsoft.com/fwlink/p/?LinkID=691615)
- **Windows Hello**
Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004)
- **Conditional access**
Conditional access policies are also applicable to Windows 10 Mobile. Multifactor authentication and device compliance policies can be applied to users or resources and require that the user or device satisfies these requirements before access to resources is allowed. Policies like **Domain Join** which support traditional domain joining only apply to desktop PC. Policies dependent on IP range will be tough to enforce on a phone as the IP address of the operator is used unless the user has connected to corporate Wi-Fi or a VPN.
- **Known issues**
- The apps for **Device backup and restore** and to sync photos to OneDrive only work with the Microsoft account as the primary account—these apps wont work on devices joined to Azure AD.
- **Find my Phone** will work depending on how you add a Microsoft account to the device—for example, the Cortana application will sign in with your Microsoft account in a way that makes **Find my Phone** work. Cortana and OneNote both work with Azure AD accounts but must be set up with a Microsoft account first.
- OneNote requires the user to sign in with a Microsoft account but will also provide access to Notebooks using the Azure AD account.
- If your organization is configured to federate with Azure AD, your federation proxy will need to be Active Directory Federation Services (ADFS) or a 3rd party which supports WS-Trust endpoints just like ADFS does.
## How to join Windows 10 Mobile to Azure AD
1. During OOBE, on the **Keep your life in sync** screen, choose the option **Sign in with a work account**, and then tap **Next**.
![choose how to sign in](images/aadj1.jpg)
2. Enter your Azure AD account. If your Azure AD account is federated, you will be redirected to your organization's sign-in page; if not, you enter your password here.
![sign in](images/aadj2.jpg)
If you are taken to your organization's sign-in page, you may be required to provide a second factor of authentication.
![multi-factor authentication](images/aadj3.jpg)
3. After authentication completes, the device registration is complete. If your MDM service has a terms of use page, it would be seen here as well. Federated users are required to provide a password again to complete the authentication to Windows. Users with passwords managed in the cloud will not see this additional authentication prompt. This federated login requires your federation server to support a WS-Trust active endpoint.
![enter password](images/aadj4.jpg)
4. Next, you set up a PIN.
![set up a pin](images/aadjpin.jpg)
**Note**  To learn more about the PIN requirement, see [Why a PIN is better than a password](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password).
 
**To verify Azure AD join**
- Go to **Settings** &gt; **Accounts** &gt; **Your email and accounts**. You will see your Azure AD account listed at the top and also listed as an account used by other apps. If auto-enrollment into MDM was configured, you will see in **Settings** &gt; **Accounts** &gt; **Work Access** that the device is correctly enrolled in MDM. If the MDM is pushing a certificate to be used by VPN, then **Settings** &gt; **Network & wireless** &gt; **VPN** will show the ability to connect to your VPN.
![verify that device joined azure ad](images/aadjverify.jpg)
## Set up mail and calendar
Setting up email on your Azure AD joined device is simple. Launching the **Mail** app brings you to the **Accounts** page. Most users will have their email accounts hosted in Office 365 and will automatically start syncing. Just tap **Ready to go**.
![email ready to go](images/aadjmail1.jpg)
When email is hosted in on-premises Exchange, the user must provide credentials to establish a basic authentication connection to the Exchange server. Tap **Add account** to see the types of mail accounts you can add, including your Azure AD account.
![email add an account](images/aadjmail2.jpg)
After you select an account type, you provide credentials to complete setup for that mailbox.
![set up email account](images/aadjmail3.jpg)
Setup for the **Calendar** app is similar. Open the app and you'll see your Azure AD account listed -- just tap **Ready to go**.
![calendar ready to go](images/aadjcal.jpg)
Return to **Settings** &gt; **Accounts** &gt; **Your email and accounts**, and you will see your Azure AD account listed for **Email, calendar, and contacts**.
![email, calendar, and contacts](images/aadjcalmail.jpg)
## Use Office and OneDrive apps
Office applications like Microsoft Word and Microsoft PowerPoint will automatically sign you in with your Azure AD account. When you open an Office app, you see a screen that allows you to choose between a Microsoft account and Azure AD account. Office shows this screen while it is automatically signing you in, so just be patient for a couple seconds and Office will automatically sign you in using your Azure AD account.
Microsoft Word automatically shows the documents recently opened on other devices. Opening a document allows you to jump straight to the same section you were last editing on another device.
![word](images/aadjword.jpg)
Microsoft PowerPoint shows your recently opened slide decks.
![powerpoint](images/aadjppt.jpg)
The OneDrive application also uses SSO, showing you all your documents and enabling you to open them without any authentication experience.
![onedrive](images/aadjonedrive.jpg)
In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Office 365 portal, and OneDrive for Business.
![browser apps](images/aadjbrowser.jpg)
OneNote requires a Microsoft account, but you can use it with your Azure AD account as well.
![sign in to onenote](images/aadjonenote.jpg)
After you sign in to OneNote, go to Settings &gt; Accounts, and you will see that your Azure AD account is automatically added.
![onenote settings](images/aadjonenote2.jpg)
To see the Notebooks that your Azure AD account has access to, tap **More Notebooks** and select the Notebook you want to open.
![see more notebooks](images/aadjonenote3.jpg)
## Use Microsoft Store for Business
[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Microsoft Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users.
![company tab on store](images/aadjwsfb.jpg)
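Review bot: "OneNote requires a Microsoft account, but you can use it with your Azure AD account as well" reads as a contradiction; the steps that follow show the Azure AD account being added automatically after a Microsoft-account sign-in, so say that directly, for example "OneNote requires a Microsoft account to sign in, but once you are signed in it adds your Azure AD account automatically". In the same passage, `Settings &gt; Accounts` uses an HTML entity where the rest of the page uses plain markdown; write `Settings > Accounts`. In the first paragraph, "for a couple seconds" should be "for a couple of seconds".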
@ -22,7 +22,6 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 10 Mobile
You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10.
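Review bot: with "Windows 10 Mobile" removed from the Applies to list, the unchanged sentence that follows still says the same tools manage "desktops, laptops, tablets, and phones"; drop "and phones" in this hunk (and the stray space in "Windows 10 :") so the body matches the narrowed scope.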
@ -36,17 +35,16 @@ You can use the same management tools to manage all device types running Windows
| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start |
| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices |
| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations |
| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 in their organizations |
## Learn more
[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx)
[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
[Microsoft Intune End User Enrollment Guide](https://go.microsoft.com/fwlink/p/?LinkID=617169)
[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
[Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616791)
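Review bot: the replacement target for "Microsoft Intune End User Enrollment Guide", `/samples/browse/?redirectedfrom=TechNet-Gallery`, is a generic gallery landing page rather than the guide, so the entry now promises a specific document that the link does not deliver; either link to the current Intune enrollment documentation or remove the entry. The bulk-enroll link update and the removal of "Windows 10 Mobile" from the CSP row are consistent with the Applies to change; removing the "Windows 10 Mobile and MDM" row should be accompanied by removing that topic wherever else it is listed, otherwise an orphaned entry remains.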
@ -58,16 +56,11 @@ You can use the same management tools to manage all device types running Windows
[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207)
Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=613208)
Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/)
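Review bot: the new target `/learn/` for "System Center 2012 R2 Configuration Manager & Windows Intune" is the Microsoft Learn home page, so the link text still names a specific course while the link lands on a catalogue; since the course covers a 2012-era product, the cleaner fix is to delete the entry rather than point it at a landing page.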
@ -0,0 +1,684 @@
---
title: Manage Device Installation with Group Policy (Windows 10)
description: Find out how to manage Device Installation Restrictions with Group Policy.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: barakm
ms.date: 07/05/2021
ms.reviewer:
manager: barakm
ms.author: barakm
ms.topic: article
---
# Manage Device Installation with Group Policy
**Applies to**
- Windows 10, Windows Server 2022
## Summary
By using Windows 10 operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
## Introduction
### General
This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows 10 versions starting with RS5 (1809). The guide includes the following scenarios:
- Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.
- Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
This guide describes the device installation process and introduces the device identification strings that Windows uses to match a device with the device-driver packages available on a machine. The guide also illustrates two methods of controlling device installation. Each scenario shows, step by step, one method you can use to allow or prevent the installation of a specific device or a class of devices.
The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide will not exactly match the user interface that appears on the computer.
It is important to understand that the Group Policies that are presented in this guide are only apply to machines/machine-groups, not to users/user-groups.
> [!IMPORTANT]
> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide is not meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
### Who Should Use This Guide?
This guide is targeted at the following audiences:
- Information technology planners and analysts who are evaluating Windows 10 and Windows Server 2022
- Enterprise information technology planners and designers
- Security architects who are responsible for implementing trustworthy computing in their organization
- Administrators who want to become familiar with the technology
### Benefits of Controlling Device Installation Using Group Policy
Restricting the devices that users can install reduces the risk of data theft and reduces the cost of support.
#### Reduce the risk of data theft
It is more difficult for users to make unauthorized copies of company data if users' computers cannot install unapproved devices that support removable media. For example, if users cannot install a USB thumb-drive device, they cannot download copies of company data onto a removable storage. This benefit cannot eliminate data theft, but it creates another barrier to unauthorized removal of data.
#### Reduce support costs
You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion.
## Scenario Overview
The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
Group Policy guides:
- [Create a Group Policy Object (Windows 10) - Windows security](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object)
- [Advanced Group Policy Management - Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/agpm)
### Scenario #1: Prevent installation of all printers
In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the prevent/allow functionality of Device Installation policies in Group Policy.
### Scenario #2: Prevent installation of a specific printer
In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one.
### Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
In this scenario, you will combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This is a more realistic scenario and brings you a step farther in understanding of the Device Installation Restrictions policies.
### Scenario #4: Prevent installation of a specific USB device
This scenario, although similar to scenario #2, brings another layer of complexity how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
In this scenario, combining all previous 4 scenarios, you will learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the prevent functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first 4 scenarios and therefore it is preferred to go over them first before attempting this scenario.
## Technology Review
The following sections provide a brief overview of the core technologies discussed in this guide and give background information that is necessary to understand the scenarios.
### Device Installation in Windows
A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it is a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages.
Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows 10 to specify which of these identifiers to allow or block.
The four types of identifiers are:
- Device Instance ID
- Device ID
- Device setup classes
- Removable Devices device type
#### Device Instance ID
A device instance ID is a system-supplied device identification string that uniquely identifies a device in the system. The Plug and Play (PnP) manager assigns a device instance ID to each device node (devnode) in a system's device tree.
#### Device ID
Windows can use each string to match a device to a driver package. The strings range from the specific, matching a single make and model of a device, to the general, possibly applying to an entire class of devices. There are two types of device identification strings: hardware IDs and compatible IDs.
##### Hardware IDs
Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision is not available.
##### Compatible IDs
Windows uses these identifiers to select a driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library.
> [!NOTE]
> For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.
Some physical devices create one or more logical devices when they are installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.
When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you did not allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs.
#### Device setup classes
Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices are belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached.
When you use device Classes to allow or prevent users from installing drivers, you must specify the GUIDs for all of the device's device setup classes, or you might not achieve the results you want. The installation might fail (if you want it to succeed) or it might succeed (if you want it to fail).
For example, a multi-function device, such as an all-in-one scanner/fax/printer, has a GUID for a generic multi-function device, a GUID for the printer function, a GUID for the scanner function, and so on. The GUIDs for the individual functions are "child nodes" under the multi-function device GUID. To install a child node, Windows must also be able to install the parent node. You must allow installation of the device setup class of the parent GUID for the multi-function device in addition to any child GUIDs for the printer and scanner functions.
For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs.
This guide does not depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
The following two links provide the complete list of Device Setup Classes. System Use classes are mostly refer to devices that come with a computer/machine from the factory, while Vendor classes are mostly refer to devices that could be connected to an existing computer/machine:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
#### Removable Device Device type
Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it is connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
### Group Policy Settings for Device Installation
Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
Device Installation section in Group Policy is a set of policies that control which device could or could not be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more details, see Group Policy Object Editor Technical Reference.
The following passages are brief descriptions of the Device Installation policies that are used in this guide.
> [!NOTE]
> Device Installation control is applied only to machines (computer configuration) and not users (user configuration) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You cannot apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.
#### Allow administrators to override Device Installation Restriction policies
This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or do not configure this policy setting, administrators are subject to all policy settings that restrict device installation.
#### Allow installation of devices that match any of these device IDs
This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
#### Allow installation of devices that match any of these device instance IDs
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
#### Allow installation of devices using drivers that match these device setup classes
This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.
#### Prevent installation of devices that match these device IDs
This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users cannot install. If you enable this policy setting, users cannot install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or do not configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation.
Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device.
#### Prevent installation of devices that match any of these device instance IDs
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
#### Prevent installation of devices using drivers that match these device setup classes
This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users cannot install. If you enable this policy setting, users cannot install or update devices that belong to any of the listed device setup classes. If you disable or do not configure this policy setting, users can install and update devices as permitted by other policy settings for device installation.
Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device from being installed even if it matches another policy setting that would allow installation of that device.
### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
> **Device instance IDs** > **Device IDs** > **Device setup class** > **Removable devices**
> [!NOTE]
> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
>
> If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
![Device Installation policies flow chart](images/device-installation-flowchart.png)<br/>_Device Installation policies flow chart_
## Requirements for completing the scenarios
### General
To complete each of the scenarios, please ensure your have:
- A client computer running Windows 10.
- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives do not require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
- A USB/network printer pre-installed on the machine.
- Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps.
### Understanding implications of applying Prevent policies retroactive
All Prevent policies have an option to apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator is not sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones.
This is a powerful tool, but as such it has to be used carefully.
> [!IMPORTANT]
> Applying the Prevent retroactive option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all Disk Drives could block the access to the disk on which the OS boots with; Preventing retroactive all Net could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
## Determine device identification strings
By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device do not match those shown in this guide, use the IDs that are appropriate to your device (this applies to Instance IDs and Classes, but we are not going to give an example for them in this guide).
You can determine the hardware IDs and compatible IDs for your device in two ways. You can use Device Manager, a graphical tool included with the operating system, or PnPUtil, a command-line tool available for all Windows versions. Use the following procedure to view the device identification strings for your device.
> [!NOTE]
> These procedures are specific to a Canon printer. If you are using a different type of device, you must adjust the steps accordingly. The significant difference will be the location of the device in the Device Manager hierarchy. Instead of being located in the Printers node, you must locate your device in the appropriate node.
To find device identification strings using Device Manager
1. Make sure your printer is plugged in and installed.
2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
4. Find the “Printers” section and find the target printer
![Selecting the printer in Device Manager](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_
5. Double-click the printer and move to the Details tab.
![Details tab](images/device-installation-dm-printer-details-screen.png)<br/>_Open the Details tab to look for the device identifiers_
6. From the Value window, copy the most detailed Hardware ID. We will use this in the policies.
![HWID](images/device-installation-dm-printer-hardware-ids.png)
![Compatible ID](images/device-installation-dm-printer-compatible-ids.png)<br/>_HWID and Compatible ID_
> [!TIP]
> You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs.
### Getting device identifiers using PnPUtil
```console
pnputil /enum-devices /deviceids
```
Here is example output for a single device on a machine:
```console
<snip>
Instance ID:                PCI\VEN_8086&DEV_2F34&SUBSYS_2F348086&REV_02\3&103a9d54&0&81
Device Description:         Intel(R) Xeon(R) E7 v3/Xeon(R) E5 v3/Core i7 PCIe Ring Interface - 2F34
Class Name:                 System
Class GUID:                 {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer Name:          INTEL
Status:                     Stopped
Driver Name:                oem6.inf
Hardware IDs:               PCI\VEN_8086&DEV_2F34&SUBSYS_2F348086&REV_02
                            PCI\VEN_8086&DEV_2F34&SUBSYS_2F348086
                            PCI\VEN_8086&DEV_2F34&CC_110100
                            PCI\VEN_8086&DEV_2F34&CC_1101
Compatible IDs:             PCI\VEN_8086&DEV_2F34&REV_02
                            PCI\VEN_8086&DEV_2F34
                            PCI\VEN_8086&CC_110100
                            PCI\VEN_8086&CC_1101
                            PCI\VEN_8086
                            PCI\CC_110100
                            PCI\CC_1101
<snip>
```
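The same identifiers can also be collected from PowerShell, which is convenient when you need them for many devices or want to keep a record before you apply a policy. The following function is an added example, not code from the original article; it assumes Windows 10 with the built-in PnpDevice module (Get-PnpDevice and Get-PnpDeviceProperty) and takes a friendly-name pattern, such as '*Canon*', that you supply.

```powershell
# Added example (not from the original article). Reports, for every present device whose
# friendly name matches a wildcard pattern, the identifiers that the Device Installation
# Restriction policies match on. Assumes Windows 10 and the built-in PnpDevice module.
function Get-DeviceIdentifiers {
    [CmdletBinding()]
    param(
        # Wildcard pattern for the device's friendly name, e.g. '*Canon*' or '*Flash Disk*'
        [Parameter(Mandatory)]
        [string]$FriendlyName
    )

    # -PresentOnly skips devices that were seen once but are not connected right now
    Get-PnpDevice -PresentOnly -FriendlyName $FriendlyName -ErrorAction SilentlyContinue | ForEach-Object {
        $device = $_
        # DEVPKEY_* are the documented device property keys understood by Get-PnpDeviceProperty
        $props = Get-PnpDeviceProperty -InstanceId $device.InstanceId `
            -KeyName 'DEVPKEY_Device_HardwareIds', 'DEVPKEY_Device_CompatibleIds'
        $hardwareIds   = ($props | Where-Object KeyName -eq 'DEVPKEY_Device_HardwareIds').Data
        $compatibleIds = ($props | Where-Object KeyName -eq 'DEVPKEY_Device_CompatibleIds').Data

        [pscustomobject]@{
            FriendlyName  = $device.FriendlyName
            # Unique per device instance; the most specific identifier a policy can match
            InstanceId    = $device.InstanceId
            Class         = $device.Class
            # Paste this value, including the curly braces, into the "device setup classes" policies
            ClassGuid     = $device.ClassGuid
            # Ordered most specific first; the first entry is the one to copy into the
            # "Prevent/Allow installation of devices that match any of these device IDs" policies
            HardwareIds   = @($hardwareIds)
            # Less specific fallbacks, also ordered most specific first. The generic IDs the article
            # lists later (USB\ROOT_HUB30, PCI\CC_0C03) sit near the end of one of these two lists.
            CompatibleIds = @($compatibleIds)
        }
    }
}

# Usage: inspect the printer used throughout this article, then a USB thumb drive
Get-DeviceIdentifiers -FriendlyName '*Canon*' | Format-List
Get-DeviceIdentifiers -FriendlyName '*Flash Disk*' | Format-List
```

Run it before and after applying a policy: a device that the policy blocked keeps its identifiers but no longer appears with -PresentOnly once it is removed and reconnected, which is a quick way to confirm the block took effect.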
## Scenario #1: Prevent installation of all printers
In this simple scenario, you will learn how to prevent the installation of an entire Class of devices.
### Setting up the environment
Set up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Disable all previous Device Installation policies except Apply layered order of evaluation. Although this policy is disabled by default, enabling it is recommended in most practical deployments.
3. If any policies are enabled, changing their status to Disabled clears all of their parameters.
4. Have a USB/network printer available to test the policy with.
### Scenario steps: preventing installation of prohibited devices
Getting the right device identifier to prevent it from being installed:
1. If a device from the class you want to block is present on your system, follow the steps in the previous section to find its Device Class identifier (Class GUID) through Device Manager or PnPUtil.
2. If no such device is installed on your system, or if you do not know the name of the class, check the following two lists:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
3. This scenario focuses on preventing all printers from being installed, so here is the Class GUID that covers most printers on the market:
> Printers\
> Class = Printer\
> ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\
> This class includes printers.
> [!NOTE]
> As mentioned before, preventing an entire Class could block you from using your system completely. Make sure you understand which devices are going to be blocked when you specify a Class. For this scenario, there are other classes related to printers; before you apply them, make sure they do not block any other existing device that is crucial to your system.
Creating the policy to prevent all printers from being installed:
1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type “Group Policy Editor” in Windows search and open the UI.
2. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Make sure all policies are disabled (keeping the Apply layered order of evaluation policy enabled is recommended).
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button.
5. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the class identifier to block.
6. Enter the printer class GUID you found above, including the curly braces (this is important; without them the entry will not work): {4d36e979-e325-11ce-bfc1-08002be10318}
![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
7. Click OK.
8. Click Apply at the bottom right of the policy's window. This pushes the policy and blocks all future printer installations, but does not apply to existing installs.
9. Optional, if you would like to apply the policy to existing installs: open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window, select the checkbox “Also apply to matching devices that are already installed”.
> [!IMPORTANT]
> Using a Prevent policy (like the one used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; use it with caution. For example, if an IT admin wants to prevent all removable storage devices from being installed on the machine, blocking the Disk Drive class and applying it retroactively could render the internal hard drive unusable and break the machine.
### Testing the scenario
1. If you have not completed step #9, follow these steps:
    - Uninstall your printer: Device Manager > Printers > right-click the Canon Printer > click “Uninstall device”.
    - For a USB printer, unplug and reconnect the cable; for a network printer, search for the printer in the Windows Settings app.
    - You should not be able to reinstall the printer.
2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no longer available for you to use.
## Scenario #2: Prevent installation of a specific printer
This scenario builds upon scenario #1, Prevent installation of all printers. In this scenario, you target a specific printer to prevent from being installed on the machine.
### Setting up the environment
Set up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Make sure all previous Device Installation policies are disabled except Apply layered order of evaluation, which may be either on or off for this scenario. Although this policy is disabled by default, enabling it is recommended in most practical deployments; for scenario #2 it is optional.
### Scenario steps: preventing installation of a specific device
Getting the right device identifier to prevent it from being installed:
1. Get your printer's Hardware ID. In this example, we use the identifier found previously.
![Printer Hardware ID identifier](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
2. Write down the device ID (in this case the Hardware ID): WSDPRINT\CanonMX920_seriesC1A0. Take the more specific identifier to make sure you block a specific printer and not a family of printers.
Creating the policy to prevent a single printer from being installed:
1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type “Group Policy Editor” in Windows search and open the UI.
2. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Open the **Prevent installation of devices that match any of these device IDs** policy and select the Enable radio button.
4. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the device identifier to block.
5. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0
![Prevent Device ID list](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
6. Click OK.
7. Click Apply at the bottom right of the policy's window. This pushes the policy and blocks the target printer in future installations, but does not apply to an existing install.
8. Optional, if you would like to apply the policy to an existing install: open the **Prevent installation of devices that match any of these device IDs** policy again; in the Options window, select the checkbox “Also apply to matching devices that are already installed”.
### Testing the scenario
If you completed step #8 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no longer available for you to use.
If you have not completed step #8, follow these steps:
1. Uninstall your printer: Device Manager > Printers > right-click the Canon Printer > click “Uninstall device”.
2. For a USB printer, unplug and reconnect the cable; for a network printer, search for the printer in the Windows Settings app.
3. You should not be able to reinstall the printer.
## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
Now, using the knowledge from both previous scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed.
### Setting up the environment
Set up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Disable all previous Device Installation policies, and enable Apply layered order of evaluation.
3. If any policies are enabled, changing their status to Disabled clears all of their parameters.
4. Have a USB/network printer available to test the policy with.
### Scenario steps: preventing installation of an entire class while allowing a specific printer
Get the device identifiers for both the Printer class and a specific printer. By following the steps in scenario #1 to find the Class identifier and in scenario #2 to find the Device identifier, you get the identifiers you need for this scenario:
- ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}
- Hardware ID = WSDPRINT\CanonMX920_seriesC1A0
First create a Prevent Class policy and then create an Allow Device policy:
1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type “Group Policy Editor” in Windows search and open the UI.
2. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Make sure all policies are disabled.
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button.
5. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the class identifier to block.
6. Enter the printer class GUID you found above, including the curly braces (this is important; without them the entry will not work): {4d36e979-e325-11ce-bfc1-08002be10318}
![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
7. Click OK.
8. Click Apply at the bottom right of the policy's window. This pushes the policy and blocks all future printer installations, but does not apply to existing installs.
9. To complete the coverage of all future and existing printers, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window, select the checkbox “Also apply to matching devices that are already installed” and click OK.
10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it. This policy lets you override the wide coverage of the Prevent policy with a specific device.
![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png)
![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria."](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_
11. Now open the **Allow installation of devices that match any of these device IDs** policy and select the Enable radio button.
12. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the device identifier to allow.
13. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
![Allow Printer Hardware ID](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_
14. Click OK.
15. Click Apply at the bottom right of the policy's window. This pushes the policy and allows the target printer to be installed (or to remain installed).
### Testing the scenario
1. Simply look for your printer under Device Manager or the Windows Settings app and see that it is still there and accessible. Or just print a test document.
2. Go back to the Group Policy Editor, disable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy, and test your printer again; you should not be able to print anything or access the printer at all.
## Scenario #4: Prevent installation of a specific USB device
The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you will gain an understanding of how some devices are built into the PnP (Plug and Play) device tree.
### Setting up the environment
Set up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Make sure all previous Device Installation policies are disabled except Apply layered order of evaluation, which may be either on or off for this scenario. Although this policy is disabled by default, enabling it is recommended in most practical deployments.
### Scenario steps: preventing installation of a specific device
Getting the right device identifier to prevent it from being installed, and its location in the PnP tree:
1. Connect a USB thumb-drive to the machine.
2. Open Device Manager.
3. Find the USB thumb-drive and select it.
![Selecting the usb thumb-drive in Device Manager](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
4. Change View (in the top menu) to Devices by connection. This view represents the way devices are installed in the PnP tree.
![Changing view in Device Manager to see the PnP connection tree](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_
> [!NOTE]
> When you block (prevent) a device that sits higher in the PnP tree, all the devices beneath it are blocked as well. For example, preventing a “Generic USB Hub” from being installed blocks every device that sits below that hub.
![Blocking nested devices from the root](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
5. Double-click the USB thumb-drive and move to the Details tab.
6. From the Value window, copy the most detailed Hardware ID. We will use this in the policies. In this case, Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
![USB device hardware IDs](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
Creating the policy to prevent a single USB thumb-drive from being installed:
1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type “Group Policy Editor” in Windows search and open the UI.
2. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Open the **Prevent installation of devices that match any of these device IDs** policy and select the Enable radio button.
4. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the device identifier to block.
5. Enter the USB thumb-drive device ID you found above: USBSTOR\DiskGeneric_Flash_Disk______8.07
![Prevent Device IDs list](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
6. Click OK.
7. Click Apply at the bottom right of the policy's window. This pushes the policy and blocks the target USB thumb-drive in future installations, but does not apply to an existing install.
8. Optional, if you would like to apply the policy to an existing install: open the **Prevent installation of devices that match any of these device IDs** policy again; in the Options window, select the checkbox “Also apply to matching devices that are already installed”.
### Testing the scenario
1. If you have not completed step #8, follow these steps:
    - Uninstall your USB thumb-drive: Device Manager > Disk drives > right-click the target USB thumb-drive > click “Uninstall device”.
    - You should not be able to reinstall the device.
2. If you completed step #8 above and restarted the machine, simply look for your USB thumb-drive under Disk drives in Device Manager and see that it is no longer available for you to use.
## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
Now, using the knowledge from all the previous 4 scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed.
### Setting up the environment
Set up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
2. Disable all previous Device Installation policies, and **enable** Apply layered order of evaluation.
3. If any policies are enabled, changing their status to Disabled clears all of their parameters.
4. Have a USB thumb-drive available to test the policy with.
### Scenario steps: preventing installation of all USB devices while allowing only an authorized USB thumb-drive
Get the device identifiers for both the USB classes and a specific USB thumb-drive. By following the steps in scenario #1 to find the Class identifiers and in scenario #4 to find the Device identifier, you get the identifiers you need for this scenario:
- USB Bus Devices (hubs and host controllers)
- Class = USB
- ClassGuid = {36fc9e60-c465-11cf-8056-444553540000}
- This class includes USB host controllers and USB hubs, but not USB peripherals. Drivers for this class are system-supplied.
- USB Device
- Class = USBDevice
- ClassGuid = {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
- USBDevice includes all USB devices that do not belong to another class. This class is not used for USB host controllers and hubs.
- Hardware ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
As mentioned in scenario #4, allowing a single hardware ID is not enough to enable a single USB thumb-drive. The IT admin also has to ensure that all the USB devices preceding the target one in the PnP tree are allowed (not blocked). In our case the following devices have to be allowed so that the target USB thumb-drive can be allowed as well:
- “Intel(R) USB 3.0 eXtensible Host Controller 1.0 (Microsoft)” -> PCI\CC_0C03
- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
- “Generic USB Hub” -> USB\USB20_HUB
![USB devices nested in the PnP tree](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
These devices are internal devices on the machine that define the USB port connection to the outside world. Allowing them does not allow any external/peripheral device to be installed on the machine.
> [!IMPORTANT]
> Some devices in the system have several layers of connectivity that define their installation on the system. USB thumb-drives are such devices. Thus, when you want to either block or allow them on a system, it is important to understand the connectivity path of each device. Several generic Device IDs are commonly used in systems and provide a good starting point for building an Allow list in such cases. See the list below:
>
> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)\
> USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)\
> USB\USB20_HUB (for Generic USB Hubs)
>
> Specifically for desktop machines, it is very important to include in the above list all the USB devices through which your keyboards and mice are connected. Failing to do so could block users from accessing their machine through HID devices.
>
> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it is done.
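
The connectivity path described in the note above, and in the note on nested devices in scenario #4, can be enumerated instead of read off Device Manager by hand. The following PowerShell is an added example, not code from the original article; it assumes Windows 10 with the PnpDevice module, and the function names `Get-PnpAncestorChain` and `Get-UsbAllowListCandidates`, the thumb-drive name pattern, and the default class GUIDs (taken from this scenario) are the example's own. It walks DEVPKEY_Device_Parent from each keyboard, mouse and the authorized thumb-drive up to the root of the PnP tree and keeps the ancestors that fall into a class the Prevent policy would block, which is exactly the set that needs an Allow entry.

```powershell
# Added example (not from the original article). Builds the candidate Allow list for
# scenario #5: every ancestor of the keyboards, mice and the authorized thumb-drive that
# falls in a class you are about to prevent. Assumes Windows 10 and the PnpDevice module.
function Get-PnpAncestorChain {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$InstanceId)

    $chain = New-Object System.Collections.Generic.List[object]
    $current = $InstanceId
    while ($current) {
        $device = Get-PnpDevice -InstanceId $current -ErrorAction SilentlyContinue
        if (-not $device) { break }   # reached the top of the PnP tree
        $props = Get-PnpDeviceProperty -InstanceId $current `
            -KeyName 'DEVPKEY_Device_HardwareIds', 'DEVPKEY_Device_CompatibleIds', 'DEVPKEY_Device_Parent'
        $chain.Add([pscustomobject]@{
            FriendlyName  = $device.FriendlyName
            Class         = $device.Class
            ClassGuid     = $device.ClassGuid
            InstanceId    = $current
            HardwareIds   = @(($props | Where-Object KeyName -eq 'DEVPKEY_Device_HardwareIds').Data)
            CompatibleIds = @(($props | Where-Object KeyName -eq 'DEVPKEY_Device_CompatibleIds').Data)
        })
        # DEVPKEY_Device_Parent holds the parent's instance ID; it is empty at the top of the tree
        $current = ($props | Where-Object KeyName -eq 'DEVPKEY_Device_Parent').Data
    }
    $chain.Reverse()   # root first, device last, like Device Manager's "Devices by connection" view
    $chain
}

function Get-UsbAllowListCandidates {
    [CmdletBinding()]
    param(
        # Friendly-name pattern of the one thumb-drive you want to authorize
        [Parameter(Mandatory)][string]$ThumbDriveName,
        # Class GUIDs you are going to put in the Prevent policy (the two USB classes from this scenario)
        [string[]]$PreventedClassGuids = @('{36fc9e60-c465-11cf-8056-444553540000}',
                                           '{88BAE032-5A81-49f0-BC3D-A4FF138216D6}')
    )

    # Devices whose connectivity path must survive the Prevent policy: HID input plus the thumb-drive.
    # PS/2 keyboards and mice have no USB-class ancestors and drop out of the result naturally.
    $targets = @(Get-PnpDevice -PresentOnly -Class 'Keyboard', 'Mouse', 'HIDClass' -ErrorAction SilentlyContinue) +
               @(Get-PnpDevice -PresentOnly -FriendlyName $ThumbDriveName -ErrorAction SilentlyContinue)

    # Keep only ancestors the Prevent policy would actually block (plus the thumb-drive itself);
    # -in compares class GUID strings case-insensitively, so the braces' case does not matter.
    $targets |
        ForEach-Object { Get-PnpAncestorChain -InstanceId $_.InstanceId } |
        Where-Object { $_.ClassGuid -in $PreventedClassGuids -or $_.FriendlyName -like $ThumbDriveName } |
        Sort-Object InstanceId -Unique |
        Select-Object FriendlyName, Class, HardwareIds, CompatibleIds
}

# Usage: review the output, then copy one ID per row into "Allow installation of devices that
# match any of these device IDs". The least specific entries (USB\ROOT_HUB30, USB\USB20_HUB,
# PCI\CC_0C03) are the generic ones this article recommends; the thumb-drive needs its most
# specific Hardware ID (USBSTOR\Disk...).
Get-UsbAllowListCandidates -ThumbDriveName '*Flash Disk*' | Format-List
```

Run this on a representative machine of each hardware model before enabling the Prevent policy, since the note above points out that manufacturers nest USB devices differently; a hub or host controller missing from the Allow list on one model is exactly how keyboards and mice end up blocked there.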
First create a Prevent Class policy and then create an Allow Device policy:
1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type “Group Policy Editor” in Windows search and open the UI.
2. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
3. Make sure all policies are disabled.
4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the Enable radio button.
5. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the class identifier to block.
6. Enter both USB class GUIDs you found above, with the curly braces:
> {36fc9e60-c465-11cf-8056-444553540000}\
> {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
7. Click OK.
8. Click Apply at the bottom right of the policy's window. This pushes the policy and blocks all future USB device installations, but does not apply to existing installs.
> [!IMPORTANT]
> The previous step prevents all future USB devices from being installed. Before you move to the next step, make sure you have as complete a list as possible of the Device IDs of all USB Host Controllers, USB Root Hubs and Generic USB Hubs, so that you are not blocked from interacting with your system through keyboards and mice.
9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it. This policy lets you override the wide coverage of the Prevent policy with a specific device.
![Apply layered order of evaluation policy](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_
10. Now open the **Allow installation of devices that match any of these device IDs** policy and select the Enable radio button.
11. In the lower left side, in the Options window, click the Show… box. This will take you to a table where you can enter the device identifier to allow.
12. Enter the full list of USB device IDs you found above, including the specific USB thumb-drive you would like to authorize for installation: USBSTOR\DiskGeneric_Flash_Disk______8.07
![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs."](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_
13. Click OK.
14. Click Apply on the bottom right of the policys window.
15. To apply the Prevent coverage to all currently installed USB devices, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the Options window, select the checkbox “Also apply to matching devices that are already installed” and click OK.
### Testing the scenario
You should not be able to install any USB thumb-drive, except the one you authorized for usage.